Table of Contents

• Title and Copyright Information
• Preface
  • Audience
  • Related Documents
  • Conventions
• Changes in This Release for Oracle AI Database Security Guide
  • Changes in Oracle AI Database Security 26ai
    • Oracle Deep Data Security
    • Preparing for FIPS 140-3 Compliance
    • Constrained Kerberos Configuration
    • Multi-Factor Authentication Now Available
    • Transport Layer Security 1.3 Protocol Now Supported in Oracle Database
    • Simplified Transport Layer Security Configuration
    • Schema Privileges to Simplify Access Control
    • Oracle SQL Firewall is Now Built into Oracle AI Database
    • Increased Maximum Password Length
    • Read-Only Users and Sessions
    • New Database Role for Application Developers
    • Oracle Data Dictionary Protection Extended to Non-SYS Oracle Schemas with Separation of Duties Protection
    • Strict DN Matching with Both Listener and Server Certificates
    • Ability to Configure Transport Layer Security Connections without Client Wallets
    • Updated Kerberos Library and Other Improvements
    • Improved and More Secure Local Auto-Login Wallets
    • New sqlnet.ora Parameter to Prevent the Use of Deprecated Ciphers
    • Enhancements to RADIUS Configuration
    • Enhancements to the DBMS_CRYPTO PL/SQL Package
    • Authenticating and Authorizing IAM Users to Oracle Autonomous AI Database on Dedicated Exadata Infrastructure
    • Ability of Azure Users to Log in to Oracle AI Database with Their Azure AD OAAuth2 Access Token
    • Ability to Audit Object Actions at the Column Level for Tables and Views
    • Consolidation of the FIPS_140 Parameter
    • Desupport of Case Insensitive Passwords
    • Desupport of Traditional Auditing
  • Updates to Oracle AI Database Security 26ai
    • New Procedure for Oracle SQL Firewall DBMS_SQL_FIREWALL PL/SQL Package
    • DBMS_CRYPTO Support for SM2, SM3, SM4, and SHA-3 Cryptographic Algorithms
    • orapki Enhancements
    • Microsoft Entra ID (Azure AD) Integration Enhancements
• 1 Introduction to Oracle AI Database Security
  • About Oracle AI Database Security
  • Additional Oracle AI Database Security Products
• Part I Managing User Authentication and Authorization
  • 2 Managing Security for Oracle AI Database Users
    • About User Security
    • Creating User Accounts
      • About Common Users and Local Users
        • About Common Users
        • How Plugging in PDBs Affects CDB Common Users
        • About Local Users
      • Who Can Create User Accounts?
      • Creating a New User Account That Has Minimum Database Privileges
      • Restrictions on Creating the User Name for a New Account
        • Uniqueness of User Names
        • User Names in a Multitenant Environment
        • Case Sensitivity for User Names
      • Assignment of User Passwords
      • Default Tablespace for the User
        • About Assigning a Default Tablespace for a User
        • DEFAULT TABLESPACE Clause for Assigning a Default Tablespace
      • Tablespace Quotas for a User
        • About Assigning a Tablespace Quota for a User
        • CREATE USER Statement for Assigning a Tablespace Quota
        • Restriction of the Quota Limits for User Objects in a Tablespace
        • Grants to Users for the UNLIMITED TABLESPACE System Privilege
      • Temporary Tablespaces for the User
        • About Assigning a Temporary Tablespace for a User
        • TEMPORARY TABLESPACE Clause for Assigning a Temporary Tablespace
      • Profiles for the User
      • Creation of a Common User or a Local User
        • About Creating Common User Accounts
        • CREATE USER Statement for Creating a Common User Account
        • About Creating Local User Accounts
        • CREATE USER Statement for Creating a Local User Account
      • Creating a Default Role for the User
    • Altering User Accounts
      • About Altering User Accounts
      • Methods of Altering Common or Local User Accounts
      • Changing Non-SYS User Passwords
        • About Changing Non-SYS User Passwords
        • Using the PASSWORD Command or ALTER USER Statement to Change a Password
      • Changing the SYS User Password
        • About Changing the SYS User Password
        • ORAPWD Utility for Changing the SYS User Password
    • Configuring User Resource Limits
      • About User Resource Limits
      • Types of System Resources and Limits
        • Limits to the User Session Level
        • Limits to Database Call Levels
        • Limits to CPU Time
        • Limits to Logical Reads
        • Limits to Other Resources
      • Values for Resource Limits of Profiles
      • Managing Resources with Profiles
        • About Profiles
        • ORA_CIS_PROFILE User Profile
        • ORA_STIG_PROFILE User Profile
        • Creating a Profile
        • Creating a CDB Profile or an Application Profile
        • Assigning a Profile to a User
        • Dropping Profiles
      • Common Mandatory Profiles in the CDB Root
        • About Common Mandatory Profiles in the CDB Root
        • Creating a Common Mandatory Profile in the CDB Root
        • Example: Function to Enforce Minimum Password Length
    • Dropping User Accounts
      • About Dropping User Accounts
      • Terminating a User Session
      • About Dropping a User After the User Is No Longer Connected to the Database
      • Dropping a User Whose Schema Contains Objects
    • Predefined Schema User Accounts Provided by Oracle Database
      • About the Predefined Schema User Accounts
      • Predefined Administrative Accounts
      • Predefined Non-Administrative User Accounts
      • Predefined Sample Schema User Accounts
    • Database User and Profile Data Dictionary Views
      • Data Dictionary Views That List Information About Users and Profiles
      • Query to Find All Users and Associated Information
      • Query to List All Tablespace Quotas
      • Query to List All Profiles and Assigned Limits
      • Query to View Memory Use for Each User Session
  • 3 Configuring Authentication
    • About Authentication
    • Configuring Password Protection
      • What Are the Oracle AI Database Built-in Password Protections?
      • Minimum Requirements for Passwords
      • Creating a Password by Using the IDENTIFIED BY Clause
      • Using a Password Management Policy
        • About Managing Passwords
        • Finding User Accounts That Have Default Passwords
        • Password Settings in the Default Profile
        • Using the ALTER PROFILE Statement to Modify Profile Limits
        • Disabling and Enabling the Default Password Security Settings
        • Automatically Locking Inactive Database User Accounts
        • Automatically Locking User Accounts After a Specified Number of Failed Log-in Attempts
        • Example: Locking an Account with the CREATE PROFILE Statement
        • Explicitly Locking a User Account with the CREATE USER or ALTER USER Statement
        • Controlling the User Ability to Reuse Previous Passwords
        • About Controlling Password Aging and Expiration
        • Setting a Password Lifetime
        • Checking the Status of a User Account
        • Password Change Life Cycle
        • PASSWORD_LIFE_TIME Profile Parameter Low Value
      • Managing Gradual Database Password Rollover for Applications
        • About Managing Gradual Database Password Rollover for Applications
        • Password Change Life Cycle During a Gradual Database Password Rollover
        • Enabling the Gradual Database Password Rollover
        • Changing a Password to Begin the Gradual Database Password Rollover Period
        • Changing a Password During the Gradual Database Password Rollover Period
        • Ending the Password Rollover Period
        • Database Behavior During the Gradual Password Rollover Period
        • Database Server Behavior After the Password Rollover Period Ends
        • Guideline for Handling Compromised Passwords
        • How Gradual Database Password Rollover Works During Oracle Data Pump Exports
        • Using Gradual Database Password Rollover in an Oracle Data Guard Environment
        • Finding Users Who Still Use Their Old Passwords
      • Managing the Complexity of Passwords
        • About Password Complexity Verification
        • How Oracle Database Checks the Complexity of Passwords
        • Who Can Use the Password Complexity Functions?
        • ora12c_verify_function Password Requirements
        • ora12c_strong_verify_function Function Password Requirements
        • ora12c_stig_verify_function Password Requirements
        • About Customizing Password Complexity Verification
        • Enabling Password Complexity Verification
      • Managing Password Case Sensitivity
        • Management of Case Sensitivity for Secure Role Passwords
        • Management of Password Versions of Users
        • Finding and Resetting User Passwords That Use the 10G Password Version
        • How Case Sensitivity Affects Password Files
        • How Case Sensitivity Affects Passwords Used in Database Link Connections
      • Ensuring Against Password Security Threats by Using the 12C Password Version
        • About the 12C Version of the Password Hash
        • Oracle Database 12C Password Version Configuration Guidelines
        • Configuring Oracle Database to Use the 12C Password Version Exclusively
        • How Server and Client Logon Versions Affect Database Links
        • Configuring Oracle Database Clients to Use the 12C Password Version Exclusively
      • Managing the Secure External Password Store for Password Credentials
        • About the Secure External Password Store
        • How Does the Secure External Password Store Work?
        • About Configuring Clients to Use the Secure External Password Store
        • Configuring a Client to Use the Secure External Password Store
        • Example: Sample sqlnet.ora File with Wallet Parameters Set
        • Managing External Password Store Credentials
          • Listing External Password Store Contents
          • Adding Credentials to an External Password Store
          • Modifying Credentials in an External Password Store
          • Deleting Credentials from an External Password Store
        • Creating SQL*Loader Object Store Credentials
      • Managing Passwords for Administrative Users
        • About Managing Passwords for Administrative Users
        • Setting the LOCK and EXPIRED Status of Administrative Users
        • Password Profile Settings for Administrative Users
        • Last Successful Login Time for Administrative Users
        • Management of the Password File of Administrative Users
        • Migration of the Password File of Administrative Users
        • How the Multitenant Option Affects Password Files for Administrative Users
        • Password Complexity Verification Functions for Administrative Users
    • Authentication of Database Administrators
      • About Authentication of Database Administrators
      • Strong Authentication, Centralized Management for Administrators
        • About Strong Authentication for Database Administrators
        • Configuring Directory Authentication for Administrative Users
        • Configuring Kerberos Authentication for Administrative Users
      • Authentication of Database Administrators by Using the Operating System
      • Authentication of Database Administrators by Using Their Passwords
      • Risks of Using Password Files for Database Administrator Authentication
    • Database Authentication of Users
      • About Database Authentication of Users
      • Advantages of Database Authentication
      • Creating Users Who Are Authenticated by the Database
    • Configuring Multi-Factor Authentication
      • MFA Push Notifications
        • Cisco Duo
        • Oracle Mobile Authenticator (OMA)
        • MFA External Account Updates and Cleanup
      • MFA Certificate-based Authentication
      • Auditing Multi-factor Authentication Failures
      • Database Links and Multi-factor Authentication
    • Schema-Only Accounts
      • About Schema-Only Accounts
      • Creating a Schema-Only Account
      • Altering a Schema-Only Account
    • Configuring Operating System Users for a PDB
      • About Configuring Operating System Users for a PDB
      • PDB_OS_CREDENTIAL Initialization Parameter
      • Configuring an Operating System User for a PDB
      • Setting the Default Credential in a PDB
    • External (Non-Database) User Authentication and Access to the Database
      • External Authentication with Local Database Authorization
        • About External Authentication with Local Database Authorization
        • Operating System Authentication
        • Kerberos Authentication
        • Public Key Infrastructure Centificate Authentication
        • RADIUS Authentication
      • External Authentication with External Authorization
        • About External Authentication with External Authorization
        • Centrally Managed Users with Microsoft Active Directory
        • Microsoft Entra ID Integration
        • Oracle Cloud Infrastructure Identity and Access Management Integration
        • Oracle Enterprise User Security
    • Multitier Authentication and Authorization
    • Administration and Security in Clients, Application Servers, and Database Servers
    • Preserving User Identity in Multitiered Environments
      • Middle Tier Server Use for Proxy Authentication
        • About Proxy Authentication
        • Advantages of Proxy Authentication
        • Who Can Create Proxy User Accounts?
