DOAG Regionaltreffen Rhein-Neckar 20. Januar

Size: px

Start display at page:

Download "DOAG Regionaltreffen Rhein-Neckar 20. Januar"

Chad Spencer
6 years ago
Views:

1 DOAG Regionaltreffen Rhein-Neckar 20. Januar

2 <Insert Picture Here> Increased Data Security for SAP systems from Oracle Database Vault and Transparent Data Encryption Andreas Becker Principal Member Technical Staff Oracle/SAP Development, St. Leon-Rot

3 Agenda Introduction Oracle Transparent Data Encryption TDE TDE and SAP Oracle Database Vault Database Vault Database Vault and SAP Appendix <Insert Picture Here> DOAG Regionaltreffen Rhein-Neckar 20. Januar

4 <Insert Picture Here> Introduction DOAG Regionaltreffen Rhein-Neckar 20. Januar

5 Database Security Aspects Data Access Who is entitled to access data? Data Encryption Use of encryption Which data to encrypt Key management, Oranisational measures User management (create user, lock user, ) Software management (install, patch, link ) Physical access to server / Logon to server Auditing DOAG Regionaltreffen Rhein-Neckar 20. Januar

6 Database Security Aspects Software / Software Installation Software owner: who installs the software Operating System users Groups privileges User and passwords (OS and DB) Database Parameters remote_os_authent Database users Status Passwords Roles and privileges DOAG Regionaltreffen Rhein-Neckar 20. Januar

7 <Insert Picture Here> Oracle Customer requirements DOAG Regionaltreffen Rhein-Neckar 20. Januar

8 SAP-Kunde K. bei <...> haben zu viele Personen Zugriff auf sensible Daten, wie etwa Einkaufskonditionen, Gehaltsdaten usw. Wir möchten die Anzahl der unberechtigten Zugriffe auf Null reduzieren und gleichzeitig unsere DBA- und Systemadministratoren aus der Schusslinie bringen. Wir wollen daher Daten, die wir als kritisch erkannt haben, im Rahmen eines ganzheitlichen Schutzkonzepts überall dort verschlüsseln, wo sie persistent gespeichert werden. DOAG Regionaltreffen Rhein-Neckar 20. Januar

9 SAP-Kunde K. Bei <...> haben zu viele Personen Zugriff auf sensbile Daten, wie Einkaufs- oder Personaldaten. Um die unberechtigten Zugriffe auf Null zu reduzieren, ist einerseits der Zugriff innerhalb der Applikationsschicht durch ein wirksames Berechtigungskonzept einzuschränken. In den darunterliegenden Schichten, insbesondere für die Datenbank- und Storageschicht, ist sind diese Daten durch ein Schutz- und Verschlüsselungskonzept nicht direkt verwertbar zu machen. DOAG Regionaltreffen Rhein-Neckar 20. Januar

10 Customer question: We would like to encrypt our critical SAP data so that the administrators can not access them. Can we use TDE to address this point and what are the prerequisites? DOAG Regionaltreffen Rhein-Neckar 20. Januar

11 <Insert Picture Here> JP Morgan Client Data Loss The Wall Street Journal, May 2007 JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it cannot locate a computer tape containing their account information and Social Security numbers. DOAG Regionaltreffen Rhein-Neckar 20. Januar

12 /?page=ushome&contentid= <Insert Picture Here> JP Morgan Client Data Loss The Wall Street Journal, May 2007 JP Morgan client data loss 01 May 2007 JP Morgan loses clients' datathe Wall Street Journal JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it ca not locate a computer tape containing their account information and Social Security numbers. The tape, which was in a locked container, was being transported from a bank location to an off-site facility last month when it went astray, a JP Morgan spokesman said. It is not clear if the tape arrived at its destination or was lost along the way. The tape contained data from JP Morgan's private-client services business, which provides financial services to clients who have a net worth of between $1m ( 733,135) and $25m, the spokesman said. The tape also included data belonging to JP Morgan employees. Some 47,000 accounts were affected. DOAG Regionaltreffen Rhein-Neckar 20. Januar

