28 Configuring Data Privacy

This chapter describes data privacy and explains how Oracle Internet Directory protects data after it is received (since data is protected by SSL during transmission). Specifically, it covers enabling and disabling table space encryption using Oracle Database Transparent Data Encryption (TDE), configuring Oracle Database Vault to protect Oracle Internet Directory data, and configuring sensitive and hashed attributes.


28.1 Introduction to Table Space Encryption

Oracle Database Transparent Data Encryption (TDE), a component of Oracle Enterprise User Security, transparently encrypts data when it is written to disk and decrypts it when it is read back to the authorized user. TDE helps protect data stored on media if the storage media or data file is stolen. Applications do not have to be modified, and the data encryption on the storage media is transparent to users.

Oracle Database 11g Advanced Security Transparent Data Encryption introduced support for encryption of database table spaces. All objects created in an encrypted tablespace are automatically encrypted. All data in an encrypted tablespace is stored in encrypted format on the disk. Data blocks are transparently decrypted as they are accessed by the Oracle Database. Table space encryption eliminates the foreign key restriction of column encryption and enables index range scans on encrypted data.

28.2 Enabling and Disabling Table Space Encryption

To enable or disable table space encryption on Oracle Databases used by Oracle Internet Directory, follow these steps:

Note:

If you have previously enabled and disabled table space encryption, and you are enabling it again, skip to Step 7.

  1. Make a cold backup of the Oracle Databases that are used by the Oracle Internet Directory instances.

  2. Make sure you have the JavaVM and XML Developer's Kit packages installed in the database Oracle home.

    To verify whether the specified packages are installed, execute the following SQL*Plus command:

    SELECT comp_id, status FROM dba_registry;

    Then execute the following PL/SQL procedure:

    EXEC sys.dbms_metadata_util.load_stylesheets;

  3. Log in to SQL*Plus as a user who has the SYSTEM privilege and execute the following command:

    GRANT CREATE ANY DIRECTORY TO ods; 
    
  4. Create the directory object and the log directory object that the Oracle Data Pump utility uses for its dump files and log files. Log in to SQL*Plus as the ODS user and execute the following commands:

    CREATE OR REPLACE DIRECTORY directory_object_name AS 'directory_path';
    CREATE OR REPLACE DIRECTORY log_directory_object_name AS 'log_directory_path';

  5. Create directory_path and log_directory_path in the file system.

  6. Set the database wallet location in the sqlnet.ora of the database Oracle home.

    Note:

    Do not confuse the database wallet with the Oracle Internet Directory wallet described in Chapter 27.

    Oracle recommends that you use a separate wallet exclusively for table space encryption.

    1. To use a separate database wallet for table space encryption, set the parameter ENCRYPTION_WALLET_LOCATION in sqlnet.ora. For example:

      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/install/db11g/dbs)))
      
    2. To use the same database wallet shared by all Oracle components, set the parameter WALLET_LOCATION in sqlnet.ora. For example:

      WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/install/db11g/dbs))) 
      
  7. Shut down all the Oracle Internet Directory instances that are using the Oracle Database Oracle home.

  8. If you are enabling table space encryption for the first time in the Oracle Database Oracle home, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY yourwalletpassword;
    
  9. Whenever the Oracle Database is shut down and restarted, log in to SQL*Plus as a user who has the ALTER SYSTEM privilege and execute the following command:

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY yourwalletpassword;
    

    Be sure to execute the command before starting Oracle Internet Directory and before running the Perl script shown in Step 12.

  10. Set the environment variable ORACLE_HOME to the Oracle Database home.

  11. Set the environment variable NLS_LANG to the character set of the Oracle Database server.

  12. Edit the path of the perl5 executable in the Perl script ORACLE_HOME/ldap/datasecurity/oidtbltde.pl so that it matches the location of perl5 on your computer.

  13. If you have not already done so, install the database independent interface module for Perl (DBI) and the Oracle DBD driver for Perl.

  14. Run the Perl script oidtbltde.pl to enable or disable TDE for Oracle Internet Directory.
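Step 6 leaves the choice between a dedicated ENCRYPTION_WALLET_LOCATION and the shared WALLET_LOCATION to the administrator. The following Python script is an added example, not part of this guide and not an Oracle utility: it parses the nested parenthesised syntax that sqlnet.ora uses for these two parameters and reports whether table space encryption has a wallet directory of its own, as recommended above. The sqlnet.ora fragment embedded in the script is constructed for the example, and the directory /install/db11g/tde_wallet is an assumed path.

```python
"""Check the TDE wallet setup in sqlnet.ora (Step 6 of the table space
encryption procedure). Added example; not an Oracle utility."""
import os
import re

# Constructed sqlnet.ora fragment for the example; /install/db11g/tde_wallet is
# an assumed path, not one created by the procedure above.
SAMPLE_SQLNET_ORA = """
# sqlnet.ora Network Configuration File
SQLNET.AUTHENTICATION_SERVICES = (NTS)

WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /install/db11g/dbs)))

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /install/db11g/tde_wallet)))
"""

_PARAM = re.compile(r"\s*([A-Za-z0-9_.]+)\s*=")


def _parse_value(text, pos):
    """Parse the value that follows '='. A run of (NAME=...) nodes becomes a
    dict (a bare (TOKEN) maps to None); anything else is a token that ends at
    ')' or end of line. Returns (value, position just after the value)."""
    while pos < len(text) and text[pos].isspace():
        pos += 1
    if pos < len(text) and text[pos] == "(":
        nodes = {}
        while pos < len(text) and text[pos] == "(":
            eq, close = text.find("=", pos), text.find(")", pos)
            if eq == -1 or close < eq:              # bare item such as (NTS)
                nodes[text[pos + 1:close].strip().upper()] = None
                pos = close + 1
            else:
                name = text[pos + 1:eq].strip().upper()
                nodes[name], pos = _parse_value(text, eq + 1)
                pos += 1                            # consume this node's ')'
            while pos < len(text) and text[pos].isspace():
                pos += 1
        return nodes, pos
    end = pos
    while end < len(text) and text[end] not in ")\r\n":
        end += 1
    return text[pos:end].strip(), end


def parse_sqlnet(text):
    """Return {PARAMETER: value} for the top-level entries of a sqlnet.ora text."""
    text = re.sub(r"#[^\n]*", "", text)             # drop comments
    params, pos = {}, 0
    m = _PARAM.match(text, pos)
    while m:
        params[m.group(1).upper()], pos = _parse_value(text, m.end())
        m = _PARAM.match(text, pos)
    return params


def _file_wallet_dir(params, name):
    """DIRECTORY of a FILE-method wallet parameter, or None if it is not set that way."""
    try:
        source = params[name]["SOURCE"]
        if source["METHOD"].upper() != "FILE":
            return None
        return source["METHOD_DATA"]["DIRECTORY"]
    except (KeyError, TypeError, AttributeError):
        return None


def check_tde_wallet(sqlnet_text):
    """Classify the wallet configuration that TDE will use:
    'separate' - ENCRYPTION_WALLET_LOCATION has its own directory (recommended)
    'shared'   - only WALLET_LOCATION is set, so TDE shares the common wallet
    'same-dir' - both are set but point at the same directory
    'missing'  - no FILE wallet directory is configured at all"""
    params = parse_sqlnet(sqlnet_text)
    shared = _file_wallet_dir(params, "WALLET_LOCATION")
    tde = _file_wallet_dir(params, "ENCRYPTION_WALLET_LOCATION")
    if tde is None:
        return "missing" if shared is None else "shared"
    if shared is not None and os.path.normpath(shared) == os.path.normpath(tde):
        return "same-dir"
    return "separate"


if __name__ == "__main__":
    print(check_tde_wallet(SAMPLE_SQLNET_ORA))  # separate
```

To check a real file, pass its contents to check_tde_wallet. A result of shared or same-dir means the TDE master key is kept in the wallet that other Oracle components also open, which is the configuration the recommendation in Step 6 advises against.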

28.3 Introduction to Using Database Vault With Oracle Internet Directory

Oracle Internet Directory enforces access control in the LDAP protocol layer. However, a privileged user such as a DBA can normally access the Oracle Internet Directory data in the underlying database by using SQL*Plus.

You can use Oracle Database Vault to prevent unauthorized access to Oracle Internet Directory data by a privileged user. To do so, you must install and enable Oracle Database Vault, set up a Database Vault realm containing the ODS database schema used by Oracle Internet Directory, and set up a policy to allow only the ODS database account to access the data.

See Also:

  • Oracle Database 2 Day + Security Guide for a quick guide to installing, enabling, and disabling Oracle Database Vault

  • Oracle Database Vault Administrator's Guide for detailed information about administering Oracle Database Vault

28.4 Configuring Oracle Database Vault to Protect Oracle Internet Directory Data

You must install and register Oracle Database Vault before you configure it for Oracle Internet Directory. You install Database Vault as part of the Oracle Database installation.

28.4.1 Registering Oracle Database Vault

If you do not know whether Oracle Database Vault was registered with your Oracle Database 11g, type:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

at a SQL*Plus prompt. If the query returns Oracle Database Vault, then Oracle Database Vault has been installed and registered. Note that the query is case-sensitive.

If Oracle Database Vault is not registered with your Oracle Database 11g, proceed as follows:

  1. Install Oracle Internet Directory as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  2. Register Oracle Database Vault as described in Oracle Database Vault Administrator's Guide.

  3. If the Oracle Database version is 11.1.0.7, download and install the patch for Bug 7244497. This is not necessary for later versions of Oracle Database.

  4. If the Oracle Database version is 11.1.0.7, download and install the patch for Bug 7291157. This is not necessary for later versions of Oracle Database.

If Oracle Database Vault was registered with your Oracle Database, proceed as follows:

  1. Disable Oracle Database Vault, if it is enabled. See the appendix entitled "Disabling and Enabling Oracle Database Vault" in Oracle Database Vault Administrator's Guide.

  2. Install Oracle Internet Directory as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  3. Enable Database Vault as described in the Oracle Database Vault Administrator's Guide.

  4. Download and install the patch for Bug 7244497 if you are using Oracle Database 11.1.0.7.

  5. Download and install the patch for Bug 7291157 if you are using Oracle Database 11.1.0.7.

28.4.2 Adding a Database Vault Realm and Policies for Oracle Internet Directory

Oracle Internet Directory provides scripts to apply the required Database Vault policies. These scripts are located in the Oracle Internet Directory installation under $ORACLE_HOME/ldap/datasecurity.

To apply the Database Vault policies to the Oracle Internet Directory database, you must create the default Database Vault realm for Oracle Internet Directory, as follows:

  1. Open dbv_oid_rule.sql in a text editor and replace the dummy IP address in the Check ods connections and Check ods connections 2 rules with the IP address of the computer where Oracle Internet Directory is running.

  2. Connect to the database as the Database Vault owner and execute dbv_create_oid_policies.sql.

The policies in dbv_create_oid_policies.sql completely disable SQL*Plus access to the Oracle Internet Directory database. For some tasks, you might require SQL*Plus access to the database by the ODS user. If so, enable SQL*Plus access to the Oracle Internet Directory Database from a specific host or hosts only.

To enable connectivity to the Oracle Internet Directory Database, follow these steps:

  1. Open dbv_oid_rule_sqlplus.sql in a text editor. Replace the dummy IP address in Check ods connections 3 rule with the IP addresses of the hosts from which to allow SQL*Plus access to Oracle Internet Directory Database.

  2. Connect to the database as the Database Vault owner and execute dbv_oid_rule_sqlplus.sql.

If you want to block SQL*Plus access completely to the Oracle Internet Directory database at some point, connect to the Database as the Database Vault owner and execute dbv_oid_delete_rule_sqlplus.sql.

28.4.3 Managing Oracle Database Vault Configuration for Oracle Internet Directory

The "Oracle Database Vault Objects" chapter in the Oracle Database Vault Administrator's Guide explains how to use data dictionary views. This section describes some views that report Oracle Internet Directory-related information.

The name of the Database Vault realm that Oracle Internet Directory uses is OID Realm. You can verify that the realm exists by querying the DBA_DV_REALM data dictionary view.

The Database Vault rules defined for Oracle Internet Directory are Check ods connections, Check ods connections 2, Check odssm connections, and Allow other connections. If you ran dbv_oid_rule_sqlplus.sql, the rule Check ods connections 3 is also defined. These rules are added to a rule set named OID App Access. To check the names of the existing rules, query the DBA_DV_RULE_SET_RULE view.

A CONNECT command rule fires this rule set. You can verify this by querying the DBA_DV_COMMAND_RULE view. This CONNECT rule does not overwrite existing CONNECT command rules when you run the Oracle Internet Directory scripts on an existing Oracle Database Vault installation.

28.4.4 Deleting Database Vault Policies For Oracle Internet Directory

To remove the Database Vault policies for OID installed in the prior section, execute dbv_delete_oid_policies.sql while connected to the database as the Database Vault Owner.

28.4.5 Disabling Oracle Database Vault for the Oracle Internet Directory Database

See the appendix entitled "Enabling and Disabling Oracle Database Vault" in Oracle Database Vault Administrator's Guide.

28.5 Best Practices for Using Database Vault with Oracle Internet Directory

The following administrative tasks require special attention when Oracle Database Vault is in use:

  • Upgrading Products and Installing Patchsets–disable Oracle Database Vault before performing Oracle Internet Directory or Oracle Database upgrades or patchset installations. Enable Oracle Database Vault again after the upgrade or installation is complete.

  • Bulk Loading Data–when Oracle Database Vault is enabled, the SQL*Loader direct path mode is unavailable, which reduces the performance of the bulkload tool. Disable Oracle Database Vault before using bulkload to load more than 100KB of data or more than one million entries. Enable Oracle Database Vault again after the operation is complete.

  • Modifying a Multimaster DRG–before adding or deleting a node in an Oracle Database Advanced Replication-based multimaster directory replication group, disable Oracle Database Vault on that node. Enable Oracle Database Vault again after the operation is complete.

28.6 Introduction to Sensitive Attributes

Oracle Internet Directory stores sensitive attributes in an encrypted format. Examples of sensitive attributes are: orclpasswordattribute, orclrevpwd, the plug-in attribute orclpluginsecuredflexfield and the server chaining attribute orclOIDSCExtPassword.

28.6.1 List of Sensitive Attributes

The list of sensitive attributes is stored in the attribute orclencryptedattributes in the DSA configuration entry. The list is shown in Table 28-1.

Table 28-1 Sensitive Attributes Stored in orclencryptedattributes

Sensitive Attribute                          Attribute Usage
-------------------------------------------  -----------------------------------------------------------------
orclpluginsecuredflexfield                   Sensitive attributes passed to a plug-in. See Chapter 45.
orcloidscextpassword                         Server admin password for plug-in connection. See Chapter 45.
orcloidscwalletpassword                      Plug-in SSL wallet password. See Chapter 38.
orclrevpwd                                   User password in reversible encrypted format. See Chapter 31.
orclunsyncrevpwd                             Encrypted reversible password NOT synchronized with the related userpassword. See Chapter 31.
orclodipprofileinterfaceconnectinformation   Oracle Directory Integration Platform: information used to connect to an application for event propagation.
orclodipcondiraccesspassword                 Oracle Directory Integration Platform: used by a third-party directory to connect to the directory.
orclodipagentpassword                        Oracle Directory Integration Platform: password that the synchronization profile uses to bind to the directory.


For information about the last three entries, see the "Attribute Reference" chapter in Oracle Fusion Middleware Reference for Oracle Identity Management.

The orcldataprivacymode attribute controls whether these attributes are encrypted when the data is received. When orcldataprivacymode is enabled, the sensitive attributes are encrypted. When privacy mode is disabled, the sensitive data is returned in the clear.

If you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.

Note:

The attributes in Table 28-1, "Sensitive Attributes Stored in orclencryptedattributes" are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.

28.6.2 Encryption Algorithm for Sensitive Attributes

Prior to 11g Release 1 (11.1.1.4.0), Oracle Internet Directory used the 3DES encryption algorithm for the storage of sensitive attributes. As of 11g Release 1 (11.1.1.4.0), Oracle Internet Directory uses AES-256.

Customers who have patched their systems from an earlier release might already have stored values encrypted with the 3DES algorithm. In such cases, the following rules apply:

  • At decryption time, Oracle Internet Directory uses the appropriate algorithm (3DES or AES-256) to decrypt the value.

  • At encryption time, Oracle Internet Directory always encrypts using AES-256.

This ensures that, over time, all encrypted values are converted to AES-256.

28.7 Configuring Privacy of Retrieved Sensitive Attributes

Privacy mode is disabled by default. That is, the value of orcldataprivacymode is 0. To provide security protection, you must enable privacy mode by changing the value of orcldataprivacymode from 0 to 1 in the DSA configuration entry.

To determine the value of orcldataprivacymode, perform the following search:

$ORACLE_HOME/bin/ldapsearch -h host -p port -D cn=orcladmin -q \
   -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base \
   "objectclass=*" orcldataprivacymode

To enable privacy mode, use an LDIF file containing the following entries:

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
replace: orcldataprivacymode
orcldataprivacymode: 1

Load the LDIF file with a command line similar to this:

$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -v \
   -f LDIF_file_name

28.8 Introduction to Hashed Attributes

Unlike encryption, hashing is a one-way operation. It is not possible to derive the original value from the hashed value. Oracle Internet Directory supports hashed attributes in addition to sensitive attributes. The list of hashed attributes is contained in orclhashedattributes, a multivalued attribute of the DSA configuration entry. Hashing is performed using the cryptographic scheme set in the root DSE attribute orclcryptoscheme.

LDAP operations and bulkload automatically perform the transformations described in Table 28-2. You cannot use the bulkmodify command with hashed attributes.

Table 28-2 LDAP and Bulk Operations on Attributes in orclhashedattributes

For each operation, the first line gives the behavior when the incoming attribute value is already hashed and the second line gives the behavior when it is not yet hashed.

ldapadd
  Already hashed: Use the value as it is.
  Not yet hashed: Hash the incoming value by using orclcryptoscheme before performing the operation.

ldapmodify
  Already hashed: Use the value as it is.
  Not yet hashed: For an add or replace operation, hash the incoming value by using orclcryptoscheme before performing the operation. For a delete operation, hash the incoming value by using the crypto scheme that was in use at the time the attribute was stored in the directory before performing the operation.

ldapcompare
  Already hashed: Compare the incoming value with the value stored in the directory.
  Not yet hashed: Hash the incoming value by using the crypto scheme that was in use at the time the attribute was stored in the directory, and then compare it with the stored value.

bulkload
  Already hashed: Use the value as it is.
  Not yet hashed: Hash the incoming value by using orclcryptoscheme before performing the operation.

bulkmodify
  Already hashed: Do not allow bulkmodify.
  Not yet hashed: Do not allow bulkmodify.


Notes:

  • Never include the same attribute in both orclhashedattributes and orclencryptedattributes.

  • Only single-valued attributes can be hashed attributes.
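Table 28-2 and the two notes that follow it describe behavior rather than show it. The following Python model is an added example and is not Oracle Internet Directory code: it implements a toy DSA that holds orclcryptoscheme, orclhashedattributes and orclencryptedattributes, applies the "already hashed" and "not yet hashed" rules to ldapadd, ldapmodify, ldapcompare, bulkload and bulkmodify, and rejects the two configurations the notes forbid. The scheme table, the {SCHEME}base64 storage format and the attribute employeePIN are assumptions made for the example; the real server's scheme names and on-disk encoding may differ.

```python
"""Toy model of Table 28-2: how LDAP and bulk operations treat an attribute
listed in orclhashedattributes. Added example; not Oracle Internet Directory code."""
import base64
import hashlib
import os

# Scheme table for the example (orclcryptoscheme name -> hashlib name, salted).
# Constructed subset; the server's own scheme list and storage encoding may differ.
SCHEMES = {"MD5": ("md5", False), "SHA": ("sha1", False),
           "SSHA": ("sha1", True), "SSHA256": ("sha256", True)}


def hash_value(clear, scheme, salt=None):
    """Return '{SCHEME}' + base64(digest [+ salt]) for a clear-text value."""
    algo, salted = SCHEMES[scheme]
    data = clear.encode("utf-8")
    if salted:
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.new(algo, data + salt).digest() + salt
    else:
        digest = hashlib.new(algo, data).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def is_hashed(value):
    """An incoming value counts as 'already hashed' when it carries a known {SCHEME} prefix."""
    return (isinstance(value, str) and value.startswith("{") and "}" in value
            and value[1:value.index("}")].upper() in SCHEMES)


def verify(clear, stored):
    """Hash clear with the scheme (and salt) recorded on the stored value, then compare."""
    scheme = stored[1:stored.index("}")].upper()
    algo, salted = SCHEMES[scheme]
    salt = None
    if salted:  # the salt is the tail that follows the fixed-size digest
        salt = base64.b64decode(stored[stored.index("}") + 1:])[hashlib.new(algo).digest_size:]
    return hash_value(clear, scheme, salt) == stored


class HashedAttributeStore:
    """Minimal DSA: orclcryptoscheme, orclhashedattributes and in-memory entries."""

    def __init__(self, crypto_scheme, hashed_attrs, encrypted_attrs=()):
        hashed = {a.lower() for a in hashed_attrs}
        clash = hashed & {a.lower() for a in encrypted_attrs}
        if clash:  # Note 1: never in both orclhashedattributes and orclencryptedattributes
            raise ValueError("attribute in both lists: %s" % sorted(clash))
        self.scheme, self.hashed_attrs, self.entries = crypto_scheme, hashed, {}

    def _incoming(self, name, value):
        """Apply the two columns of Table 28-2 to a value being added or replaced."""
        if name not in self.hashed_attrs:
            return value
        if isinstance(value, (list, tuple)):  # Note 2: hashed attributes are single-valued
            raise ValueError("%s is hashed and must be single-valued" % name)
        return value if is_hashed(value) else hash_value(value, self.scheme)

    def ldapadd(self, dn, attrs):
        self.entries[dn] = {n.lower(): self._incoming(n.lower(), v) for n, v in attrs.items()}

    def ldapmodify(self, dn, op, name, value):
        """Return the attribute's stored value after the operation (None once deleted)."""
        entry, name = self.entries[dn], name.lower()
        if op in ("add", "replace"):
            entry[name] = self._incoming(name, value)
        elif op == "delete":
            # Delete matches the stored value under the scheme in use when it was stored.
            if not self.ldapcompare(dn, name, value):
                raise LookupError("noSuchAttribute: value does not match %s" % name)
            del entry[name]
        else:
            raise ValueError("unknown modify operation %r" % op)
        return entry.get(name)

    def ldapcompare(self, dn, name, value):
        stored = self.entries[dn][name.lower()]
        if name.lower() not in self.hashed_attrs or is_hashed(value):
            return value == stored                 # already hashed: compare as-is
        return verify(value, stored)               # clear text: use the stored scheme

    def bulkload(self, records):
        for dn, attrs in records:                  # same rules as ldapadd
            self.ldapadd(dn, attrs)

    def bulkmodify(self, dn, name, value):
        if name.lower() in self.hashed_attrs:      # both columns: do not allow
            raise PermissionError("bulkmodify is not allowed on hashed attribute %s" % name)
        self.entries[dn][name.lower()] = value


if __name__ == "__main__":
    dsa = HashedAttributeStore("SSHA", ["employeePIN"], encrypted_attrs=["orclrevpwd"])
    dn = "cn=jdoe,dc=example,dc=com"               # constructed entry
    dsa.ldapadd(dn, {"cn": "jdoe", "employeePIN": "4711"})
    dsa.scheme = "SSHA256"                         # scheme changed after the value was stored
    print(dsa.entries[dn]["employeepin"][:6], dsa.ldapcompare(dn, "employeePIN", "4711"))
```

The part worth noticing is ldapcompare and the delete branch of ldapmodify: they hash the incoming clear-text value with the scheme recorded on the stored value, so changing orclcryptoscheme after a value has been stored does not break comparisons, while add and replace always use the current scheme, which is how stored values migrate to a new scheme over time.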

28.9 Configuring Hashed Attributes

You can manage the list of attributes in orclhashedattributes by using Oracle Enterprise Manager Fusion Middleware Control or the command line.

28.9.1 Configuring Hashed Attributes by Using Fusion Middleware Control

You can configure hashed attributes by using the Shared Properties page in Oracle Enterprise Manager Fusion Middleware Control.

Select Administration, then Shared Properties from the Oracle Internet Directory menu.

28.9.2 Configuring Hashed Attributes by Using ldapmodify

To configure hashed attributes by using the command line, add the attribute names to the DSA configuration entry's multivalued attribute orclhashedattributes.

For example, the following LDIF file adds three attributes to orclhashedattributes.

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclhashedattributes
orclhashedattributes: attributeName1
orclhashedattributes: attributeName2
orclhashedattributes: attributeName3
 

Load the LDIF file with a command line similar to this:

$ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -q -v \
   -f LDIF_file_name