        • Guidelines for Creating Proxy User Accounts
        • Creating Proxy User Accounts and Authorizing Users to Connect Through Them
        • Proxy User Accounts and the Authorization of Users to Connect Through Them
        • Using Proxy Authentication with the Secure External Password Store
        • How the Identity of the Real User Is Passed with Proxy Authentication
        • Limits to the Privileges of the Middle Tier
        • Authorizing a Middle Tier to Proxy and Authenticate a User
        • Authorizing a Middle Tier to Proxy a User Authenticated by Other Means
        • Reauthenticating a User Through the Middle Tier to the Database
        • Using Password-Based Proxy Authentication
        • Using Proxy Authentication with Enterprise Users
      • Using Client Identifiers to Identify Application Users Unknown to the Database
        • About Client Identifiers
        • How Client Identifiers Work in Middle Tier Systems
        • Use of the CLIENT_IDENTIFIER Attribute to Preserve User Identity
        • Use of the CLIENT_IDENTIFIER Independent of Global Application Context
        • Setting the CLIENT_IDENTIFIER Independent of Global Application Context
        • Use of the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier
        • Enabling the CLIENTID_OVERWRITE Event System-Wide
        • Enabling the CLIENTID_OVERWRITE Event for the Current Session
        • Disabling the CLIENTID_OVERWRITE Event
    • User Authentication Data Dictionary Views
  • 4 Configuring Privilege and Role Authorization
    • About Privileges and Roles
    • Privilege and Role Grants in a CDB
      • About Privilege and Role Grants in a CDB
      • Principles of Privilege and Role Grants in a CDB
      • Privileges and Roles Granted Locally in a CDB
      • What Makes a Privilege or Role Grant Local
      • Roles and Privileges Granted Locally
      • Roles and Privileges Granted Commonly in a CDB
      • What Makes a Grant Common
      • Roles and Privileges Granted Commonly
      • Grants to PUBLIC in a CDB
      • Grants of Privileges and Roles: Scenario
    • Who Should Be Granted Privileges?
    • How the Oracle Multitenant Option Affects Privileges
    • Managing Administrative Privileges
      • About Administrative Privileges
      • Grants of Administrative Privileges to Users
      • SYSDBA and SYSOPER Privileges for Standard Database Operations
      • Forcing oracle Users to Enter a Password When Logging in as SYSDBA
      • SYSBACKUP Administrative Privilege for Backup and Recovery Operations
      • SYSDG Administrative Privilege for Oracle Data Guard Operations
      • SYSKM Administrative Privilege for Transparent Data Encryption
      • SYSRAC Administrative Privilege for Oracle Real Application Clusters
    • Managing System Privileges
      • About System Privileges
      • Who Can Grant or Revoke System Privileges?
      • Why Is It Important to Restrict System Privileges?
        • About the Importance of Restricting System Privileges
        • User Access to Objects in the SYS Schema
      • Grants and Revokes of System Privileges
      • About ANY Privileges and the PUBLIC Role
    • Managing Schema Privileges
      • About Managing Schema Privileges
      • Privileges That Are Excluded from Schema Privilege Grants
      • Granting a Schema Privilege
      • Revoking a Schema Privilege
    • Administering Schema Security Policies
      • About Administering Schema System Security Policies
      • Granting an Administrator Schema Security Policy
      • Revoking an Administrator Security Policy
    • Managing Privileges to Enable Diagnostics
    • Managing Commonly and Locally Granted Privileges
      • About Commonly and Locally Granted Privileges
      • How Commonly Granted System Privileges Work
      • How Commonly Granted Object Privileges Work
      • Granting or Revoking Privileges to Access a PDB
      • Example: Granting a Privilege to a Common User
      • Enabling Common Users to View CONTAINER_DATA Object Information
        • Viewing Data About the Root, CDB, and PDBs While Connected to the Root
        • Enabling Common Users to Query Data in Specific PDBs
    • Managing User Roles
      • About User Roles
        • What Are User Roles?
        • The Functionality of Roles
        • Properties of Roles and Why They Are Advantageous
        • Typical Uses of Roles
        • Common Uses of Application Roles
        • Common Uses of User Roles
        • How Roles Affect the Scope of a User's Privileges
        • How Roles Work in PL/SQL Blocks
          • Roles Used in Named Blocks with Definer's Rights
          • Roles Used in Named Blocks with Invoker's Rights and Anonymous PL/SQL Blocks
        • How Roles Aid or Restrict DDL Usage
        • How Operating Systems Can Aid Roles
        • How Roles Work in a Distributed Environment
      • Predefined Roles in an Oracle AI Database Installation
      • Creating a Role
        • About the Creation of Roles
        • Creating a Role That Is Authenticated With a Password
        • Creating a Role That Has No Password Authentication
        • Creating a Role That Is External or Global
        • Altering a Role
      • Specifying the Type of Role Authorization
        • Authorizing a Role by Using the Database
        • Authorizing a Role by Using an Application
        • Authorizing a Role by Using an External Source
        • Authorizing a Role by Using the Operating System
        • Authorizing a Role by Using a Network Client
        • Authorizing a Global Role by an Enterprise Directory Service
      • Granting and Revoking Roles
        • About Granting and Revoking Roles
        • Who Can Grant or Revoke Roles?
        • Granting and Revoking Roles to and from Program Units
      • Dropping Roles
      • Restricting SQL*Plus Users from Using Database Roles
        • Potential Security Problems of Using Ad Hoc Tools
        • How the PRODUCT_USER_PROFILE System Table Can Limit Roles
        • How Stored Procedures Can Encapsulate Business Logic
      • Role Privileges and Secure Application Roles
    • Managing Common Roles and Local Roles
      • About Common Roles and Local Roles
      • Common Roles in a CDB
      • How Common Roles Work
      • How the PUBLIC Role Works in a Multitenant Environment
      • Privileges Required to Create, Modify, or Drop a Common Role
      • Rules for Creating Common Roles
      • Creating a Common Role
      • Rules for Creating Local Roles
      • Local Roles in a CDB
      • Creating a Local Role
      • Role Grants and Revokes for Common Users and Local Users
    • Restricting Operations on PDBs Using PDB Lockdown Profiles
      • About PDB Lockdown Profiles
      • How PDB Lockdown Profiles Work
      • PDB_OS_CREDENTIAL Initialization Parameter
      • Features That Benefit from PDB Lockdown Profiles
      • PDB Lockdown Profile Inheritance
      • Default PDB Lockdown Profiles
      • Creating a PDB Lockdown Profile
      • Enabling or Disabling a PDB Lockdown Profile
      • Dropping a PDB Lockdown Profile
    • Managing Object Privileges
      • About Object Privileges
      • Who Can Grant Object Privileges?
      • Grants and Revokes of Object Privileges
        • About Granting and Revoking Object Privileges
        • How the ALL Clause Grants or Revokes All Available Object Privileges
      • READ and SELECT Object Privileges
        • About Managing READ and SELECT Object Privileges
        • Enabling Users to Use the READ Object Privilege to Query Any Table in the Database
        • Restrictions on the READ and READ ANY TABLE Privileges
      • Object Privilege Use with Synonyms
      • Sharing Application Common Objects
        • Metadata-Linked Application Common Objects
        • Data-Linked Application Common Objects
        • Extended Data-Linked Application Common Objects
    • Managing Dictionary Protection for Oracle-Maintained Schemas
      • About Managing Dictionary Protection for Oracle-Maintained Schemas
      • Enabling Dictionary Protection in an Oracle-Maintained Schema
      • Disabling Dictionary Protection in an Oracle-Maintained Schema
    • Table Privileges
      • How Table Privileges Affect Data Manipulation Language Operations
      • How Table Privileges Affect Data Definition Language Operations
    • View Privileges
      • Privileges Required to Create Views
      • Privileges to Query Views in Other Schemas
      • The Use of Views to Increase Table Security
    • Procedure Privileges
      • The Use of the EXECUTE Privilege for Procedure Privileges
      • Procedure Execution and Security Domains
      • System Privileges Required to Create or Replace a Procedure
      • System Privileges Required to Compile a Procedure
      • How Procedure Privileges Affect Packages and Package Objects
        • About the Effect of Procedure Privileges on Packages and Package Objects
        • Example: Procedure Privileges Used in One Package
        • Example: Procedure Privileges and Package Objects
    • Type Privileges
      • System Privileges for Named Types
      • Object Privileges for Named Types
      • Method Execution Model for Named Types
      • Privileges Required to Create Types and Tables Using Types
      • Example: Privileges for Creating Types and Tables Using Types
      • Privileges on Type Access and Object Access
      • Type Dependencies
    • Grants of User Privileges and Roles
      • Granting System Privileges and Roles to Users and Roles
        • Privileges for Grants of System Privileges and Roles to Users and Roles
        • Example: Granting a System Privilege and a Role to a User
        • Example: Granting the EXECUTE Privilege on a Directory Object
        • Use of the ADMIN Option to Enable Grantee Users to Grant the Privilege
        • Creating a New User with the GRANT Statement
      • Granting Object Privileges to Users and Roles
        • About Granting Object Privileges to Users and Roles
        • How the WITH GRANT OPTION Clause Works
        • Grants of Object Privileges on Behalf of the Object Owner
        • Grants of Privileges on Columns
        • Row-Level Access Control
    • Revokes of Privileges and Roles from a User
      • Revokes of System Privileges and Roles
      • Revokes of Object Privileges
        • About Revokes of Object Privileges
        • Revokes of Multiple Object Privileges
        • Revokes of Object Privileges on Behalf of the Object Owner
        • Revokes of Column-Selective Object Privileges
        • Revokes of the REFERENCES Object Privilege
      • Cascading Effects of Revoking Privileges
        • Cascading Effects When Revoking System Privileges
        • Cascading Effects When Revoking Object Privileges
    • Grants and Revokes of Privileges to and from the PUBLIC Role
    • Grants of Roles Using the Operating System or Network
      • About Granting Roles Using the Operating System or Network
      • Operating System Role Identification
      • Operating System Role Management
      • Role Grants and Revokes When OS_ROLES Is Set to TRUE
      • Role Enablements and Disablements When OS_ROLES Is Set to TRUE
      • Network Connections with Operating System Role Management
    • How Grants and Revokes Work with SET ROLE and Default Role Settings
      • When Grants and Revokes Take Effect
      • How the SET ROLE Statement Affects Grants and Revokes
      • Specifying the Default Role for a User
      • The Maximum Number of Roles That a User Can Have Enabled
    • Configuring Read-Only Users
    • User Privilege and Role Data Dictionary Views
      • Data Dictionary Views to Find Information about Privilege and Role Grants
      • Query to List All System Privilege Grants
      • Query to List Schema Privilege Grants
      • Query to List All Role Grants
      • Query to List Object Privileges Granted to a User
      • Query to List the Current Privilege Domain of Your Session
      • Query to List Roles of the Database
      • Query to List Information About the Privilege Domains of Roles
  • 5 Performing Privilege Analysis to Identify Privilege Use
    • What Is Privilege Analysis?
      • About Privilege Analysis
      • Benefits and Use Cases of Privilege Analysis
        • Least Privileges Best Practice
        • Development of Secure Applications
      • Who Can Perform Privilege Analysis?
      • Types of Privilege Analysis
      • How Does a Multitenant Environment Affect Privilege Analysis?