13 enisa-telecoms-companies-are-wary-of-data-breach-law / <Insert Picture Here> Enisa: Telecoms companies are wary of data breach law "Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train," Enisa data-breach expert Sławomir Górniak told ZDNet UK. Organisations must gain public trust that personal data will not be divulged, otherwise they risk hindering the take-up of innovative technologies, according to Enisa. Measures such as encryption can mitigate the risk, said Górniak. "If you lose a laptop, and it's encrypted, and you have the keys, then this is not a data breach," he said. DOAG Regionaltreffen Rhein-Neckar 20. Januar

14 /hospital-trust-reports-data-breach-to-1500-patients / <Insert Picture Here> Hospital trust reports data breach to 1,500 patients "At the end of November it was found that part of an electromyography (EMG) machine, a computer which drives it, had been taken from a locked office in the neurophysiology department at Calderdale Royal Hospital," Yvette Oade, the medical director for the trust, said. "We have written to some of the department's patients because limited personal data, such as names and dates of birth, was on the password protected computer," she said. DOAG Regionaltreffen Rhein-Neckar 20. Januar

15 <Insert Picture Here> Transparent Data Encryption (TDE) DOAG Regionaltreffen Rhein-Neckar 20. Januar

16 The Need for Encryption Worldwide privacy, security laws and regulations Sarbanes-Oxley PCI (Payment Card Industrie) California SB 1386 (Nationwide soon?) Country-specific laws Customer Credit Card Numbers Disks replaced for maintenance Data worthless if encrypted Laptops stolen Backups lost DOAG Regionaltreffen Rhein-Neckar 20. Januar

17 Database Encryption Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g DBMS_CRYPTO in Oracle Database 10g Application calls PL/SQL API to perform encryption Typically requires database triggers, database Views No automated key management Note that most 3 rd party solutions today create triggers and views to make their encryption solution look transparent Oracle encryption API s are used by customers today to encrypt credit card numbers was never used or supported in SAP environments DOAG Regionaltreffen Rhein-Neckar 20. Januar

18 What our customers wanted Privacy / regulatory compliance (SB 1386, CISP/PCI) Protection for data on backup tapes Additional protection against operating system / data file theft Media theft / disk replacement Let the database handle all aspects of encryption, not the application Make it easy and secure DOAG Regionaltreffen Rhein-Neckar 20. Januar

required Media protection of PII data Social security numbers Credit Card Numbers Performance

19 Transparent Data Encryption Integrated with the Oracle database for simplicity Alter table encrypt column Provides application transparency No API calls, database triggers or views required Media protection of PII data Social security numbers Credit Card Numbers Performance Works with existing indexes for equality searches DOAG Regionaltreffen Rhein-Neckar 20. Januar

20 TDE Key Features Key Features: Transparent for the application Encrypts data on disk Encryption & Decryption is automatically performed by Oracle Table column level (10.2) or tablespace level (11.2 or higher) Simple SQL Syntax TDE Keys are managed by Oracle Protects unauthorized access to database on file system level/ OS level Small administration overhead No views or triggers Prerequisites: Oracle Enterprise Edition Advanced Security Option (ASO) DOAG Regionaltreffen Rhein-Neckar 20. Januar

Encryption Data Written To Disk Automatically Encrypted Oracle Advanced Security

21 Overview the Big Picture Oracle Advanced Security Strong Authentication Data Automatically Decrypted Through SQL Interface Oracle Advanced Security Network Encryption Data Written To Disk Automatically Encrypted Oracle Advanced Security Transparent Data Encryption Data Encrypted On Backup Files DOAG Regionaltreffen Rhein-Neckar 20. Januar

access to wallet Security DBA opens wallet containing

22 Separation of duties DBA starts up Database Wallet password is separate from System or DBA password No access to wallet Security DBA opens wallet containing master key DOAG Regionaltreffen Rhein-Neckar 20. Januar

23 Master key and column keys Column keys encrypted by master key Master key stored in PKCS#12 wallet Security DBA opens wallet containing master key Column keys encrypt data in columns DOAG Regionaltreffen Rhein-Neckar 20. Januar

