The SPARC S7 processor in MiniCluster facilitates hardware-assisted, high-performance encryption for the data protection needs of security-sensitive IT environments. The SPARC M7 processor also features Silicon Secured Memory technology that ensures the prevention of malicious application-level attacks such as memory scraping, silent memory corruption, buffer overruns, and related attacks.
The SPARC processor enables hardware-assisted cryptographic acceleration support for over 16 industry-standard cryptographic algorithms. Together, these algorithms support most modern cryptographic needs, including public-key encryption, symmetric-key encryption, random number generation, and the calculation and verification of digital signatures and message digests. In addition, at the operating system level, cryptographic hardware acceleration is enabled by default for most core services including Secure Shell, IPSec/IKE, and encrypted ZFS data sets.
Oracle Database and Oracle Fusion Middleware automatically identify the Oracle Solaris OS and the SPARC processor used by MiniCluster. This identification enables the database and middleware to automatically use the hardware cryptographic acceleration capabilities of the platform for TLS, WS-Security, or tablespace encryption operations. The identification also allows the use the Silicon Secured Memory feature to ensure memory protection, and ensure application data integrity without the need for end-user configuration. MiniCluster supports the use of IPSec (IP Security) and IKE (Internet Key Exchange) is recommended to protect the confidentiality and integrity of VM-specific and inter-VM communications flowing over the public and private network.
On MiniCluster, ZFS data set encryption leverages a centralized Oracle Solaris PKCS#11 keystore to securely protect the wrapping keys. Using the Oracle Solaris PKCS#11 keystore automatically engages the SPARC hardware-assisted cryptographic acceleration for all encryption operations. This allows Oracle to significantly improve the performance of the encryption and decryption operations associated with encryption of ZFS data sets, Oracle Database Transparent Data Encryption (TDE), tablespace encryption, encrypted database backups (using Oracle Recovery Manager [Oracle RMAN]), encrypted database exports (using the Data Pump feature of Oracle Database), and redo logs (using Oracle Active Data Guard). Database VMs can use a shared-wallet approach by leveraging the Oracle Solaris PKCS#11 keystore or to create a directory on the ACFS share storage so that the wallet can be shared across the databases residing on VMs. Using a shared, centralized keystore at each compute node enables the system to better manage, maintain, and rotate the keys of Oracle TDE in Oracle Grid infrastructure based clustered database architectures, because the keys are synchronized across each of the nodes in the cluster. MiniCluster also features secure deletion of VMs and associated ZFS data sets by having the encryption policy and key management at that ZFS data set (file system / ZVOL) level to provide assured delete through key destruction.