      • How Privilege Analysis Works with Pre-Compiled Database Objects
    • Creating and Managing Privilege Analysis Policies
      • About Creating and Managing Privilege Analysis Policies
      • General Steps for Managing Privilege Analysis
      • Creating a Privilege Analysis Policy
      • Examples of Creating Privilege Analysis Policies
        • Example: Privilege Analysis of Database-Wide Privileges
        • Example: Privilege Analysis of Privilege Usage of Two Roles
        • Example: Privilege Analysis of Privileges During SQL*Plus Use
        • Example: Privilege Analysis of PSMITH Privileges During SQL*Plus Access
      • Enabling a Privilege Analysis Policy
      • Disabling a Privilege Analysis Policy
      • Generating a Privilege Analysis Report
        • About Generating a Privilege Analysis Report
        • General Process for Managing Multiple Named Capture Runs
        • Generating a Privilege Analysis Report Using DBMS_PRIVILEGE_CAPTURE
        • Generating a Privilege Analysis Report Using Cloud Control
        • Accessing Privilege Analysis Reports Using Cloud Control
      • Dropping a Privilege Analysis Policy
    • Creating Roles and Managing Privileges Using Cloud Control
      • Creating a Role from a Privilege Analysis Report in Cloud Control
      • Revoking and Regranting Roles and Privileges Using Cloud Control
      • Generating a Revoke or Regrant Script Using Cloud Control
        • About Generating Revoke and Regrant Scripts
        • Generating a Revoke Script
        • Generating a Regrant Script
    • Tutorial: Using Capture Runs to Analyze ANY Privilege Use
      • Step 1: Create User Accounts
      • Step 2: Create and Enable a Privilege Analysis Policy
      • Step 3: Use the READ ANY TABLE System Privilege
      • Step 4: Disable the Privilege Analysis Policy
      • Step 5: Generate and View a Privilege Analysis Report
      • Step 6: Create a Second Capture Run
      • Step 7: Remove the Components for This Tutorial
    • Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
      • Step 1: Create User Accounts
      • Step 2: Create and Enable a Privilege Analysis Policy
      • Step 3: Perform the Database Tuning Operations
      • Step 4: Disable the Privilege Analysis Policy
      • Step 5: Generate and View Privilege Analysis Reports
      • Step 6: Remove the Components for This Tutorial
    • Tutorial: Capturing Schema Privilege Use
      • Step 1: Create User Accounts
      • Step 2: Create and Enable a Privilege Analysis Policy
      • Step 3: Use the READ ANY TABLE System Privilege
      • Step 4: Disable the Privilege Analysis Policy
      • Step 5: Generate and View Privilege Analysis Reports
      • Step 6: Remove the Components for This Tutorial
    • Privilege Analysis Policy and Report Data Dictionary Views
  • 6 Configuring Centrally Managed Users with Microsoft Active Directory
    • Introduction to Centrally Managed Users with Microsoft Active Directory
      • About the Oracle AI Database-Microsoft Active Directory Integration
      • How Centrally Managed Users with Microsoft Active Directory Works
      • Centrally Managed User-Microsoft Active Directory Architecture
      • Supported Authentication Methods
      • Users Supported by Centrally Managed Users with Microsoft Active Directory
      • How the Oracle Multitenant Option Affects Centrally Managed Users
      • Centrally Managed Users with Database Links
    • Configuring the Oracle Database-Microsoft Active Directory Integration
      • About Configuring the Oracle Database-Microsoft Active Directory Connection
      • Connecting to Microsoft Active Directory
        • Step 1: Create an Oracle Service Directory User Account on Microsoft Active Directory and Grant Permissions
        • Step 2: For Password Authentication, Install the Password Filter and Extend the Microsoft Active Directory Schema
        • Step 3: If Necessary, Install the Oracle Database Software
        • Step 4: Create the dsi.ora or ldap.ora File
          • Comparison of the dsi.ora and ldap.ora Files
          • About Using a dsi.ora File
          • Creating the dsi.ora File
          • About Using an ldap.ora File
          • Creating the ldap.ora File
        • Step 5: Request an Active Directory Certificate for a Secure Connection
        • Step 6: Create the Wallet for a Secure Connection
        • Step 7: Configure the Microsoft Active Directory Connection
          • About Configuring the Microsoft Active Directory Connection
          • Configuring the Access Manually Using Database System Parameters
          • Configuring the Access Using the Database Configuration Assistant GUI
          • Configuring the Access Using Database Configuration Assistant Silent Mode
        • Step 8: Verify the Oracle Wallet
        • Step 9: Test the Integration
    • Configuring Authentication for Centrally Managed Users
      • Configuring Password Authentication for Centrally Managed Users
        • About Configuring Password Authentication for Centrally Managed Users
        • Configuring Password Authentication for a Centrally Managed User
        • Logging in to an Oracle Database Using Password Authentication
      • Configuring Proxy Authentication for Centrally Managed Users
        • About Configuring Proxy Authentication for Centrally Managed Users
        • Configuring Proxy Authentication for the Centrally Managed User
        • Validating the Centrally Managed User Proxy Authentication
      • Configuring Kerberos Authentication for Centrally Managed Users
      • Configuring Authentication Using PKI Certificates for Centrally Managed Users
    • Configuring Authorization for Centrally Managed Users
      • About Configuring Authorization for Centrally Managed Users
      • Mapping a Directory Group to a Shared Database Global User
      • Mapping a Directory Group to a Global Role
      • Exclusively Mapping a Directory User to a Database Global User
      • Altering or Migrating a User Mapping Definition
      • Configuring Administrative Users
        • Configuring Database Administrative Users with Shared Access Accounts
        • Configuring Database Administrative Users Using Exclusive Mapping
      • Verifying the Centrally Managed User Logon Information
    • Integration of Oracle Database with Microsoft Active Directory Account Policies
    • Configuring Centrally Managed Users with Oracle Autonomous Database
    • Troubleshooting Centrally Managed Users
      • ORA-01017 Connection Errors
      • ORA-28274 Connection Errors
      • ORA-28276 Connection Errors
      • ORA-28300 Connection Errors
      • Using Trace Files to Diagnose CMU Connection Errors
  • 7 Authenticating and Authorizing IAM Users for Oracle AI Database
    • Introduction to Authenticating and Authorizing IAM Users for Oracle DBaaS
      • About Authenticating and Authorizing IAM Users for Oracle DBaaS
      • Architecture of the IAM Integration with Oracle DBaaS
      • IAM Users and Groups to Map with Oracle DBaaS
    • Configuring Oracle DBaaS for IAM
      • Enabling External Authentication for Oracle DBaaS
      • Configuring Authorization for IAM Users and Oracle Cloud Infrastructure Applications
        • About Configuring Authorization for IAM Users and Oracle Cloud Infrastructure Applications
        • Mapping an IAM Group to a Shared Oracle Database Global User
        • Mapping an IAM Group to an Oracle Database Global Role
        • Exclusively Mapping an IAM User to an Oracle Database Global User
        • Altering or Migrating an IAM User Mapping Definition
        • Mapping Instance and Resource Principals
        • Verifying the IAM User Logon Information
      • Configuring IAM Proxy Authentication
        • About Configuring IAM Proxy Authentication
        • Configuring Proxy Authentication for the IAM User
        • Validating the IAM User Proxy Authentication
    • Configuring IAM for Oracle DBaaS
      • Creating an IAM Policy to Authorize Users Authenticating with Tokens
      • Creating an IAM Database Password
    • Accessing the Database Using an Instance Principal or a Resource Principal
    • Configuring the Database Client Connection
      • About Connecting to an Oracle AI Database Instance Using IAM
      • Supported Client Drivers for IAM Connections
      • Using Centralized Oracle Cloud Infrastructure Services for Net Naming and Secrets
      • Client Connections That Use an IAM Database Password Verifier
      • Client Connections That Use a Token Requested by an IAM User Name and Database Password
        • About Client Connections That Use a Token Requested by an IAM User Name and Database Password
        • Parameters to Set for Client Connections That Use a Token Requested by an IAM User Name and Database Password
        • Configuring the Database Client to Retrieve a Token Using an IAM User Name and Database Password
        • Configuring a Secure External Password Store Wallet to Retrieve an IAM Token
      • Client Connections That Use a Token Requested by a Client Application or Tool
      • TLS Connections without Client Wallets
      • Enabling Clients to Directly Retrieve IAM Tokens
      • Common Database Client Configurations
        • Configuring a Client Connection for SQL*Plus That Uses an IAM Database Password
        • Configuring a Client Connection for SQL*Plus That Uses an IAM Token
      • Using OCI Object Store for Network Service Configuration Information
    • Accessing a Database Cross-Tenancy Using an IAM Integration
      • About Cross-Tenancy Access for IAM Users to DBaaS Instances
      • Configuring Policies
        • Configuring the Source User Tenancy
        • Configuring the Target Database Resource Tenancy
        • Policy Examples for Cross-Tenancy Access
      • Mapping Database Schemas and Roles to Users and Groups in Another Tenancy
      • Configuring Database Clients for Cross-Tenancy Access
      • Requesting Cross-Tenancy Tokens Using the OCI Command-Line Interface
    • Database Links in an Oracle DBaaS-to-IAM Integration
    • Troubleshooting IAM Connections
      • Areas to Check on the Client-Side for ORA-01017 Errors
      • Database Client Trace Files
      • Check in the Oracle Cloud Infrastructure IAM and the Oracle Database for ORA-01017 Errors
      • ORA-01017 Errors Caused by Improperly Configured IAM Users
      • ORA-12599 and ORA-03114 Errors Caused When Trying to Access a Database Using a Token
      • Actions IAM Administrators Can Take to Address ORA-01017 Errors
  • 8 Authenticating and Authorizing Microsoft Azure Users for Oracle AI Databases
    • Introduction to Oracle Database Integration with Microsoft Entra ID
      • About Integrating Oracle AI Database with Microsoft Entra ID
      • Architecture of Oracle Database Integration with Microsoft Entra ID
      • Azure Users Mapping to an Oracle AI Database Schema and Roles
      • Use Cases for Connecting to an Oracle Database Using Entra ID
      • General Process of Authenticating Microsoft Entra ID Identities with Oracle AI Database
    • Configuring the Oracle Database for Microsoft Entra ID Integration
      • Oracle AI Database Requirements for the Microsoft Entra ID Integration
      • Registering the Oracle AI Database Instance with a Microsoft Entra ID Tenancy
      • Enabling Microsoft Entra ID v2 Access Tokens
      • Managing App Roles in Microsoft Entra ID
        • Creating a Microsoft Entra ID App Role
        • Assigning Users and Groups to the Microsoft Entra ID App Role
        • Assigning an Application to an App Role
      • Enabling Entra ID External Authentication for Oracle Database
      • Disabling Entra ID External Authentication for Oracle Database
    • Mapping Oracle Database Schemas and Roles
      • Exclusively Mapping an Oracle Database Schema to a Microsoft Azure User
      • Mapping a Shared Oracle Schema to an App Role
      • Mapping an Oracle Database Global Role to an App Role
    • Configuring Entra ID Client Connections to the Oracle Database
      • About Configuring Client Connections to Entra ID
      • Operational Flow for SQL*Plus Client Connection to Oracle AI Database Using Microsoft Entra ID OAuth2 Token
      • Supported Client Drivers for Entra ID Connections
      • Registering a Client with Entra ID Application Registration
        • Confidential and Public Client Registration
        • Registering a Database Client App with Entra ID
      • Configuration of Clients to Work with Microsoft Entra ID Tokens
        • Configuring Clients to Work with Microsoft Entra ID Tokens
        • Enabling Clients to Directly Retrieve Entra ID Tokens
        • Client Credential Flow
        • Enabling Clients to Retrieve Entra ID Tokens from a File Location
        • Using Azure App Configuration Store for Network Service Configuration Information
      • Examples of Retrieving Entra ID OAuth2 Tokens Outside an Oracle Database Client
        • About Examples of Retrieving Microsoft Entra ID OAuth2 Tokens Outside of an Oracle Database Client
        • Example: Requesting a Token Using a Python Script for the Interactive (Authorization) Flow
        • Example: Requesting a Token Using Azure CLI for the Interactive (Authorization) Flow
        • Requesting a Token Using the Azure CLI for the Client Credential Flow
      • Creating a Network Proxy for the Database to Connect with the Internet
        • About Creating a Network Proxy for the Database to Connect with the Internet
        • Testing the Accessibility of the Entra ID Endpoint
        • Creating the Network Proxy for the Default Oracle Database Environment
        • Creating the Network Proxy for an Oracle Real Application Clusters Environment
        • Creating the Network Proxy in the Windows Registry Editor
      • Using Centralized Entra ID Services for Net Naming and Secrets
    • Configuring Microsoft Entra ID Proxy Authentication
      • About Configuring Microsoft Entra ID Proxy Authentication
      • Configuring Proxy Authentication for the Azure User
      • Validating the Azure User Proxy Authentication
    • Configuring Microsoft Power BI Single-Sign On
      • About Configuring Microsoft Power BI Single-Sign On
      • Configuring the Oracle Database
      • Authorizing the User
      • Connecting Power BI to Oracle Database using Microsoft Entra ID
    • Troubleshooting Microsoft Entra ID Connections
      • Trace Files for Troubleshooting Oracle Database Client Connections with Entra ID
        • About Trace Files Used for Troubleshooting Connections
        • Setting Client Tracing for Token Authentication
      • ORA-12599 and ORA-03114 Errors Caused When Trying to Access a Database Using a Token
      • Checking the Entra ID Access Token Version
  • 9 Managing Security for Definer's Rights and Invoker's Rights
    • About Definer's Rights and Invoker's Rights
    • How Procedure Privileges Affect Definer's Rights
    • How Procedure Privileges Affect Invoker's Rights
    • When You Should Create Invoker's Rights Procedures
    • Controlling Invoker's Rights Privileges for Procedure Calls and View Access
      • How the Privileges of a Schema Affect the Use of Invoker's Rights Procedures
      • How the INHERIT [ANY] PRIVILEGES Privileges Control Privilege Access
      • Grants of the INHERIT PRIVILEGES Privilege to Other Users
      • Example: Granting INHERIT PRIVILEGES on an Invoking User
      • Example: Revoking INHERIT PRIVILEGES
      • Grants of the INHERIT ANY PRIVILEGES Privilege to Other Users
      • Example: Granting INHERIT ANY PRIVILEGES to a Trusted Procedure Owner
      • Managing INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES
    • Definer's Rights and Invoker's Rights in Views
      • About Controlling Definer's Rights and Invoker's Rights in Views
      • Using the BEQUEATH Clause in the CREATE VIEW Statement
      • Finding the User Name or User ID of the Invoking User
      • Finding BEQUEATH DEFINER and BEQUEATH_CURRENT_USER Views
    • Using Code Based Access Control for Definer's Rights and Invoker's Rights
      • About Using Code Based Access Control for Applications
      • Who Can Grant Code Based Access Control Roles to a Program Unit?