24 Transparent Data Encryption (TDE) TDE Column-Level 10.2 TDE Tablespace-Level 11.2 SAP notes: Note Transparent Data Encryption (TDE) Note Creating encrypted EXPDP exports with BRSPACE Note Creating encrypted RMAN backups using BR*Tools Note Support for Oracle data encryption in BR*Tools DOAG Regionaltreffen Rhein-Neckar 20. Januar

25 Encrypting columns Encrypt a column in an existing table: alter table credit_rating modify (person_id encrypt); Create a new table with an encrypted column: create table orders ( order_id number(12), customer_id number(12), credit_card varchar2(16) encrypt); DOAG Regionaltreffen Rhein-Neckar 20. Januar

26 Encrypted Tablespaces OS> brspace -f tscreate -encryption yes SQL> 'create tablespace PSAPSR3TESTENC extent management local autoallocate segment space management auto encryption default storage (encrypt) datafile '/oracle/qo1/sapdata4/sr3testenc_1/sr3testenc.data1' size 20M; DOAG Regionaltreffen Rhein-Neckar 20. Januar

27 Transparent Data Encryption Configuration steps Column Encryption 1. Setup and initialize Wallet and Master Key 2. Identify tables and columns containing sensitive data 3. Check TDE column-level restrictions Data type supported? Used in index? 1. Encrypt table column Online redefinition DOAG Regionaltreffen Rhein-Neckar 20. Januar

28 Transparent Data Encryption Configuration steps for Encrypted Tablespaces 1. Setup and initialize Wallet and Master Key 2. Create new encrypted tablespace 3. Move tables and indexes into encrypted tablespace 4. Drop old tablespace when empty (without datafiles) 5. Overwrite datafiles of old tablespace using a secure method DOAG Regionaltreffen Rhein-Neckar 20. Januar

29 Transparent Data Encryption Managing Clear text Copies (ghost copies) 1. Drop old tablespace without datafiles SQL> DROP TABLESPACE <tablespace_name> INCLUDING CONTENTS KEEP DATAFILES (BRSPACE-Option: -KDF) 2. Overwrite blocks using a secure OS method DOAG Regionaltreffen Rhein-Neckar 20. Januar

30 Transparent Data Encryption Recommendations Do not misuse TDE as an authorization methode Do not encrypt all your data only data which needs to be protected To avoid Data Loss: NEVER LOOSE YOUR WALLET!! BACKUP YOUR WALLET!! NEVER FORGET OR LOOSE YOUR WALLET PASSWORD! DOAG Regionaltreffen Rhein-Neckar 20. Januar

31 Transparent Data Encryption Rekey Rekey Operations (column level) Master key: not too often (regularly / once a year) Maximum number of TDE master keys is limited (by wallet size) Column Key: depending on your regulations Full table update Rekey Operations (tablespace level) create new encrypted tablespace and move segments into the new tablespace DOAG Regionaltreffen Rhein-Neckar 20. Januar

32 <Insert Picture Here> Transparent Data Encryption (TDE) in SAP Environments DOAG Regionaltreffen Rhein-Neckar 20. Januar

33 Transparent Data Encryption (TDE) TDE Column-Level 10.2 TDE Tablespace-Level 11.2 SAP notes: Note Transparent Data Encryption (TDE) Note Creating encrypted EXPDP exports with BRSPACE Note Creating encrypted RMAN backups using BR*Tools Note Support for Oracle data encryption in BR*Tools DOAG Regionaltreffen Rhein-Neckar 20. Januar

34 Transparent Data Encryption Recommendations (cont d) Wallet Management Change of wallet password via Wallet manager or BRSPACE One Encryption Wallet per Database Do not use autologin wallet No support for multiple encryption_wallet_location Only one wallet location in sqlnet.ora DOAG Regionaltreffen Rhein-Neckar 20. Januar

35 TDE in an SAP environment TDE Candidates Do NOT encrypt tables belonging to SAP core application SAP system should be startable without wallet Do not encrypt tables used by BR*Tools Do not encrypt all tables (~100 should be enough) When column is used in an index non-salted DOAG Regionaltreffen Rhein-Neckar 20. Januar

