29 Configuring Data Privacy
This chapter includes the following sections:
29.1 Introduction to Table Space Encryption
Oracle Database Transparent Data Encryption (TDE), a component of Oracle Advanced Security, transparently encrypts data when it is written to disk and decrypts it when it is read back by an authorized user. TDE helps protect data stored on media if the storage media or a data file is stolen. Applications do not have to be modified, and the encryption of data on the storage media is transparent to users.
Oracle Database 11g Advanced Security Transparent Data Encryption introduced support for encryption of database table spaces. All objects created in an encrypted tablespace are automatically encrypted. All data in an encrypted tablespace is stored in encrypted format on the disk. Data blocks are transparently decrypted as they are accessed by the Oracle Database. Table space encryption eliminates the foreign key restriction of column encryption and enables index range scans on encrypted data. Note that TDE protects data at rest only: a user who can authenticate to the database with sufficient privileges still reads decrypted data through SQL. Restricting that kind of access is the subject of the Oracle Database Vault sections later in this chapter.
29.2 Enabling and Disabling Table Space Encryption
You can enable or disable table space encryption on Oracle Database used by Oracle Internet Directory.
Refer to the following topics:
29.2.1 Configuring First-time Settings for Table Space Encryption
If you are configuring table space encryption for the first time, follow this procedure:
- Make a cold backup of the Oracle Databases that are used by the Oracle Internet Directory instances.
- Make sure the JavaVM and XML Developer's Kit components (COMP_ID values JAVAVM and XML in DBA_REGISTRY) are installed in the database Oracle home. To verify, run the following query in SQL*Plus and confirm that both components are listed with status VALID:
SELECT comp_id, status FROM dba_registry;
Then execute the following PL/SQL procedure:
EXEC sys.dbms_metadata_util.load_stylesheets
- Log in to SQL*Plus as a user who can grant system privileges, such as SYSTEM, and grant the ODS user the privilege to create directory objects:
GRANT CREATE ANY DIRECTORY TO ods;
- Log in to SQL*Plus as the ODS user and create the directory object and the log directory object that the Oracle Data Pump utility uses for its dump files and log files:
CREATE OR REPLACE DIRECTORY directory_object_name AS 'directory_path';
CREATE OR REPLACE DIRECTORY log_directory_object_name AS 'log_directory_path';
- Create directory_path and log_directory_path in the file system of the database host. Both must be readable and writable by the operating system user that runs the database, because Data Pump runs inside the database server process.
- Set the database wallet location in the sqlnet.ora of the database Oracle home.
Note: Do not confuse the database wallet with the Oracle Internet Directory wallet described in Configuring Secure Sockets Layer (SSL). Oracle recommends that you use a separate wallet exclusively for table space encryption.
  - To use a separate database wallet for table space encryption, set the parameter ENCRYPTION_WALLET_LOCATION in sqlnet.ora. For example:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/install/db11g/dbs)))
  - To use the same database wallet shared by all Oracle components, set the parameter WALLET_LOCATION in sqlnet.ora. For example:
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/install/db11g/dbs)))
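The following SQL*Plus session is an added example; it is not part of the Oracle documentation or of the Oracle Internet Directory scripts. It shows what the prepared wallet is for: creating the master key, opening the wallet, creating an encrypted tablespace, and verifying the result. The wallet password, the tablespace name and the datafile path are assumptions. Run it as SYSDBA after ENCRYPTION_WALLET_LOCATION has been set in sqlnet.ora.

```sql
-- Added example (not from the original page). Assumed values: the wallet
-- password, the tablespace name OID_ENCRYPTED_TS and the datafile path.

-- Creates the wallet in the ENCRYPTION_WALLET_LOCATION directory if none
-- exists, sets the TDE master key and leaves the wallet open.
-- Caution: re-running this against an existing wallet generates a new
-- master key (a rekey); back up the wallet directory first.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "ChangeMe-Wallet-Pw-1";

-- The wallet is closed by every instance restart and encrypted tablespaces
-- are unreadable until it is reopened (unless an auto-login wallet is used).
-- Running this while the wallet is already open fails with ORA-28354.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "ChangeMe-Wallet-Pw-1";

-- Check: STATUS must be OPEN and WRL_PARAMETER must be the directory that
-- sqlnet.ora points at, not some other wallet picked up by accident.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- An existing tablespace cannot be converted in place in 11g: create an
-- encrypted tablespace and move the data into it. That is why the procedure
-- above prepares Data Pump directory objects for an export/import.
CREATE TABLESPACE oid_encrypted_ts
  DATAFILE '/u01/oradata/oid/oid_encrypted01.dbf' SIZE 200M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Verify: ENCRYPTED = YES in the dictionary view ...
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'OID_ENCRYPTED_TS';

-- ... and the algorithm actually in use on each encrypted tablespace.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Any segment later created in OID_ENCRYPTED_TS is encrypted without an ENCRYPT clause on its columns, which is the property the chapter describes. Keep the wallet on a separate, access-controlled path from the data files: a copy of the data files together with the wallet and its password is equivalent to the clear data.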
29.3 Introduction to Using Database Vault With Oracle Internet Directory
Oracle Internet Directory enforces access control in the LDAP protocol layer. However, a privileged database user such as a DBA can normally access the Oracle Internet Directory data in the underlying database by using SQL*Plus, bypassing LDAP access control entirely.
You can use Oracle Database Vault to prevent unauthorized access to Oracle Internet Directory data by a privileged user. To do so, you must install and enable Oracle Database Vault, set up a Database Vault realm containing the ODS database schema used by Oracle Internet Directory, and set up a policy to allow only the ODS database account to access the data.
See Also:
- Oracle Database 2 Day + Security Guide for a quick guide to installing, enabling, and disabling Oracle Database Vault
- Oracle Database Vault Administrator's Guide for detailed information about administering Oracle Database Vault
29.4 Configuring Oracle Database Vault to Protect Oracle Internet Directory Data
You must install and register Oracle Database Vault before you configure it for Oracle Internet Directory. You install Database Vault as part of the Oracle Database installation.
The following sections explain this further:
- Registering Oracle Database Vault with Oracle Internet Directory for First Time
- Knowing Whether Oracle Database Vault is Registered with Oracle Database
- Installing Bug Patches for Existing Oracle Database Vault Registration
- Enabling SQL*Plus Access to the Oracle Internet Directory Database
- Blocking SQL*Plus Access to the Oracle Internet Directory Database
- Deleting Database Vault Policies For Oracle Internet Directory
- Disabling Oracle Database Vault for the Oracle Internet Directory Database
29.4.1 Registering Oracle Database Vault with Oracle Internet Directory for First Time
If Oracle Database Vault is not registered with your Oracle Database 11g, proceed as follows:
- Install Oracle Internet Directory as described in Verifying OID Installation in Installing and Configuring Oracle Internet Directory.
- Register Oracle Database Vault as described in Registering Oracle Database Vault with an Oracle Database in Oracle Database Vault Administrator's Guide.
- If the Oracle Database version is 11.1.0.7, download and install the patch for Bug 7244497. This is not necessary for later versions of Oracle Database.
- If the Oracle Database version is 11.1.0.7, download and install the patch for Bug 7291157. This is not necessary for later versions of Oracle Database.
29.4.2 Knowing Whether Oracle Database Vault is Registered with Oracle Database
You can find out whether Oracle Database Vault is registered with your Oracle Database 11g by running a SQL query.
At a SQL*Plus prompt, type:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If the query returns the Oracle Database Vault row with VALUE set to TRUE, then Oracle Database Vault has been installed and registered. Note that the parameter name in the query is case-sensitive.
29.4.3 Installing Bug Patches for Existing Oracle Database Vault Registration
Follow the instructions given here to install the bug patches for an existing Oracle Database Vault registration.
If Oracle Database Vault was already registered with your Oracle Database, proceed as follows:
- Disable Oracle Database Vault, if it is enabled. See the appendix "Disabling and Enabling Oracle Database Vault" in Oracle Database Vault Administrator's Guide.
- Install Oracle Internet Directory as described in Verifying Oracle Internet Directory Installation in Installing and Configuring Oracle Internet Directory.
- Enable Database Vault as described in Enabling Oracle Database Vault in Oracle Database Vault Administrator's Guide.
- Download and install the patch for Bug 7244497 if you are using Oracle Database 11.1.0.7.
- Download and install the patch for Bug 7291157 if you are using Oracle Database 11.1.0.7.
29.4.4 Adding Database Vault Realm to Apply Policies
Oracle Internet Directory provides scripts to apply the required Database Vault policies. These scripts are located in the Oracle Internet Directory installation under $ORACLE_HOME/ldap/datasecurity.
To apply the Database Vault policies to the Oracle Internet Directory database, you must create the default Database Vault realm for Oracle Internet Directory, as follows:
29.4.5 Enabling SQL*Plus Access to the Oracle Internet Directory Database
The policies in dbv_create_oid_policies.sql completely disable SQL*Plus access to the Oracle Internet Directory database.
For some tasks, you might require SQL*Plus access to the database by the ODS user. If so, enable SQL*Plus access to the Oracle Internet Directory database from a specific host or hosts only. Keep that list of hosts as short as possible: a SQL*Plus session from one of those addresses that authenticates as ODS reads directory data without any LDAP access control.
To enable connectivity to the Oracle Internet Directory database, follow these steps:
- Open dbv_oid_rule_sqlplus.sql in a text editor. Replace the dummy IP address in the Check ods connections 3 rule with the IP addresses of the hosts from which to allow SQL*Plus access to the Oracle Internet Directory database.
- Connect to the database as the Database Vault owner and execute dbv_oid_rule_sqlplus.sql.
29.4.6 Blocking SQL*Plus Access to the Oracle Internet Directory Database
You can block SQL*Plus access to the Oracle Internet Directory database by running the script described here.
If you want to block SQL*Plus access to the Oracle Internet Directory database completely at some point, connect to the database as the Database Vault owner and execute dbv_oid_delete_rule_sqlplus.sql.
29.4.7 Database Vault Rules Defined for Oracle Internet Directory
The name of the Database Vault realm that Oracle Internet Directory uses is OID Realm. You can verify that the realm exists by querying the DBA_DV_REALM data dictionary view. Configuring Command Rules in Oracle Database Vault Administrator's Guide explains how to use the Database Vault data dictionary views; this section describes the views that report Oracle Internet Directory-related information.
The Database Vault rules defined for Oracle Internet Directory are Check ods connections, Check ods connections 2, Check odssm connections, and Allow other connections. If you ran dbv_oid_rule_sqlplus.sql, the rule Check ods connections 3 is also defined. These rules belong to a rule set named OID App Access. To list the rules that currently exist, query the DBA_DV_RULE_SET_RULE view.
A CONNECT command rule references this rule set, so the rule set is evaluated on every connection attempt. You can verify this by querying the DBA_DV_COMMAND_RULE view. Running the Oracle Internet Directory scripts on an existing Oracle Database Vault installation does not overwrite CONNECT command rules that already exist.
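The following queries are an added example, not part of the Oracle Internet Directory scripts, for checking the objects this section describes and the rule added by the procedure in Enabling SQL*Plus Access to the Oracle Internet Directory Database. They use the realm and rule set names given above; the DVSYS-owned views require the DV_OWNER or DV_SECANALYST role. The last query shows the session attributes a host-based rule typically evaluates, which is worth looking at before editing the placeholder address in dbv_oid_rule_sqlplus.sql.

```sql
-- Added example (not from the original page). Run as a user holding
-- DV_OWNER or DV_SECANALYST. Realm and rule set names are the ones the
-- page documents; the expected contents are stated as comments.

-- 1. The realm exists and is enabled (ENABLED = 'Y').
SELECT name, enabled
  FROM dvsys.dba_dv_realm
 WHERE name = 'OID Realm';

-- 2. Which schema objects the realm protects (expect the ODS schema).
SELECT owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'OID Realm';

-- 3. Who is authorized in the realm (expect only the ODS account).
--    Any additional grantee here is a hole in the policy.
SELECT grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'OID Realm';

-- 4. The rules in the OID rule set, in evaluation order. After running
--    dbv_oid_rule_sqlplus.sql a 'Check ods connections 3' row appears;
--    RULE_EXPR shows the exact expression, including the IP addresses.
SELECT rule_order, rule_name, enabled, rule_expr
  FROM dvsys.dba_dv_rule_set_rule
 WHERE rule_set_name = 'OID App Access'
 ORDER BY rule_order;

-- 5. The CONNECT command rule that triggers the rule set.
SELECT command, rule_set_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE command = 'CONNECT';

-- 6. What the database sees for the current session. A host restriction is
--    normally written against IP_ADDRESS; it is NULL for local (bequeath)
--    connections, so such a rule cannot distinguish local SQL*Plus sessions
--    by address. Run this from the host you intend to allow.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS')   AS client_ip,
       SYS_CONTEXT('USERENV', 'HOST')         AS client_host,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS db_user,
       SYS_CONTEXT('USERENV', 'MODULE')       AS client_module
  FROM dual;
```

Queries 1 to 5 should be repeated after any Database Vault disable/enable cycle (see Best Practices below), since that is when policies most often end up missing or altered.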
29.4.8 Deleting Database Vault Policies For Oracle Internet Directory
You can delete the Database Vault policies for Oracle Internet Directory by running a script.
To remove the Database Vault policies for OID installed in the prior section, execute dbv_delete_oid_policies.sql while connected to the database as the Database Vault owner.
29.4.9 Disabling Oracle Database Vault for the Oracle Internet Directory Database
You can disable Oracle Database Vault for the Oracle Internet Directory database.
See Disabling and Enabling Oracle Database Vault in Oracle Database Vault Administrator's Guide.
29.5 Best Practices for Using Database Vault with Oracle Internet Directory
The following administrative tasks require special attention when Oracle Database Vault is in use:
- Upgrading products and installing patchsets: disable Oracle Database Vault before performing Oracle Internet Directory or Oracle Database upgrades or patchset installations. Enable Oracle Database Vault again after the upgrade or installation is complete.
- Bulk loading data: when Oracle Database Vault is enabled, the SQL*Loader direct path mode is unavailable, which reduces the performance of the bulkload tool. Disable Oracle Database Vault before using bulkload to load more than 100KB of data or more than one million entries. Enable Oracle Database Vault again after the operation is complete.
While Oracle Database Vault is disabled, privileged database users can read the Oracle Internet Directory data again, so keep that window short and limit who has database access during it.
29.6 Introduction to Sensitive Attributes
Oracle Internet Directory stores sensitive attributes in an encrypted format.
Examples of sensitive attributes are orclpasswordattribute, orclrevpwd, the plug-in attribute orclpluginsecuredflexfield, and the server chaining attribute orclOIDSCExtPassword.
The following sections explain sensitive attributes further:
29.6.1 List of Sensitive Attributes
The list of sensitive attributes is stored in the attribute orclencryptedattributes
in the DSA configuration entry.
The list is shown in Table 29-1.
Table 29-1 Sensitive Attributes Stored in orclencryptedattributes
Sensitive Attribute | Attribute Usage |
---|---|
| Sensitive attributes passed to a plug-in. See Table 46-1. |
| Server admin password for plug-in connection. See Table 46-1. |
| Plug-in sslwallet password. See Configuring Directory Server Chaining. |
| User password in reversible encrypted format. See Managing Password Verifiers. |
| Encrypted reversible password NOT synchronized with the related userpassword. See Managing Password Verifiers. |
| Oracle Directory Integration Platform: Information used to connect to an application for event propagation. |
| Oracle Directory Integration Platform: Used by third-party directory to connect to directory. |
| Oracle Directory Integration Platform: Password that the synchronization profile uses to bind to the directory. |
For information about the last three entries, see the LDAP Attribute Reference chapter in Reference for Oracle Identity Management.
The orcldataprivacymode attribute controls whether these attributes are returned in encrypted form. When orcldataprivacymode is enabled, the sensitive attributes are returned encrypted; when privacy mode is disabled, the sensitive data is returned in the clear.
If you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.
Note:
The attributes in Table 29-1 are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.
29.6.2 Encryption Algorithm for Sensitive Attributes
Prior to 11g Release 1 (11.1.1.4.0), Oracle Internet Directory used the 3DES encryption algorithm for the storage of sensitive attributes. As of 11g Release 1 (11.1.1.4.0), Oracle Internet Directory uses AES-256.
Customers who have patched their systems from an earlier release might already have stored values encrypted with the 3DES algorithm. In such cases, the following rules apply:
- At decryption time, Oracle Internet Directory uses the appropriate algorithm (3DES or AES-256) to decrypt the value.
- At encryption time, Oracle Internet Directory always encrypts using AES-256.
This ensures that, over time, all encrypted values are converted to AES-256. The conversion happens only when a value is written again; a value that is never rewritten stays encrypted with 3DES.
29.7 Enabling Privacy Mode of Sensitive Attributes
Privacy mode is disabled by default. That is, the value of orcldataprivacymode is 0.
To protect sensitive attribute values, enable privacy mode by changing the value of orcldataprivacymode from 0 to 1 in the DSA configuration entry.
To enable privacy mode, use an LDIF file containing the following entry:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
replace: orcldataprivacymode
orcldataprivacymode: 1
Load the LDIF file with a command line similar to this:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -v -f LDIF_file_name
29.8 Knowing Privacy Mode Status of Sensitive Attributes
To determine the value of orcldataprivacymode, perform the following search:
$ORACLE_HOME/bin/ldapsearch -h host -p port -D cn=orcladmin -q \
-b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base \
"objectclass=*" orcldataprivacymode
29.9 Introduction to Hashed Attributes
Unlike encryption, hashing is a one-way operation. It is not possible to derive the original value from the hashed value.
Oracle Internet Directory supports hashed attributes in addition to sensitive attributes. The list of hashed attributes is contained in orclhashedattributes, a multivalued attribute of the DSA configuration entry. Hashing is performed using the cryptographic scheme set in the root DSE attribute orclcryptoscheme.
LDAP operations and bulkload automatically perform the transformations described in Table 29-2. You cannot use the bulkmodify command with hashed attributes.
Table 29-2 LDAP and Bulk Operations on Attributes in orclhashedattributes
Operation | When incoming attribute value is already hashed | When incoming attribute value is not yet hashed |
---|---|---|
Add | Use value as it is. | Hash incoming value by using the scheme in orclcryptoscheme. |
Modify | Use value as it is. | For an add or replace operation, hash incoming value by using the scheme in orclcryptoscheme. For a delete operation, hash the incoming value using the crypto scheme that was in use at the time the attribute was stored in the directory, then perform the operation. |
Compare | Compare incoming value with value stored in directory. | Hash the incoming value by using the crypto scheme that was in use at the time the attribute was stored in the directory and then compare it with the stored value. |
bulkload | Use value as it is. | Hash incoming value by using the scheme in orclcryptoscheme. |
bulkmodify | Do not allow. | Do not allow. |
Note:
- Never include the same attribute in both orclhashedattributes and orclencryptedattributes.
- Only single-valued attributes can be hashed attributes.
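The following PL/SQL block is an added example and is not Oracle Internet Directory code. It models the Table 29-2 rules for a hashed attribute with two LDAP-style schemes, {SHA} and {SSHA}, so the role of the scheme tag can be seen: a value that arrives already hashed is stored untouched, a clear value is hashed with the current scheme, and a compare or delete hashes the incoming clear value with the scheme the stored value was written under, even when that scheme is no longer the current one. The scheme names, the byte layout of {SSHA} (the common LDAP convention, digest followed by salt) and the sample values are assumptions; the block needs EXECUTE on DBMS_CRYPTO, which is not granted to PUBLIC.

```sql
-- Added example (not OID code). Assumptions: current_scheme stands in for
-- orclcryptoscheme, {SHA}/{SSHA} layouts follow the usual LDAP convention,
-- the sample values are made up. Run in SQL*Plus with EXECUTE on DBMS_CRYPTO.
SET SERVEROUTPUT ON
DECLARE
  current_scheme CONSTANT VARCHAR2(10) := 'SSHA';   -- the scheme in force now
  old_sha        VARCHAR2(200);
  new_ssha       VARCHAR2(200);

  -- Scheme tag of a value, or NULL when the value is not yet hashed
  FUNCTION scheme_of(v IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN UPPER(REGEXP_SUBSTR(v, '^\{([A-Za-z0-9]+)\}', 1, 1, NULL, 1));
  END;

  FUNCTION b64(r IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(r));
  END;

  FUNCTION unb64(s IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN UTL_ENCODE.BASE64_DECODE(UTL_RAW.CAST_TO_RAW(s));
  END;

  -- {SHA}  = base64(sha1(value))
  -- {SSHA} = base64(sha1(value || salt) || salt)
  FUNCTION hash_with(scheme IN VARCHAR2, v IN VARCHAR2, salt IN RAW)
    RETURN VARCHAR2 IS
    dgst RAW(20);
  BEGIN
    IF scheme = 'SHA' THEN
      dgst := DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(v), DBMS_CRYPTO.HASH_SH1);
      RETURN '{SHA}' || b64(dgst);
    ELSIF scheme = 'SSHA' THEN
      dgst := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(v), salt),
                               DBMS_CRYPTO.HASH_SH1);
      RETURN '{SSHA}' || b64(UTL_RAW.CONCAT(dgst, salt));
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'unsupported scheme: ' || NVL(scheme, 'NULL'));
    END IF;
  END;

  -- Add, or modify add/replace: already hashed -> stored as is,
  -- otherwise hashed with the current scheme and a fresh salt.
  FUNCTION store_value(incoming IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF scheme_of(incoming) IS NOT NULL THEN
      RETURN incoming;
    END IF;
    RETURN hash_with(current_scheme, incoming, DBMS_CRYPTO.RANDOMBYTES(8));
  END;

  -- Compare, or modify delete: hash the incoming clear value with the scheme
  -- the stored value was written under, recovering the salt from it.
  FUNCTION matches(incoming IN VARCHAR2, stored IN VARCHAR2) RETURN BOOLEAN IS
    stored_scheme VARCHAR2(10) := scheme_of(stored);
    decoded       RAW(256);
    salt          RAW(64);
  BEGIN
    IF scheme_of(incoming) IS NOT NULL THEN
      RETURN incoming = stored;                 -- already hashed: literal compare
    END IF;
    IF stored_scheme = 'SSHA' THEN
      decoded := unb64(SUBSTR(stored, 7));      -- drop the '{SSHA}' tag
      salt    := UTL_RAW.SUBSTR(decoded, 21);   -- bytes after the 20-byte digest
    END IF;
    RETURN hash_with(stored_scheme, incoming, salt) = stored;
  END;
BEGIN
  old_sha  := hash_with('SHA', 'Secret42', NULL);  -- stored while the scheme was SHA
  new_ssha := store_value('Secret42');             -- stored now, under SSHA
  DBMS_OUTPUT.PUT_LINE('pre-hashed value kept as is: '
    || CASE WHEN store_value(old_sha) = old_sha THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('old SHA value still compares: '
    || CASE WHEN matches('Secret42', old_sha) THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('new SSHA value compares: '
    || CASE WHEN matches('Secret42', new_ssha) THEN 'yes' ELSE 'no' END);
  DBMS_OUTPUT.PUT_LINE('wrong value rejected: '
    || CASE WHEN matches('Secret43', new_ssha) THEN 'no' ELSE 'yes' END);
END;
/
```

The "use value as it is" rule in Table 29-2 has a consequence worth keeping in mind: a client with write access to a hashed attribute can store a hash it computed itself, under any scheme the server recognizes, so orclcryptoscheme governs only values that arrive in the clear. Review write access to hashed attributes with that in mind.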
29.10 Configuring Hashed Attributes
You can manage the list of attributes in orclhashedattributes by using Oracle Enterprise Manager Fusion Middleware Control or the command line.
The following sections explain this configuration further:
29.10.1 Configuring Hashed Attributes by Using Fusion Middleware Control
You can configure hashed attributes by using the Shared Properties page in Oracle Enterprise Manager Fusion Middleware Control.
Select Administration, then Shared Properties from the Oracle Internet Directory menu.
29.10.2 Configuring Hashed Attributes by Using ldapmodify
To configure hashed attributes by using the command line, add the attribute names to the DSA configuration entry's multivalued attribute orclhashedattributes.
For example, the following LDIF file adds three attributes to orclhashedattributes.
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclhashedattributes
orclhashedattributes: attributeName1
orclhashedattributes: attributeName2
orclhashedattributes: attributeName3
Load the LDIF file with a command line similar to this:
$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -v -f LDIF_file_name