      • How Code Based Access Control Works with Invoker's Rights Program Units
      • How Code Based Access Control Works with Definer's Rights Program Units
      • Grants of Database Roles to Users for Their CBAC Grants
      • Grants and Revokes of Database Roles to a Program Unit
      • Tutorial: Controlling Access to Sensitive Data Using Code Based Access Control
        • About This Tutorial
        • Step 1: Create the User and Grant HR the CREATE ROLE Privilege
        • Step 2: Create the print_employees Invoker's Rights Procedure
        • Step 3: Create the hr_clerk Role and Grant Privileges for It
        • Step 4: Test the Code Based Access Control HR.print_employees Procedure
        • Step 5: Create the view_emp_role Role and Grant Privileges for It
        • Step 6: Test the HR.print_employees Procedure Again
        • Step 7: Remove the Components of This Tutorial
    • Controlling Definer's Rights Privileges for Database Links
      • About Controlling Definer's Rights Privileges for Database Links
      • Grants of the INHERIT REMOTE PRIVILEGES Privilege to Other Users
      • Example: Granting INHERIT REMOTE PRIVILEGES on a Connected User
      • Grants of the INHERIT ANY REMOTE PRIVILEGES Privilege to Other Users
      • Revokes of the INHERIT [ANY] REMOTE PRIVILEGES Privilege
      • Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege
      • Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege from PUBLIC
      • Tutorial: Using a Database Link in a Definer's Rights Procedure
        • About This Tutorial
        • Step 1: Create User Accounts
        • Step 2: As User dbuser2, Create a Table to Store User IDs
        • Step 3: As User dbuser1, Create a Database Link and Definer's Rights Procedure
        • Step 4: Test the Definer's Rights Procedure
        • Step 5: Remove the Components of This Tutorial
  • 10 Managing Fine-Grained Access in PL/SQL Packages and Types
    • About Managing Fine-Grained Access in PL/SQL Packages and Types
    • About Fine-Grained Access Control to External Network Services
    • About Access Control to Oracle Wallets
    • Upgraded Applications That Depend on Packages That Use External Network Services
    • Configuring Access Control for External Network Services
      • Syntax for Configuring Access Control for External Network Services
      • Enabling the Listener to Recognize Access Control for External Network Services
      • Example: Configuring Access Control for External Network Services
      • Revoking Access Control Privileges for External Network Services
      • Example: Revoking External Network Services Privileges
    • Configuring Access Control to an Oracle Wallet
      • About Configuring Access Control to an Oracle Wallet
      • Step 1: Configure the Operating System Certificate Store as the Default Wallet Path
      • Step 2: Configure Access Control Privileges for the Oracle Wallet
      • Step 3: Make the HTTP Request with the Passwords and Client Certificates
        • Making the HTTPS Request with the Passwords and Client Certificates
        • Using a Request Context to Hold the Wallet When Sharing the Session with Other Applications
        • Use of Only a Client Certificate to Authenticate
        • Use of a Password to Authenticate
      • Revoking Access Control Privileges for Oracle Wallets
      • Troubleshooting ORA-29024 Errors
    • Examples of Configuring Access Control for External Network Services
      • Example: Configuring Access Control for a Single Role and Network Connection
      • Example: Configuring Access Control for a User and Role
      • Example: Using the DBA_HOST_ACES View to Show Granted Privileges
      • Example: Configuring ACL Access Using Passwords in a Non-Shared Wallet
      • Example: Configuring ACL Access for a Wallet in a Shared Database Session
    • Specifying a Group of Network Host Computers
    • Precedence Order for a Host Computer in Multiple Access Control List Assignments
    • Precedence Order for a Host in Access Control List Assignments with Port Ranges
    • Checking Privilege Assignments That Affect User Access to Network Hosts
      • About Privilege Assignments that Affect User Access to Network Hosts
      • How to Check User Network Connection and Domain Privileges
      • Example: Administrator Checking User Network Access Control Permissions
      • How Users Can Check Their Network Connection and Domain Privileges
      • Example: User Checking Network Access Control Permissions
    • Configuring Network Access for Java Debug Wire Protocol Operations
    • Data Dictionary Views for Access Control Lists Configured for User Access
  • 11 Managing Security for a Multitenant Environment in Enterprise Manager
    • About Managing Security for a Multitenant Environment in Enterprise Manager
    • Logging into a Multitenant Environment in Enterprise Manager
      • Logging into a CDB or a PDB
      • Switching to a Different PDB or to the Root
    • Managing Common and Local Users in Enterprise Manager
      • Creating a Common User Account in Enterprise Manager
      • Editing a Common User Account in Enterprise Manager
      • Dropping a Common User Account in Enterprise Manager
      • Creating a Local User Account in Enterprise Manager
      • Editing a Local User Account in Enterprise Manager
      • Dropping a Local User Account in Enterprise Manager
    • Managing Common and Local Roles and Privileges in Enterprise Manager
      • Creating a Common Role in Enterprise Manager
      • Editing a Common Role in Enterprise Manager
      • Dropping a Common Role in Enterprise Manager
      • Revoking Common Privilege Grants in Enterprise Manager
      • Creating a Local Role in Enterprise Manager
      • Editing a Local Role in Enterprise Manager
      • Dropping a Local Role in Enterprise Manager
      • Revoking Local Privilege Grants in Enterprise Manager
• Part II Application Development Security
  • 12 Managing Security for Application Developers
    • About Application Security Policies
    • Considerations for Using Application-Based Security
      • Are Application Users Also Database Users?
      • Is Security Better Enforced in the Application or in the Database?
    • Use of the DB_DEVELOPER_ROLE Role for Application Developers
    • Securing Passwords in Application Design
      • General Guidelines for Securing Passwords in Applications
        • Platform-Specific Security Threats
        • Guidelines for Designing Applications to Handle Password Input
        • Guidelines for Configuring Password Formats and Behavior
        • Guidelines for Handling Passwords in SQL Scripts
      • Use of an External Password Store to Secure Passwords
      • Securing Passwords Using the ORAPWD Utility
      • Example: Java Code for Reading Passwords
    • Securing External Procedures
      • About Securing External Procedures
      • General Process for Configuring extproc for a Credential Authentication
      • extproc Process Authentication and Impersonation Expected Behaviors
      • Configuring Authentication for External Procedures
      • External Procedures for Legacy Applications
    • Securing LOBs with LOB Locator Signatures
      • About Securing LOBs with LOB Locator Signatures
      • Managing the Encryption of a LOB Locator Signature Key
    • Managing Application Privileges
    • Advantages of Using Roles to Manage Application Privileges
    • Creating Secure Application Roles to Control Access to Applications
      • Step 1: Create the Secure Application Role
      • Step 2: Create a PL/SQL Package to Define the Access Policy for the Application
        • About Creating a PL/SQL Package to Define the Access Policy for an Application
        • Creating a PL/SQL Package or Procedure to Define the Access Policy for an Application
        • Testing the Secure Application Role
    • Association of Privileges with User Database Roles
      • Why Users Should Only Have the Privileges of the Current Database Role
      • Use of the SET ROLE Statement to Automatically Enable or Disable Roles
    • Protecting Database Objects by Using Schemas
      • Protecting Database Objects in a Unique Schema
      • Protection of Database Objects in a Shared Schema
    • Object Privileges in an Application
      • What Application Developers Must Know About Object Privileges
      • SQL Statements Permitted by Object Privileges
    • Parameters for Enhanced Security of Database Communication
      • Bad Packets Received on the Database from Protocol Errors
      • Controlling Server Execution After Receiving a Bad Packet
      • Configuration of the Maximum Number of Authentication Attempts
      • Configuring the Display of the Database Version Banner
      • Configuring Banners for Unauthorized Access and Auditing User Actions
• Part III Controlling Access to Data
  • 13 Using Application Contexts to Retrieve User Information
    • About Application Contexts
      • What Is an Application Context?
      • Components of the Application Context
      • Where Are the Application Context Values Stored?
      • Benefits of Using Application Contexts
      • How Editions Affects Application Context Values
      • Application Contexts in a Multitenant Environment
    • Types of Application Contexts
    • Using Database Session-Based Application Contexts
      • About Database Session-Based Application Contexts
      • Components of a Database Session-Based Application Context
      • Creating Database Session-Based Application Contexts
        • About Creating Database Session-Based Application Contexts
        • Creating a Database Session-Based Application Context
        • Database Session-Based Application Contexts for Multiple Applications
      • Creating a Package to Set a Database Session-Based Application Context
        • About the Package That Manages the Database Session-Based Application Context
        • Using the SYS_CONTEXT Function to Retrieve Session Information
        • Checking the SYS_CONTEXT Settings
        • Dynamic SQL with SYS_CONTEXT
        • SYS_CONTEXT in a Parallel Query
        • SYS_CONTEXT with Database Links
        • DBMS_SESSION.SET_CONTEXT for Setting Session Information
        • Example: Simple Procedure to Create an Application Context Value
      • Logon Triggers to Run a Database Session Application Context Package
      • Example: Creating a Simple Logon Trigger
      • Example: Creating a Logon Trigger for a Production Environment
      • Example: Creating a Logon Trigger for a Development Environment
      • Tutorial: Creating and Using a Database Session-Based Application Context
        • Step 1: Create User Accounts and Ensure the User SCOTT Is Active
        • Step 2: Create the Database Session-Based Application Context
        • Step 3: Create a Package to Retrieve Session Data and Set the Application Context
        • Step 4: Create a Logon Trigger for the Package
        • Step 5: Test the Application Context
        • Step 6: Remove the Components of This Tutorial
      • Initializing Database Session-Based Application Contexts Externally
        • About Initializing Database Session-Based Application Contexts Externally
        • Default Values from Users
        • Values from Other External Resources
        • Example: Creating an Externalized Database Session-based Application Context
        • Initialization of Application Context Values from a Middle-Tier Server
      • Initializing Database Session-Based Application Contexts Globally
        • About Initializing Database Session-Based Application Contexts Globally
        • Database Session-Based Application Contexts with LDAP
        • How Globally Initialized Database Session-Based Application Contexts Work
        • Initializing a Database Session-Based Application Context Globally
      • Externalized Database Session-Based Application Contexts
    • Global Application Contexts
      • About Global Application Contexts
      • Uses for Global Application Contexts
      • Components of a Global Application Context
      • Global Application Contexts in an Oracle Real Application Clusters Environment
      • Creating Global Application Contexts
        • Ownership of the Global Application Context
        • Creating a Global Application Context
      • PL/SQL Package to Manage a Global Application Context
        • About the Package That Manages the Global Application Context
        • How Editions Affects the Results of a Global Application Context PL/SQL Package
        • DBMS_SESSION.SET_CONTEXT username and client_id Parameters
        • Sharing Global Application Context Values for All Database Users
        • Example: Package to Manage Global Application Values for All Database Users
        • Global Contexts for Database Users Who Move Between Applications
        • Global Application Context for Nondatabase Users
        • Example: Package to Manage Global Application Context Values for Nondatabase Users
        • Clearing Session Data When the Session Closes
      • Embedding Calls in Middle-Tier Applications to Manage the Client Session ID
        • About Managing Client Session IDs Using a Middle-Tier Application
        • Step 1: Retrieve the Client Session ID Using a Middle-Tier Application
        • Step 2: Set the Client Session ID Using a Middle-Tier Application
          • About Setting the Client Session ID Using a Middle-Tier Application
          • Setting the Client Session ID Using a Middle-Tier Application
          • Checking the Value of the Client Identifier
        • Step 3: Clear the Session Data Using a Middle-Tier Application
      • Tutorial: Creating a Global Application Context That Uses a Client Session ID
        • About This Tutorial
        • Step 1: Create User Accounts
        • Step 2: Create the Global Application Context
        • Step 3: Create a Package for the Global Application Context
        • Step 4: Test the Newly Created Global Application Context
        • Step 5: Modify the Session ID and Test the Global Application Context Again
        • Step 6: Remove the Components of This Tutorial
      • Global Application Context Processes
        • Simple Global Application Context Process
        • Global Application Context Process for Lightweight Users
    • Using Client Session-Based Application Contexts
      • About Client Session-Based Application Contexts
      • Setting a Value in the CLIENTCONTEXT Namespace
      • Retrieving the CLIENTCONTEXT Namespace
      • Example: Retrieving a Client Session ID Value for Client Session-Based Contexts
      • Clearing a Setting in the CLIENTCONTEXT Namespace
      • Clearing All Settings in the CLIENTCONTEXT Namespace
    • Application Context Data Dictionary Views
  • 14 Using Oracle Virtual Private Database to Control Data Access
    • About Oracle Virtual Private Database
      • What Is Oracle Virtual Private Database?