36 TDE Support in SAP BR*TOOLS (10.2) Backup of Oracle Wallet (brbackup) Restore of Oracle Wallet (brrestore) Wallet name: ewallet.p12 Wallet Location in SAP environment: sqlnet.ora: encryption_wallet_location must be set to $ORACLE_HOME/dbs (Unix) $ORACLE_HOME/database (Windows) Auto-Login-Wallet (cwallet.sso) is not supported by BR*Tools DOAG Regionaltreffen Rhein-Neckar 20. Januar

37 TDE Support in SAP BR*TOOLS (11.2) SAP note (brspace f mdencr) Open wallet /Close wallet Create wallet / Delete wallet Save wallet Change wallet password Create new master key Rekey table Enable auto-open wallet / Disable auto-open wallet Display wallet information / wallet status Get list of encrypted table columns Get list of encrypted tablespaces Automatic management of wallet copies, backups and password verifications DOAG Regionaltreffen Rhein-Neckar 20. Januar

38 TDE Support in SAP BR*TOOLS (11.2) isi055:oraqo1 293> brtools -V BR0651I BRTOOLS 7.20 (10) Patch Date Info BR*Tools support for Oracle 11g (note ) BR*Tools support for esourcing databases (note ) release note kernel release 720 patch date patch level 10 make platform rs6000_64 make mode OCI_102 make date Jan isi055:oraqo1 294> DOAG Regionaltreffen Rhein-Neckar 20. Januar

39 TDE Support in SAP BR*TOOLS (11.2) DEMO: CREATE ENCRYPTION WALLET DOAG Regionaltreffen Rhein-Neckar 20. Januar

40 TDE Support in SAP BR*TOOLS (11.2) BR*Tools main menu 1 = Instance management 2 - Space management 3 - Segment management 4 - Backup and database copy 5 - Restore and recovery 6 - Check and verification 7 - Database statistics 8 - Additional functions 9 - Exit program Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: DOAG Regionaltreffen Rhein-Neckar 20. Januar

41 TDE Support in SAP BR*TOOLS (11.2) Database instance management 1 = Start up database 2 - Shut down database 3 - Alter database instance 4 - Alter database parameters 5 - Recreate database 6 - Manage online redolog 7 - Manage data encryption 8 - Show instance status 9 - Show database parameters 10 - Show database owners 11 - Reset program status Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: 7 DOAG Regionaltreffen Rhein-Neckar 20. Januar

42 TDE Support in SAP BR*TOOLS (11.2) BRSPACE options for manage data encryption 1 - BRSPACE profile (profile)... [initqo1.sap] 2 - Database user/password (user)... [/] 3 ~ Manage encryption action (action)... [] 4 ~ Encrypted tables for re-key (table). [] 5 - Confirmation mode (confirm)... [yes] 6 - Extended output (output)... [no] 7 - Message language (language)... [E] 8 - BRSPACE command line (command)... [-p initqo1.sap -l E -f mdencr] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: 3 BR0280I BRTOOLS time stamp: BR0663I Your choice: '3' BR0681I Enter string value for "action" (open close create delete save newkey rekey enable disable display show list) []: DOAG Regionaltreffen Rhein-Neckar 20. Januar

43 TDE Support in SAP BR*TOOLS (11.2) Manage data encryption main menu 1 - Open encryption wallet 2 - Close encryption wallet 3 - Create encryption wallet 4 - Delete encryption wallet 5 - Save encryption wallet 6 - Change wallet password 7 - Generate new master key 8 - Re-key encrypted tables 9 + Additional actions 10 = Exit program 11 - Reset program status Standard keys: c - cont, b - back, s - stop, r - refr, h - help DOAG Regionaltreffen Rhein-Neckar 20. Januar

44 TDE Support in SAP BR*TOOLS (11.2) Options for managing data encryption of database QO1 1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12] 2 * Database auto-open wallet (auto_wallet). [] 3 * Database wallet status (status)... [NOT_AVAIL] 4 * Manage encryption action (action)... [create] 5 # Encrypted tables for re-key (table)... [] 6 - Wallet password (password)... [*********] 7 # New wallet password (newpass)... [] 8 # Encryption algorithm (algorithm)... [] 9 # Force re-key action (force)... [no] 10 # Local auto-open wallet (local)... [yes] 11 - SQL command (command)... [alter system set encryption key identified by "*********"] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: DOAG Regionaltreffen Rhein-Neckar 20. Januar