      • Benefits of Using Oracle Virtual Private Database Policies
        • Security Policies Based on Database Objects Rather Than Applications
        • Control Over How Oracle Database Evaluates Policy Functions
      • Who Can Create Oracle Virtual Private Database Policies?
      • Privileges to Run Oracle Virtual Private Database Policy Functions
      • Oracle Virtual Private Database Use with an Application Context
      • Oracle Virtual Private Database in a Multitenant Environment
    • Components of an Oracle Virtual Private Database Policy
      • Function to Generate the Dynamic WHERE Clause
      • Policies to Attach the Function to the Objects You Want to Protect
    • Configuration of Oracle Virtual Private Database Policies
      • About Oracle Virtual Private Database Policies
      • Attaching a Policy to a Database Table, View, or Synonym
      • Example: Attaching a Simple Oracle Virtual Private Database Policy to a Table
      • Enforcing Policies on Specific SQL Statement Types
      • Example: Specifying SQL Statement Types with DBMS_RLS.ADD_POLICY
      • Control of the Display of Column Data with Policies
        • Policies for Column-Level Oracle Virtual Private Database
        • Example: Creating a Column-Level Oracle Virtual Private Database Policy
        • Display of Only the Column Rows Relevant to the Query
        • Column Masking to Display Sensitive Columns as NULL Values
        • Example: Adding Column Masking to an Oracle Virtual Private Database Policy
      • Oracle Virtual Private Database Policy Groups
        • About Oracle Virtual Private Database Policy Groups
        • Creation of a New Oracle Virtual Private Database Policy Group
        • Default Policy Group with the SYS_DEFAULT Policy Group
        • Multiple Policies for Each Table, View, or Synonym
        • Validation of the Application Used to Connect to the Database
      • Optimizing Performance by Using Oracle Virtual Private Database Policy Types
        • About Oracle Virtual Private Database Policy Types
        • Dynamic Policy Type to Automatically Rerun Policy Functions
        • Example: Creating a DYNAMIC Policy with DBMS_RLS.ADD_POLICY
        • Static Policy to Prevent Policy Functions from Rerunning for Each Query
        • Example: Creating a Static Policy with DBMS_RLS.ADD_POLICY
        • Example: Shared Static Policy to Share a Policy with Multiple Objects
        • When to Use Static and Shared Static Policies
        • Context-Sensitive Policy for Application Context Attributes That Change
        • Example: Creating a Context-Sensitive Policy with DBMS_RLS.ADD_POLICY
        • Example: Refreshing Cached Statements for a VPD Context-Sensitive Policy
        • Example: Altering an Existing Context-Sensitive Policy
        • Example: Using a Shared Context Sensitive Policy to Share a Policy with Multiple Objects
        • When to Use Context-Sensitive and Shared Context-Sensitive Policies
        • Summary of the Five Oracle Virtual Private Database Policy Types
    • Tutorials: Creating Oracle Virtual Private Database Policies
      • Tutorial: Creating a Simple Oracle Virtual Private Database Policy
        • About This Tutorial
        • Step 1: Ensure That the OE User Account Is Active
        • Step 2: Create a Policy Function
        • Step 3: Create the Oracle Virtual Private Database Policy
        • Step 4: Test the Policy
        • Step 5: Remove the Components of This Tutorial
      • Tutorial: Implementing a Session-Based Application Context Policy
        • About This Tutorial
        • Step 1: Create User Accounts and Sample Tables
        • Step 2: Create a Database Session-Based Application Context
        • Step 3: Create a PL/SQL Package to Set the Application Context
        • Step 4: Create a Logon Trigger to Run the Application Context PL/SQL Package
        • Step 5: Test the Logon Trigger
        • Step 6: Create a PL/SQL Policy Function to Limit User Access to Their Orders
        • Step 7: Create the New Security Policy
        • Step 8: Test the New Policy
        • Step 9: Remove the Components of This Tutorial
      • Tutorial: Implementing an Oracle Virtual Private Database Policy Group
        • About This Tutorial
        • Step 1: Create User Accounts and Other Components for This Tutorial
        • Step 2: Create the Two Policy Groups
        • Step 3: Create PL/SQL Functions to Control the Policy Groups
        • Step 4: Create the Driving Application Context
        • Step 5: Add the PL/SQL Functions to the Policy Groups
        • Step 6: Test the Policy Groups
        • Step 7: Remove the Components of This Tutorial
    • How Oracle Virtual Private Database Works with Other Oracle Features
      • Oracle Virtual Private Database Policies with Editions
      • SELECT FOR UPDATE Statement in User Queries on VPD-Protected Tables
      • Oracle Virtual Private Database Policies and Outer or ANSI Joins
      • Oracle Virtual Private Database Security Policies and Applications
      • Automatic Reparsing for Fine-Grained Access Control Policies Functions
      • Oracle Virtual Private Database Policies and Flashback Queries
      • Oracle Virtual Private Database and Oracle Label Security
        • Using Oracle Virtual Private Database to Enforce Oracle Label Security Policies
        • Oracle Virtual Private Database and Oracle Label Security Exceptions
      • Export of Data Using the EXPDP Utility access_method Parameter
      • Oracle Virtual Private Database Policies and Oracle Flashback Time Travel
      • User Models and Oracle Virtual Private Database
      • Oracle Virtual Private Database and JSON
    • Oracle Virtual Private Database Data Dictionary Views
  • 15 Using Transparent Sensitive Data Protection
    • About Transparent Sensitive Data Protection
    • General Steps for Using Transparent Sensitive Data Protection
    • Benefits of Transparent Sensitive Data Protection Policies
    • Privileges Required for Using Transparent Sensitive Data Protection
    • How a Multitenant Environment Affects Transparent Sensitive Data Protection
    • Creating Transparent Sensitive Data Protection Policies
      • Step 1: Create a Sensitive Type
      • Step 2: Identify the Sensitive Columns to Protect
      • Step 3: Import the Sensitive Columns List from ADM into Your Database
      • Step 4: Create the Transparent Sensitive Data Protection Policy
        • About Creating the Transparent Sensitive Data Protection Policy
        • Creating the Transparent Sensitive Data Protection Policy
        • Setting the Oracle Data Redaction or Virtual Private Database Feature Options
        • Setting Conditions for the Transparent Sensitive Data Protection Policy
        • Specifying the DBMS_TSDP_PROTECT.ADD_POLICY Procedure
      • Step 5: Associate the Policy with a Sensitive Type
      • Step 6: Enable the Transparent Sensitive Data Protection Policy
        • Enabling Protection for the Current Database in a Protected Source
        • Enabling Protection for a Specific Table Column
        • Enabling Protection for a Specific Column Type
      • Step 7: Optionally, Export the Policy to Other Databases
    • Altering Transparent Sensitive Data Protection Policies
    • Disabling Transparent Sensitive Data Protection Policies
    • Dropping Transparent Sensitive Data Protection Policies
    • Using the Predefined REDACT_AUDIT Policy for Redaction
      • About the REDACT_AUDIT Policy
      • Variables Associated with Sensitive Columns
        • About Variables Associated with Sensitive Columns
        • Bind Variables and Sensitive Columns in the Expressions of Conditions
        • A Bind Variable and a Sensitive Column Appearing in the Same SELECT Item
        • Bind Variables in Expressions Assigned to Sensitive Columns in INSERT or UPDATE Operations
      • How Bind Variables on Sensitive Columns Behave with Views
      • Disabling the REDACT_AUDIT Policy
      • Enabling the REDACT_AUDIT Policy
    • Transparent Sensitive Data Protection Policies with Data Redaction
    • Using Transparent Sensitive Data Protection Policies with Oracle VPD Policies
      • About Using TSDP Policies with Oracle Virtual Private Database Policies
      • DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies
      • Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection
        • Step 1: Create the hr_appuser User Account
        • Step 2: Identify the Sensitive Columns
        • Step 3: Create an Oracle Virtual Private Database Function
        • Step 4: Create and Enable a Transparent Sensitive Data Protection Policy
        • Step 5: Test the Transparent Sensitive Data Protection Policy
        • Step 6: Remove the Components of This Tutorial
    • Using Transparent Sensitive Data Protection Policies with Unified Auditing
      • About Using TSDP Policies with Unified Audit Policies
      • Unified Audit Policy Settings That Are Used with TSDP Policies
    • Using Transparent Sensitive Data Protection Policies with Fine-Grained Auditing
      • About Using TSDP Policies with Fine-Grained Auditing
      • Fine-Grained Auditing Parameters That Are Used with TSDP Policies
    • Using Transparent Sensitive Data Protection Policies with TDE Column Encryption
      • About Using TSDP Policies with TDE Column Encryption
      • TDE Column Encryption ENCRYPT Clause Settings Used with TSDP Policies
    • Transparent Sensitive Data Protection Data Dictionary Views
  • 16 Encryption of Sensitive Credential Data in the Data Dictionary
    • About Encrypting Sensitive Credential Data in the Data Dictionary
    • How the Multitenant Option Affects the Encryption of Sensitive Data
    • Encrypting Sensitive Credential Data in System Tables
    • Rekeying Sensitive Credential Data in the SYS.LINK$ System Table
    • Deleting Sensitive Credential Data in System Tables
    • Restoring the Functioning of Database Links After a Lost Keystore
    • Data Dictionary Views for Encrypted Data Dictionary Credentials
  • 17 Securing and Isolating Resources Using DbNest
    • About DbNest
    • How DbNest Works
      • Purpose of DbNest
      • Linux Namespaces
      • DbNest Properties
      • DbNest Architecture
      • User Interface for DbNest
        • DbNest Initialization Parameters
        • DbNest Configuration File
      • How Oracle Database Manages a Nest
    • Enabling DbNest
    • Configuring File System Isolation for a Database Nest
  • 18 On-Demand Encryption of Data
    • About On-Demand Encryption of Data
    • Security Problems That Encryption Does Not Solve
      • Principle 1: Encryption Does Not Solve Access Control Problems
      • Principle 2: Encryption Does Not Protect Against a Malicious Administrator
      • Principle 3: Encrypting Everything Does Not Make Data Secure
    • Data Encryption Challenges
      • Encrypted Indexed Data
      • Generated Encryption Keys
      • Transmitted Encryption Keys
      • Storing Encryption Keys
        • About Storing Encryption Keys
        • Storage of Encryption Keys in the Database
        • Storage of Encryption Keys in the Operating System
        • Users Managing Their Own Encryption Keys
        • Manual Encryption with Transparent Database Encryption and Tablespace Encryption
      • Importance of Changing Encryption Keys
      • Encryption of Binary Large Objects
    • Data Encryption Storage with the DBMS_CRYPTO Package
    • Asymmetric Key Operations with the DBMS_CRYPTO Package
    • Examples of Using the Data Encryption API
      • Example: Data Encryption Procedure
      • Example: AES 256-Bit Data Encryption and Decryption Procedures
      • Example: Encryption and Decryption Procedures for BLOB Data
      • Example: Encrypting or Decrypting a Number String
• Part IV Securing Data on the Network
  • 19 Securing Data for Oracle AI Database Connections
  • 20 Configuring Oracle AI Database Native Network Encryption and Data Integrity
    • About Oracle Database Native Network Encryption and Data Integrity
      • How Oracle Database Native Network Encryption and Integrity Works
      • Advanced Encryption Standard
      • Choosing Between Native Network Encryption and Transport Layer Security
    • Oracle Database Native Network Encryption Data Integrity
    • Data Encryption and Integrity sqlnet.ora Parameters
      • About the Data Encryption and Integrity Parameters
      • Sample sqlnet.ora File
    • Data Integrity Algorithms Support
    • Diffie-Hellman Based Key Negotiation
    • Configuration of Data Encryption and Integrity
      • About Activating Encryption and Integrity
      • About Negotiating Encryption and Integrity
        • About the Values for Negotiating Encryption and Integrity
        • REJECTED Configuration Parameter
        • ACCEPTED Configuration Parameter
        • REQUESTED Configuration Parameter
        • REQUIRED Configuration Parameter
      • Configuring Encryption and Integrity Parameters Using Oracle Net Manager
        • Configuring Encryption on the Client and the Server
        • Configuring Integrity on the Client and the Server
        • Enabling Both Oracle Native Encryption and SSL Authentication for Different Users Concurrently
          • About Enabling Both Oracle Native Encryption and SSL Authentication for Different Users Concurrently
          • Configuring Both Oracle Native Encryption and SSL Authentication for Different Users Concurrently
    • Troubleshooting the Native Network Encryption Configuration
      • Checking if Native Network Encryption Is Enabled in the Current Session
      • ORA-12650 and ORA-12660 Errors in the Native Network Encryption Configuration
  • 21 Configuring Transport Layer Security Encryption
    • Transport Layer Security (TLS) and the Oracle Database
      • Self-signed Certificate vs Public Certificate Authority (CA) Signed Certificate
      • One-way TLS vs Mutual TLS
      • TLS With or Without a Client Wallet
      • Certificate DN Matching
      • Post-Quantum Cryptography
    • Configuring TLS for the Oracle Database and Client
      • About Configuring TLS for the Oracle Database
      • Configuring TLS Using a Public Certificate Authority Root of Trust for the Database Server Certificate
      • Configuring TLS with a Self-Signed Root Certificate
      • Configuring TLS Connection With a Client Wallet
      • Enabling Distinguished Name (DN) Matching
    • Advanced and Optional Configurations
      • Optional Parameters for Transport Layer Security
      • Mutual Transport Layer Security (mTLS)
        • Server Certificate DN Matching
      • Oracle Wallet Location
        • Configuring Wallet Location for the Client
        • Configuring Wallet Location for the Listener
        • Configuring PDB Wallet Location for server
        • Oracle Wallet Search Order
      • Enable Weak DN Matching
      • Private Key/Certificate Selection
        • Setting the SSL_CERTIFICATE_ALIAS Parameter
        • Setting the SSL_CERTIFICATE_THUMBPRINT Parameter
        • Setting the SSL_EXTENDED_KEY_USAGE Parameter
      • Transport Layer Security Encryption Combined with Authentication Methods
      • Specifying TLS Protocol and TLS Cipher Suites
        • Configuring TLS Protocol Versions
        • Configuring TLS Cipher Suites
          • Strong TLS Cipher Suites
          • Deprecated TLS Cipher Suites
          • Enabling Weak Cipher Suites
        • Allowing Certificates from Earlier Algorithms
        • Configuring TLS Key Exchange Algorithms
      • Certificate Validation with Certificate Revocation Lists
        • About Certificate Validation with Certificate Revocation Lists
        • What CRLs Should You Use?
        • How CRL Checking Works
        • Configuring Certificate Validation with Certificate Revocation Lists
          • About Configuring Certificate Validation with Certificate Revocation Lists
          • Enabling Certificate Revocation Status Checking for the Client or Server
          • Disabling Certificate Revocation Status Checking
        • Certificate Revocation List Management
          • About Certificate Revocation List Management
          • Displaying orapki Help for Commands That Manage CRLs
          • Renaming CRLs with a Hash Value for Certificate Validation
          • Uploading CRLs to Oracle Internet Directory
          • Listing CRLs Stored in Oracle Internet Directory
          • Viewing CRLs in Oracle Internet Directory
          • Deleting CRLs from Oracle Internet Directory
        • Troubleshooting CRL Certificate Validation
        • Oracle Net Tracing File Error Messages Associated with Certificate Validation
    • TLS and Other Oracle Products
      • Transport Layer Security Connections in an Oracle Real Application Clusters Environment
        • Step 1: Configure TCPS Protocol Endpoints
        • Step 2: Ensure That the LOCAL_LISTENER Parameter Is Correctly Set on Each Node
        • Step 3: Create Transport Layer Security Wallets and Certificates
          • Oracle Real Application Clusters Components That Need Certificates
          • Creating Transport Layer Security Wallets and Certificates
        • Step 4: Create a Wallet in Each Node of the Oracle RAC Cluster
        • Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files
        • Step 6: Restart the Database Instances and Listeners
        • Step 7: Test the Cluster Node Configuration
        • Step 8: Test the Remote Client Configuration
    • Troubleshooting the Transport Layer Security Configuration
    • Migrating to and Configuring Transport Layer Security Version 1.3
• Part V Managing Strong Authentication
  • 22 Introduction to Strong Authentication
    • What Is Strong Authentication?
    • Centralized Authentication and Single Sign-On
    • How Centralized Network Authentication Works
    • Supported Strong Authentication Methods
      • About Kerberos
      • About Remote Authentication Dial-In User Service (RADIUS)
      • About Transport Layer Security
    • Oracle Database Native Network Encryption/Strong Authentication Architecture
    • System Requirements for Strong Authentication
    • Oracle Database Native Network Encryption and Strong Authentication Restrictions
  • 23 Strong Authentication Administration Tools
    • About the Configuration and Administration Tools
    • Native Network Encryption and Strong Authentication Configuration Tools
      • About Oracle Net Manager
      • Kerberos Adapter Command-Line Utilities
    • orapki Utility for Public Key Infrastructure Credentials Management
    • Duties of Strong Authentication Administrators
  • 24 Configuring Kerberos Authentication
    • Introduction to Kerberos on Oracle Database
      • Kerberos Components in a Typical Oracle Database Configuration
      • Tickets Used in the Kerberos Configuration
        • Kerberos Client Ticket Granting Ticket
        • Kerberos Client Service Ticket
      • Kerberos Server Key Distribution Center
      • How Oracle Database Works with Kerberos
      • How to Securely Use Database Links with Kerberos and Microsoft Active Directory
      • Oracle Database Parameters Used in a Kerberos Configuration
      • How Authentication Works in an Oracle Database Kerberos Configuration
    • Enabling Kerberos Authentication
      • Step 1: Install Kerberos
      • Step 2: Configure a Service Principal for an Oracle Database Server
      • Step 3: Extract a Service Key Table from Kerberos
      • Step 4: Install an Oracle Database Server and an Oracle Client
      • Step 5: Configure Oracle Net Services and Oracle Database
      • Step 6: Configure Kerberos Authentication
        • Step 6A: Configure Kerberos on the Client and on the Database Server
        • Step 6B: Set the Initialization Parameters
        • Step 6C: Set sqlnet.ora Parameters (Optional)
        • Step 6D: Configure Kerberos to Use TCP or UDP (Optional)
      • Step 7: Create a Kerberos User
      • Step 8: Create an Externally Authenticated Oracle User
      • Step 9: Get an Initial Ticket for the Kerberos/Oracle User
    • Utilities for the Kerberos Authentication Adapter
      • okinit Utility Options for Obtaining the Initial Ticket
      • oklist Utility Options for Displaying Credentials
      • okdstry Utility Options for Removing Credentials from the Cache File
      • okcreate Utility Options for Automatic Keytab Creation
    • Connecting to an Oracle Database Server Authenticated by Kerberos
    • Configuring Interoperability with Microsoft Windows Server Domain Controller KDC
      • About Configuring Interoperability with a Microsoft Windows Server Domain Controller KDC
      • Step 1: Configure Oracle Kerberos Client for Microsoft Windows Server Domain Controller
        • Step 1A: Create the Client Kerberos Configuration Files
        • Step 1B: Specify the Oracle Configuration Parameters in the sqlnet.ora File
        • Step 1C: Optionally, Specify Additional Kerberos Principals Using tnsnames.ora
        • Step 1D: Specify the Listening Port Number
      • Step 2: Configure a Microsoft Windows Server Domain Controller KDC for the Oracle Client
        • Step 2A: Create the User Account
        • Step 2B: Create the Oracle Database Principal User Account and Keytab
      • Step 3: Configure Oracle Database for a Microsoft Windows Server Domain Controller KDC
        • Step 3A: Set Configuration Parameters in the sqlnet.ora File
        • Step 3B: Create an Externally Authenticated Oracle User
      • Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User
    • Configuring Kerberos Authentication Fallback Behavior
    • Troubleshooting the Oracle Kerberos Authentication Configuration
      • Common Kerberos Configuration Problems
      • ORA-12631 Errors in the Kerberos Configuration
      • ORA-28575 Errors in the Kerberos Configuration
      • ORA-01017 Errors in the Kerberos Configuration
      • Enabling Tracing for Kerberos okinit Operations
  • 25 Configuring PKI Certificate Authentication
    • How Oracle Database Uses Transport Layer Security for Authentication
    • Enabling Oracle Internet Directory to Use Transport Layer Security Authentication
    • Configuring User Authentication with Transport Layer Security
    • Configuring Transport Layer Security for Client Authentication and Encryption with X.509 Certificates
      • About Configuring TLS for Client Authentication and Encryption with X.509 Certificates
      • Configuring the Server for Authentication and Encryption with X.509 Certificates
        • Step 1: Create and Configure the Server Wallet for the X.509 Certificate
        • Step 2: Shut Down the Oracle Listener on the Server
        • Step 3: Configure the sqlnet.ora File on the Server
        • Step 4: For Logical Volume Management, Configure the Server listener.ora File
        • Step 5: For Grid Infrastructure, Configure the Server Listener Process
        • Step 6: Set Initialization Parameters on the Server
        • Step 7: Create an External Database User on the Server
        • Step 8: Restart and Check the Listener Process on the Server
      • Configuring the Client for Authentication and Encryption with X.509 Certificates
        • Step 1: Configure the sqlnet.ora File on the Client
        • Step 2: Configure the tnsnames.ora File on the Client
        • Step 3: Configure Microsoft Certificate Store on the Client
          • About Configuring Microsoft Certificate Store on the Client
          • Setting the TNS_ADMIN Environment Variable
          • Configuring Microsoft Certificate Store on the Client
          • Testing the Microsoft Certificate Store Configuration Using tnsping
          • Testing the Microsoft Certificate Store Configuration Using SQL*Plus
    • Configuring Email over Transport Layer Security with an Oracle Wallet
    • Troubleshooting Transport Layer Security Errors
      • Step 1: Check the TLS Connection with the tnsping Utility
      • Step 2: Check the SSL_VERSION Parameter
      • Step 3: Check the Wallet File Permissions
      • Step 4: Check the Wallet Settings in the sqlnet.ora and listener.ora Files
      • Step 5: Enable Tracing for the SQL*Net and Listener Connections
  • 26 Configuring RADIUS Authentication
    • About Configuring RADIUS Authentication
    • RADIUS Components
    • RADIUS Authentication Modes
      • Synchronous Authentication Mode
        • Sequence for Synchronous Authentication Mode
        • Example: Synchronous Authentication with Tokens
      • Challenge-Response (Asynchronous) Authentication Mode
        • Sequence for Challenge-Response (Asynchronous) Authentication Mode
        • Example: Asynchronous Authentication with Tokens
    • RADIUS Parameters
      • RADIUS Parameters for Clients and Servers
      • Minimum RADIUS Parameters
      • Initialization File Parameter for RADIUS
    • Enabling RADIUS Authentication, Authorization, and Accounting
      • Step 1: Configure RADIUS Authentication
        • Step 1A: Configure RADIUS on the Oracle Client
        • Step 1B: Configure RADIUS on the Oracle Database Server
          • Step 1B (1): Create the RADIUS Secret Key File on the Oracle Database Server
          • Step 1B (2): Configure RADIUS Parameters on the Server (sqlnet.ora file)
          • Step 1B (3): Set Oracle Database Server Initialization Parameters
        • Step 1C: Configure Additional RADIUS Features
          • Step 1C(1): Change Default Settings
          • Step 1C(2): Configure Challenge-Response Mode
          • Step 1C(3): Set Parameters for an Alternate RADIUS Server
          • Step 1C(4): Enable Access by Non-TCPS Protocols or Older Clients
      • Step 2: Create a User and Grant Access
      • Step 3: Configure External RADIUS Authorization (Optional)
        • Step 3A: Configure the Oracle Server (RADIUS Client)
        • Step 3B: Configure the Oracle Client Where Users Log In
        • Step 3C: Configure the RADIUS Server
      • Step 4: Configure RADIUS Accounting
        • Step 4A: Set RADIUS Accounting on the Oracle Database Server
        • Step 4B: Configure the RADIUS Accounting Server
      • Step 5: Add the RADIUS Client Name to the RADIUS Server Database
      • Step 6: Configure the Authentication Server for Use with RADIUS
      • Step 7: Configure the RADIUS Server for Use with the Authentication Server
      • Step 8: Configure Mapping Roles
    • Using RADIUS to Log in to a Database
    • Integrating Authentication Devices Using RADIUS
      • About the RADIUS Challenge-Response User Interface
      • Customizing the RADIUS Challenge-Response User Interface
      • Example: Using the OracleRadiusInterface Interface
  • 27 Customizing the Use of Strong Authentication
    • Connecting to a Database Using Strong Authentication
    • Disabling Strong Authentication and Native Network Encryption
    • Configuring Multiple Authentication Methods
    • Configuring Oracle Database for External Authentication
      • Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
      • Setting OS_AUTHENT_PREFIX to a Null Value
• Part VI Monitoring Database Activity with Auditing
  • 28 Introduction to Auditing
    • What Is Auditing?