45 TDE Support in SAP BR*TOOLS (11.2) SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS file /oracle/qo1/112_64/dbs CLOSED DOAG Regionaltreffen Rhein-Neckar 20. Januar

46 TDE Support in SAP BR*TOOLS (11.2) BR0280I BRSPACE time stamp: BR0663I Your choice: 'c' BR0259I Program execution will be continued... BR0280I BRSPACE time stamp: BR0370I Directory /oracle/qo1/sapwallet created BR0370I Directory /oracle/qo1/sapwallet/sefarbnu created BR0280I BRSPACE time stamp: BR1016I SQL statement 'alter system set encryption key identified by "*********"' executed successfully BR1714I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 created successfully BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12 BR0203I to /oracle/qo1/112_64/dbs/ewallet.cpy... BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12 BR0203I to /oracle/qo1/sapwallet/sefarbnu/ewallet.new... BR0280I BRSPACE time stamp: BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE: DOAG Regionaltreffen Rhein-Neckar 20. Januar

47 TDE Support in SAP BR*TOOLS (11.2) isi055:oraqo1 384> ls -l $ORACLE_HOME/dbs total 184 -rw-r--r-- 1 oraqo1 dba 1573 Jan 18 18:01 ewallet.cpy -rw-r--r-- 1 oraqo1 dba 1573 Jan 18 18:01 ewallet.p12 -rw-rw oraqo1 dba 1544 Jan 14 09:44 hc_dbua0.dat -rw-rw oraqo1 dba 1544 Jan 18 18:00 hc_qo1.dat -rw-r--r-- 1 oraqo1 dba 2851 May init.ora -rw-r oraqo1 dba 999 Jan 14 09:47 initqo1.ora -rw-r-xr-x 1 oraqo1 dba Sep 22 16:58 initqo1.sap -rw-r oraqo1 dba 24 Jan 11 15:26 lkqo1 -rwsr oraqo1 dba 2048 Jan 14 09:47 orapwqo1 -rw-r oraqo1 dba 5632 Jan 14 10:05 spfileqo1.ora isi055:oraqo1 385> DOAG Regionaltreffen Rhein-Neckar 20. Januar

48 TDE Support in SAP BR*TOOLS (11.2) SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS File /oracle/qo1/112_64/dbs OPEN DOAG Regionaltreffen Rhein-Neckar 20. Januar

49 TDE Support in SAP BR*TOOLS (11.2) DEMO: Open/Close Wallet DOAG Regionaltreffen Rhein-Neckar 20. Januar

50 TDE Support in SAP BR*TOOLS (11.2) Options for managing data encryption of database QO1 1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12] 2 * Database auto-open wallet (auto_wallet). [] 3 * Database wallet status (status)... [OPEN] 4 * Manage encryption action (action)... [close] 5 # Encrypted tables for re-key (table)... [] 6 - Wallet password (password)... [*********] 7 # New wallet password (newpass)... [] 8 # Encryption algorithm (algorithm)... [] 9 # Force re-key action (force)... [no] 10 # Local auto-open wallet (local)... [yes] 11 - SQL command (command)... [alter system set encryption wallet close identified by "*********"] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: DOAG Regionaltreffen Rhein-Neckar 20. Januar

51 TDE Support in SAP BR*TOOLS (11.2) BR0662I Enter your choice: c BR0280I BRSPACE time stamp: BR0663I Your choice: 'c' BR0259I Program execution will be continued... BR0280I BRSPACE time stamp: BR1016I SQL statement 'alter system set encryption wallet close identified by "*********"' executed successfully BR1713I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 closed successfully BR0280I BRSPACE time stamp: BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE: DOAG Regionaltreffen Rhein-Neckar 20. Januar

52 TDE Support in SAP BR*TOOLS (11.2) Options for managing data encryption of database QO1 1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12] 2 * Database auto-open wallet (auto_wallet). [] 3 * Database wallet status (status)... [CLOSED] 4 * Manage encryption action (action)... [open] 5 # Encrypted tables for re-key (table)... [] 6 - Wallet password (password)... [*********] 7 # New wallet password (newpass)... [******] 8 # Encryption algorithm (algorithm)... [] 9 # Force re-key action (force)... [no] 10 # Local auto-open wallet (local)... [yes] 11 - SQL command (command)... [alter system set encryption wallet open identified by "*********"] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: c DOAG Regionaltreffen Rhein-Neckar 20. Januar