    • Why Is Auditing Used?
    • Best Practices for Auditing
    • Unified Auditing and Its Benefits
    • Who Can Perform Auditing?
    • Handling the Desupport of Traditional Auditing
    • Unified Auditing in a Multitenant Environment
    • Auditing in a Distributed Database
  • 29 Provisioning Audit Policies
    • Getting Started with Auditing
    • About Audit Policies
    • Activities That Are Mandatorily Audited
    • Auditing Activities with the Predefined Unified Audit Policies
      • About Auditing Activities with the Predefined Unified Audit Policies
      • Secure Options Predefined Unified Audit Policy
      • Oracle Database Parameter Changes Predefined Unified Audit Policy
      • User Account and Privilege Management Predefined Unified Audit Policy
      • Center for Internet Security Recommendations Predefined Unified Audit Policy
      • Security Technical Implementation Guide Predefined Unified Audit Policies
        • STIG Recommendations Predefined Unified Audit Policy
        • All Top Level Actions Predefined Unified Audit Policy
        • Logon and Logout Predefined Unified Audit Policy
      • ORA_DICTIONARY Sensitive Column Queries Predefined Unified Audit Policy
      • Oracle Database Real Application Security Predefined Audit Policies
        • System Administrator Operations Predefined Unified Audit Policy
        • Session Operations Predefined Unified Audit Policy
      • Oracle Database Vault Predefined Unified Audit Policy for DVSYS and LBACSYS Schemas
      • Oracle Database Vault Predefined Unified Audit Policy for Default Realms and Command Rules
      • Oracle Label Security Predefined Unified Audit Policy for LBACSYS Objects
    • Steps to Provision Unified Audit Policies
      • Auditing Most Commonly Used Security-Relevant Activities
      • Auditing SQL Statements, Privileges, and Other Activities of Interest
      • Value-Based Fine-Grained Audit Activities
    • Common Audit Configurations Across All PDBs
    • General Audit Data Dictionary Views
  • 30 Creating Custom Unified Audit Policies
    • About Custom Unified Audit Policies
    • Best Practices for Creating Custom Unified Audit Policies
    • Syntax for Creating a Custom Unified Audit Policy
    • Auditing Standard Oracle Database Components
      • Auditing Roles
        • About Role Auditing
        • Configuring Role Unified Audit Policies
        • Example: Auditing the Predefined Common DBA Role
      • Auditing System Privileges
        • About System Privilege Auditing
        • System Privileges That Can Be Audited
        • System Privileges That Cannot Be Audited
        • Configuring a Unified Audit Policy to Capture System Privilege Use
        • Example: Auditing a User Who Has ANY Privileges
        • Example: Using a Condition to Audit a System Privilege
        • How System Privilege Unified Audit Policies Appear in the Audit Trail
      • Auditing Administrative Users
        • Administrative User Accounts That Can Be Audited
        • Configuring a Unified Audit Policy to Capture Administrator Activities
        • Example: Auditing the SYS User
      • Auditing Object Actions
        • About Auditing Object Actions
        • Object Actions That Can Be Audited
        • Guidelines for Column Level Auditing and Virtual Columns
        • Configuring an Object Action Unified Audit Policy
        • Example: Auditing Actions on SYS Objects
        • Example: Auditing Multiple Actions on One Object
        • Example: Auditing GRANT and REVOKE Operations on an Object
        • Example: Auditing Both Actions and Privileges on an Object
        • Example: Auditing an Action on a Table Column
        • Example: Auditing All Actions on a Table
        • Example: Auditing All Actions in the Database
        • Example: Deep Data Security Audit Policy
        • How Object Action Unified Audit Policies Appear in the Audit Trail
        • Auditing Functions, Procedures, Packages, and Triggers
        • Auditing of Oracle Virtual Private Database Predicates
        • Audit Policies for Oracle Virtual Private Database Policy Functions
        • Unified Auditing with Editioned Objects
      • Auditing the READ ANY TABLE and SELECT ANY TABLE Privileges
        • About Auditing the READ ANY TABLE and SELECT ANY TABLE Privileges
        • Creating a Unified Audit Policy to Capture READ Object Privilege Operations
        • How the Unified Audit Trail Captures READ ANY TABLE and SELECT ANY TABLE
      • Auditing Only Top-Level Statements
        • About Auditing Only Top-Level SQL Statements
        • Configuring a Unified Audit Policy to Capture Only Top-Level Statements
        • Example: Auditing Top-Level Statements
        • Example: Comparison of Top-Level SQL Statement Audits
        • How the Unified Audit Trail Captures Top-Level SQL Statements
    • Unified Auditing with Configurable Conditions
      • About Conditions in Unified Audit Policies
      • Configuring a Unified Audit Policy with a Condition
      • Example: Auditing Access to SQL*Plus
      • Example: Auditing Actions Not in Specific Hosts
      • Example: Auditing Both a System-Wide and a Schema-Specific Action
      • Example: Auditing a Condition Per Statement Occurrence
      • Example: Unified Audit Session ID of a Current Administrative User Session
      • Example: Unified Audit Session ID of a Current Non-Administrative User Session
      • How Audit Records from Conditions Appear in the Audit Trail
    • Auditing for Multitier or Multitenant Configurations
      • Auditing in a Multitier Deployment
      • Auditing in a Multitenant Deployment
        • About Local, CDB Common, and Application Common Audit Policies
        • Common Audit Configurations Across All PDBs
        • Unified Audit Policies in an Application Root
        • Configuring a Local Unified Audit Policy or Common Unified Audit Policy
        • Example: Local Unified Audit Policy
        • Example: CDB Common Unified Audit Policy
        • Example: Application Common Unified Audit Policy
        • How Local or Common Audit Policies or Settings Appear in the Audit Trail
    • Extending Unified Auditing to Capture Custom Attributes
      • About Auditing Application Context Values
      • Configuring Application Context Audit Settings
      • Disabling Application Context Audit Settings
      • Example: Auditing Application Context Values in a Default Database
      • Example: Auditing Application Context Values from Oracle Label Security
      • How Audited Application Contexts Appear in the Audit Trail
    • Auditing Components of Other Oracle Products and Features
      • Auditing Oracle SQL Firewall
        • About Auditing Oracle SQL Firewall
        • Example: Auditing Oracle SQL Firewall Violations
        • How Oracle SQL Firewall Events Appear in the Audit Trail
      • Auditing Oracle Database Vault Events
        • About Auditing Oracle Database Vault Events
        • Who Is Audited in Oracle Database Vault?
        • About Oracle Database Vault Unified Audit Trail Events
        • Oracle Database Vault Realm Audit Events
        • Oracle Database Vault Rule Set and Rule Audit Events
        • Oracle Database Vault Command Rule Audit Events
        • Oracle Database Vault Factor Audit Events
        • Oracle Database Vault Secure Application Role Audit Events
        • Oracle Database Vault Oracle Label Security Audit Events
        • Oracle Database Vault Oracle Data Pump Audit Events
        • Oracle Database Vault Enable and Disable Audit Events
        • Configuring a Unified Audit Policy for Oracle Database Vault
        • Example: Auditing an Oracle Database Vault Realm
        • Example: Auditing an Oracle Database Vault Rule Set
        • Example: Auditing Two Oracle Database Vault Events
        • Example: Auditing Oracle Database Vault Factors
        • How Oracle Database Vault Audited Events Appear in the Audit Trail
      • Auditing Oracle Database Real Application Security Events
        • About Auditing Oracle Database Real Application Security Events
        • Real Application Security Auditable Events
        • Real Application Security User, Privilege, and Role Audit Events
        • Real Application Security Security Class and ACL Audit Events
        • Real Application Security Session Audit Events
        • Real Application Security ALL Events
        • Configuring a Unified Audit Policy for Oracle Database Real Application Security
        • Example: Auditing Real Application Security User Account Modifications
        • Example: Using a Condition in a Real Application Security Unified Audit Policy
        • How Oracle Database Real Application Security Events Appear in the Audit Trail
      • Auditing Oracle Recovery Manager Events
        • About Auditing Oracle Recovery Manager Events
        • Oracle Recovery Manager Unified Audit Trail Events
        • How Oracle Recovery Manager Audited Events Appear in the Audit Trail
      • Auditing Oracle Label Security Events
        • About Auditing Oracle Label Security Events
        • Oracle Label Security Unified Audit Trail Events
        • Oracle Label Security Auditable User Session Labels
        • Configuring a Unified Audit Policy for Oracle Label Security
        • Example: Auditing Oracle Label Security Session Label Attributes
        • Example: Excluding a User from an Oracle Label Security Policy
        • Example: Auditing Oracle Label Security Policy Actions
        • Example: Querying for Audited OLS Session Labels
        • How Oracle Label Security Audit Events Appear in the Audit Trail
      • Auditing Oracle Data Pump Events
        • About Auditing Oracle Data Pump Events
        • Oracle Data Pump Unified Audit Trail Events
        • Configuring a Unified Audit Policy for Oracle Data Pump
        • Example: Auditing Oracle Data Pump Import Operations
        • Example: Auditing All Oracle Data Pump Operations
        • How Oracle Data Pump Audit Events Appear in the Audit Trail
      • Auditing Oracle SQL*Loader Direct Load Path Events
        • About Auditing in Oracle SQL*Loader Direct Path Load Events
        • Oracle SQL*Loader Direct Load Path Unified Audit Trail Events
        • Configuring a Unified Audit Trail Policy for Oracle SQL*Loader Direct Path Events
        • Example: Auditing Oracle SQL*Loader Direct Path Load Operations
        • How SQL*Loader Direct Path Load Audited Events Appear in the Audit Trail
      • Auditing Oracle XML DB HTTP and FTP Protocols
        • About Auditing Oracle XML DB HTTP and FTP Protocols
        • Configuring a Unified Audit Policy to Capture Oracle XML DB HTTP and FTP Protocols
        • Example: Auditing Failed Oracle XML DB HTTP Messages
        • Example: Auditing All Oracle XML DB FTP Messages
        • Example: Auditing Oracle XML DB HTTP Messages That Have 401 AUTH Errors
        • How the Unified Audit Trail Captures Oracle XML DB HTTP and FTP Protocol Messages
      • Auditing Oracle Machine Learning for SQL Events
        • About Auditing Oracle Machine Learning for SQL Events
        • Oracle Machine Learning for SQL Unified Audit Trail Events
        • Configuring a Unified Audit Policy for Oracle Machine Learning for SQL
        • Example: Auditing Multiple Oracle Machine Learning for SQL Operations by a User
        • Example: Auditing All Failed Oracle Machine Learning for SQL Operations by a User
        • How Oracle Machine Learning for SQL Events Appear in the Audit Trail
    • Managing Unified Audit Policies
      • Altering Unified Audit Policies
        • About Altering Unified Audit Policies
        • Altering a Unified Audit Policy
        • Example: Altering a Condition in a Unified Audit Policy
        • Example: Altering an Oracle Label Security Component in a Unified Audit Policy
        • Example: Altering Roles in a Unified Audit Policy
        • Example: Dropping a Condition from a Unified Audit Policy
        • Example: Altering an Existing Unified Audit Policy Top-Level Statement Audits
      • Enabling and Applying Unified Audit Policies to Users and Roles
        • About Enabling Unified Audit Policies
        • Enabling a Unified Audit Policy
        • Example: Enabling a Unified Audit Policy
      • Disabling Unified Audit Policies
        • About Disabling Unified Audit Policies
        • Disabling a Unified Audit Policy
        • Example: Disabling a Unified Audit Policy
      • Dropping Unified Audit Policies
        • About Dropping Unified Audit Policies
        • Dropping a Unified Audit Policy
        • Example: Disabling and Dropping a Unified Audit Policy
    • Tutorial: Auditing Nondatabase Users
      • Step 1: Create the User Accounts and Ensure the User OE Is Active
      • Step 2: Create the Unified Audit Policy
      • Step 3: Test the Policy
      • Step 4: Remove the Components of This Tutorial
    • Unified Audit Policy Data Dictionary Views
  • 31 Value-Based Auditing with Fine-Grained Audit Policies
    • Overview of Fine-Grained Auditing
      • About Fine-Grained Auditing
      • Where Are Fine-Grained Audit Records Stored?
      • Who Can Perform Fine-Grained Auditing?
      • Fine-Grained Auditing on Tables or Views That Have Oracle VPD Policies
      • Fine-Grained Auditing in a Multitenant Environment
      • Fine-Grained Audit Policies with Editions
    • Creating Fine-Grained Audit Policies
      • About Creating a Fine-Grained Audit Policy
      • Syntax for Creating a Fine-Grained Audit Policy
      • Example: Using DBMS_FGA.ADD_POLICY to Create a Fine-Grained Audit Policy
      • Audits of Specific Columns and Rows
    • Managing Fine-Grained Audit Policies
      • Enabling a Fine-Grained Audit Policy
      • Disabling a Fine-Grained Audit Policy
      • Dropping a Fine-Grained Audit Policy
    • Tutorial: Adding an Email Alert to a Fine-Grained Audit Policy
      • About This Tutorial
      • Step 1: Install and Configure the UTL_MAIL PL/SQL Package
      • Step 2: Create User Accounts
      • Step 3: Configure an Access Control List File for Network Services
      • Step 4: Create the Email Security Alert PL/SQL Procedure
      • Step 5: Create and Test the Fine-Grained Audit Policy Settings
      • Step 6: Test the Alert
      • Step 7: Remove the Components of This Tutorial
    • Fine-Grained Audit Policy Data Dictionary Views
  • 32 Administering the Audit Trail
    • Managing the Unified Audit Trail
      • How and Where Unified Audit Records Are Created
      • Sizing Recommendations for Unified Auditing
      • Managing Potential Sensitive Data Visibility in the Audit Trail
      • How Audit Trail Records Are Written to the AUDSYS Schema
      • Writing the Unified Audit Trail Records to SYSLOG or the Windows Event Viewer
        • About Writing the Unified Audit Trail Records to SYSLOG or the Windows Event Viewer
        • Enabling SYSLOG and Windows Event Viewer Captures for the Unified Audit Trail
        • Configuring Auditing in Automatic Storage Management Instances
      • How Unified Audit Records are Written to the Operating System
      • Moving Operating System Audit Records into the Unified Audit Trail
      • Improving the Performance of Queries and Purge Operations
      • Using Oracle Data Pump to Export and Import Unified Audit Trail Records
      • How Do Cursors Affect Auditing?
    • Archiving the Audit Trail
      • Archiving the Traditional Operating System Audit Trail
      • Archiving the Unified and Traditional Database Audit Trails
    • Purging Audit Trail Records
      • About Purging Audit Trail Records
      • Selecting an Audit Trail Purge Method
        • Purging the Audit Trail on a Regularly Scheduled Basis
        • Purging the Audit Trail on Demand
      • Scheduling an Automatic Purge Job for the Audit Trail
        • About Scheduling an Automatic Purge Job
        • Step 1: Ensure Online and Archive redo Log Sizes Are Tuned Appropriately
        • Step 2: Optionally, Set an Archive Timestamp for Audit Records
        • Step 3: Create and Schedule the Purge Job
      • Manually Purging the Audit Trail
        • About Manually Purging the Audit Trail
        • Using DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL to Manually Purge the Audit Trail
      • Other Audit Trail Purge Operations
        • Enabling or Disabling an Audit Trail Purge Job
        • Setting the Default Audit Trail Purge Job Interval for a Specified Purge Job
        • Deleting an Audit Trail Purge Job
        • Clearing the Archive Timestamp Setting
      • Example: Directly Calling a Unified Audit Trail Purge Operation
      • Purge CLI Records in Databases Upgraded from Oracle Database 12.1 or Earlier
    • Audit Trail Management Data Dictionary Views
• Appendixes
  • A Keeping Your Oracle AI Database Secure
    • About the Oracle AI Database Security Guidelines
    • Downloading Security Patches and Contacting Oracle Regarding Vulnerabilities
      • Downloading Security Patches and Workaround Solutions
      • Contacting Oracle Security Regarding Vulnerabilities in Oracle Database
    • Guidelines for Securing User Accounts and Privileges
    • Guidelines for Securing Passwords
    • Securing Authentication for Oracle Database Microsoft Windows Installations
    • Guidelines for Securing Roles
    • Guidelines for Securing Data
    • Guidelines for Securing the ORACLE_LOADER Access Driver
    • Guidelines for Securing a Database Installation and Configuration
    • Guideline for Securing Multitenant PDBs from the Root in a Linux Environment
    • Guidelines for Securing the Network
      • Client Connection Security
      • Network Connection Security
      • Transport Layer Security Connection Security
    • Guideline for Securing External Procedures
    • Guidelines for Auditing
      • Manageability of Audited Information
      • Audits of Typical Database Activity
      • Audits of Suspicious Database Activity
      • Audits of Sensitive Data
      • Recommended Audit Settings
      • Best Practices for Querying the UNIFIED_AUDIT_TRAIL Data Dictionary View
    • Addressing the CONNECT Role Change
      • Why Was the CONNECT Role Changed?
      • How the CONNNECT Role Change Affects Applications
        • How the CONNECT Role Change Affects Database Upgrades
        • How the CONNECT Role Change Affects Account Provisioning
        • How the CONNECT Role Change Affects Applications Using New Databases
      • How the CONNECT Role Change Affects Users
        • How the CONNECT Role Change Affects General Users
        • How the CONNECT Role Change Affects Application Developers
        • How the CONNECT Role Change Affects Client Server Applications
      • Approaches to Addressing the CONNECT Role Change
        • Creating a New Database Role
        • Restoring the CONNECT Privilege
        • Data Dictionary View to Show CONNECT Grantees
        • Least Privilege Analysis Studies
  • B Managing Oracle AI Database Wallets and Certificates
    • Introduction to Oracle Database Wallets and Certificates
      • About Oracle Database Wallets
      • About Oracle Database Certificates
      • About Certificate Authority (CA)
      • Tools Used to Manage Oracle AI Database Wallets and Certificates
      • General Process of Managing Oracle Database Wallets and Certificates
      • Oracle Database Wallet Search Order
    • Managing Oracle Database Wallets and Certificates with the orapki Utility
      • About Managing Oracle Database Wallets and Certificates with the orapki Utility
      • orapki Utility Syntax
    • Managing Oracle Database Wallets
      • Creating a PKCS#12 Wallet
      • Importing a PKCS#12 Wallet
      • Creating an Auto-Login-Only Wallet
      • Creating a Local Auto-Login Wallet
      • Creating an Auto-Login Wallet That Is Associated with a PKCS#12 Wallet
      • Viewing a Wallet
      • Modifying the Password for a Wallet
      • Converting an Oracle Wallet to Use the AES256 Algorithm
      • Deleting a Wallet
    • Managing Oracle Database Certificates
      • Certificate Store Location for System Wallets
      • Adding a Certificate Request to an Oracle Wallet
      • Creating Signed Certificates
      • Creating a Signed Certificate Using a Self-Signed Root
      • Adding a Trusted Certificate to an Oracle Wallet
      • Adding a Root Certificate to an Oracle Wallet
      • Adding Root Certificate Authority That Requires an Intermediate Certificate Using Microsoft Internet Explorer
      • Adding a User Certificate to an Oracle Wallet
      • Verifying Credentials on the Hardware Device That Uses a PKCS#11 Wallet
      • Adding PKCS#11 Information to an Oracle Wallet
      • Viewing a Certificate
      • Controlling MD5 and SHA-1 Certificate Use
      • Certificate Import and Export Operations
        • Importing a User-Supplied or Trusted Certificate into an Oracle Wallet
        • Exporting Certificates and Certificate Requests from an Oracle Wallet
      • Management of Certificate Revocation Lists (CRLs) with orapki Utility
    • Examples of Creating Wallets and Certificates Using orapki
      • Example: Wallet with a Self-Signed Certificate and Export of the Certificate
      • Example: Creating a Wallet and a User Certificate
    • orapki Utility Commands Summary
      • orapki cert create
      • orapki cert display
      • orapki crl delete
      • orapki crl display
      • orapki crl hash
      • orapki crl list
      • orapki crl upload
      • orapki secretstore create_credential
      • orapki secretstore create_entry
      • orapki secretstore create_user_credential
      • orapki secretstore delete_credential
      • orapki secretstore delete_entry
      • orapki secretstore delete_user_credential
      • orapki secretstore list_credentials
      • orapki secretstore list_entries
      • orapki secretstore list_entries_unsorted
      • orapki secretstore modify_credential
      • orapki secretstore modify_entry
      • orapki secretstore modify_user_credential
      • orapki secretstore view_entry
      • orapki wallet add
      • orapki wallet change_pwd
      • orapki wallet convert
      • orapki wallet create
      • orapki wallet delete
      • orapki wallet display
      • orapki wallet export
      • orapki wallet export_private_key
      • orapki wallet import_pkcs12
      • orapki wallet import_private_key
      • orapki wallet jks_to_pkcs12
      • orapki wallet pkcs12_to_jks
      • orapki wallet remove
    • mkstore Utility Commands Summary
      • mkstore create
      • mkstore createALO
      • mkstore createCredential
      • mkstore createEntry
      • mkstore createUserCredential
      • mkstore delete
      • mkstore deleteCredential
      • mkstore deleteEntry
      • mkstore deleteSSO
      • mkstore deleteUserCredential
      • mkstore list
      • mkstore listCredential
      • mkstore modifyCredential
      • mkstore modifyEntry
      • mkstore modifyUserCredential
      • mkstore viewEntry
  • C Oracle AI Database FIPS 140-2 and 140-3 Settings
    • About the Oracle AI Database FIPS 140-2 Settings
      • Ensuring Encryption Algorithms are FIPS 140-3 Compliant
    • Configuration of FIPS 140-2 Using the Consolidated FIPS_140 Parameter
      • About Configuration of FIPS 140-2 Using the FIPS_140 Parameter
      • Configuring the FIPS_140 Parameter
      • Running orapki in FIPS Mode
      • Configuring Standalone Java FIPS for Running Java Client Applications in FIPS Mode
      • Enabling FIPS by Running the enable_fips.py Python Script
      • FIPS-Supported Algorithms for Transparent Data Encryption
      • FIPS-Supported Cipher Suites for DBMS_CRYPTO
      • FIPS-Supported Cipher Suites for Transport Layer Security
      • FIPS-Supported Algorithms for Network Native Encryption
    • Legacy FIPS 140-2 Configurations
      • About Legacy FIPS 140-2 Configurations
      • Configuring FIPS 140-2 for Transparent Data Encryption and DBMS_CRYPTO
      • Configuring FIPS 140-2 for Transport Layer Security
      • Configuring FIPS 140-2 for Native Network Encryption
    • Postinstallation Checks for FIPS 140-2
    • Verifying FIPS 140-2 Connections
      • Verifying FIPS 140-2 Connections When Using the FIPS_140 Parameter
      • Verifying FIPS 140-2 Connections for Transport Layer Security
      • Verifying FIPS 140-2 Connections for Network Native Encryption
      • Verifying FIPS 140-2 Connections for Transparent Data Encryption and DBMS_CRYPTO
    • Managing Deprecated Weaker Algorithm Keys
  • D Considerations for Transitioning from Traditional to Unified Auditing
• Glossary
• Index