53 TDE Support in SAP BR*TOOLS (11.2) BR0280I BRSPACE time stamp: BR0663I Your choice: 'c' BR0259I Program execution will be continued... BR0280I BRSPACE time stamp: BR1016I SQL statement 'alter system set encryption wallet open identified by "*********"' executed successfully BR1712I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 opened successfully BR0280I BRSPACE time stamp: BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE: DOAG Regionaltreffen Rhein-Neckar 20. Januar

54 TDE Support in SAP BR*TOOLS (11.2) DEMO: Change Wallet Password DOAG Regionaltreffen Rhein-Neckar 20. Januar

55 TDE Support in SAP BR*TOOLS (11.2) Options for managing data encryption of database QO1 1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12] 2 * Database auto-open wallet (auto_wallet). [] 3 * Database wallet status (status)... [OPEN] 4 * Manage encryption action (action)... [chpass] 5 # Encrypted tables for re-key (table)... [] 6 - Wallet password (password)... [*********] 7 - New wallet password (newpass)... [***********] 8 # Encryption algorithm (algorithm)... [] 9 # Force re-key action (force)... [no] 10 # Local auto-open wallet (local)... [yes] 11 # SQL command (command)... [] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: DOAG Regionaltreffen Rhein-Neckar 20. Januar

56 TDE Support in SAP BR*TOOLS (11.2) BR0662I Enter your choice: c BR0280I BRSPACE time stamp: BR0663I Your choice: 'c' BR0259I Program execution will be continued... BR0280I BRSPACE time stamp: BR0370I Directory /oracle/qo1/sapwallet/sefavtab created BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12 BR0203I to /oracle/qo1/sapwallet/sefavtab/ewallet.old... BR0280I BRSPACE time stamp: BR1722I Encryption wallet password changed successfully BR1705I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 is open DOAG Regionaltreffen Rhein-Neckar 20. Januar

57 TDE Support in SAP BR*TOOLS (11.2) BR1721I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 will be closed and reopened now BR0280I BRSPACE time stamp: BR0675I This is a recommended action - do you want to execute it now? BR0676I Enter 'y[es]/c[ont]' to execute the action, 'n[o]' to skip it, 's[top]' to abort: y BR0280I BRSPACE time stamp: BR1713I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 closed successfully BR0280I BRSPACE time stamp: BR1712I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 opened successfully BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12 BR0203I to /oracle/qo1/112_64/dbs/ewallet.cpy... BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12 BR0203I to /oracle/qo1/sapwallet/sefavtab/ewallet.new... DOAG Regionaltreffen Rhein-Neckar 20. Januar

58 TDE Support in SAP BR*TOOLS (11.2) DEMO: Create auto-open wallet DOAG Regionaltreffen Rhein-Neckar 20. Januar

59 TDE Support in SAP BR*TOOLS (11.2) isi055:oraqo1 388> ls -ltr total 184 -rw-r--r-- 1 oraqo1 dba 2851 May init.ora -rw-r-xr-x 1 oraqo1 dba Sep 22 16:58 initqo1.sap -rw-r oraqo1 dba 24 Jan 11 15:26 lkqo1 -rw-r oraqo1 dba 5632 Jan 14 10:05 spfileqo1.ora -rw oraqo1 dba 1574 Jan 19 16:48 ewallet.p12 -rw-r--r-- 1 oraqo1 dba 1574 Jan 19 16:48 ewallet.cpy -rw-rw oraqo1 dba 1544 Jan 19 16:48 hc_qo1.dat isi055:oraqo1 389> DOAG Regionaltreffen Rhein-Neckar 20. Januar

60 TDE Support in SAP BR*TOOLS (11.2) Additional data encryption actions 1 - Enable auto-open wallet 2 - Disable auto-open wallet 3 - Display database wallet info 4 - Show encryption status 5 - List encrypted tables/columns 6 - List encrypted tablespaces 7 - Main actions Standard keys: c - cont, b - back, s - stop, r - refr, h - help DOAG Regionaltreffen Rhein-Neckar 20. Januar

61 TDE Support in SAP BR*TOOLS (11.2) Options for managing data encryption of database QO1 1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12] 2 * Database auto-open wallet (auto_wallet). [] 3 * Database wallet status (status)... [OPEN] 4 * Manage encryption action (action)... [enable] 5 # Encrypted tables for re-key (table)... [] 6 - Wallet password (password)... [*********] 7 # New wallet password (newpass)... [] 8 # Encryption algorithm (algorithm)... [] 9 # Force re-key action (force)... [no] 10 - Local auto-open wallet (local)... [yes] 11 # SQL command (command)... [] Standard keys: c - cont, b - back, s - stop, r - refr, h - help BR0662I Enter your choice: c DOAG Regionaltreffen Rhein-Neckar 20. Januar

62 TDE Support in SAP BR*TOOLS (11.2) BR0662I Enter your choice: c BR0280I BRSPACE time stamp: BR0663I Your choice: 'c' BR0259I Program execution will be continued... BR0280I BRSPACE time stamp: BR1726I Local auto-open wallet /oracle/qo1/112_64/dbs/cwallet.sso enabled successfully BR0280I BRSPACE time stamp: BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE: DOAG Regionaltreffen Rhein-Neckar 20. Januar

63 TDE Support in SAP BR*TOOLS (11.2) isi055:oraqo1 389> ls -ltr -rw oraqo1 dba 1574 Jan 19 16:48 ewallet.p12 -rw-r--r-- 1 oraqo1 dba 1574 Jan 19 16:48 ewallet.cpy -rw-rw oraqo1 dba 1544 Jan 19 16:49 hc_qo1.dat -rw oraqo1 dba 1651 Jan 19 16:52 cwallet.sso isi055:oraqo1 390> DOAG Regionaltreffen Rhein-Neckar 20. Januar

64 Orapki (11.2) orapki is a command line tool for wallet management: Here are some orapki command line options: OS> orapki wallet help OS> orapki wallet display -wallet $ORACLE_HOME/dbs OS> orapki wallet change_pwd -wallet <wallet_location> [-oldpwd <oldpwd> -newpwd <newpwd>] Attention: you enter the new password just once To close the wallet, you need to use the old password from before the change OS> orapki wallet create -wallet <wallet_location> -auto_login OS> orapki wallet create -wallet <wallet_location> -auto_login_local DOAG Regionaltreffen Rhein-Neckar 20. Januar

65 <Insert Picture Here> Database Vault (DV) DOAG Regionaltreffen Rhein-Neckar 20. Januar

66 Oracle Database 11g Release 2 for SAP Security Aspects Data Access via SAP Interface SAP User & Privilege Management ABCDEFG DOAG Regionaltreffen Rhein-Neckar 20. Januar

67 Oracle Database 11g Release 2 for SAP Security Aspects Direct Data Access via File Read Data Access via SAP Interface Oracle Advanced Security: Encryption SAP User & Privilege Management $8u?_3# DOAG Regionaltreffen Rhein-Neckar 20. Januar

68 Oracle Database 11g Release 2 for SAP Security Aspects Direct Data Access via File Read Data Access via SAP Interface Direct Data Access via SQL Interface Oracle Advanced Security: Encryption SAP User & Privilege Management Oracle Database Vault: Access Control DOAG Regionaltreffen Rhein-Neckar 20. Januar

69 Oracle Database Security for SAP Overview Transparent Data Encryption OS> SQLPLUS / AS SYSDBA SQL> SELECT * FROM SAPSR3.<table>; [Decrypted Result Set] Database Vault OS> SQLPLUS / as SYSDBA SQL> SELECT * FROM SAPSR3.<table>; ORA-01031: insufficient privileges DOAG Regionaltreffen Rhein-Neckar 20. Januar

since February 2007 See SAP Note 974876 Database Backup Backup Set Encryption Using Oracle

70 Oracle 10g Advanced Security Application Network Encryption Supported since February 2007 See SAP Note Database Server Instance Database Files Transparent Data Encryption Supported since February 2007 See SAP Note Database Backup Backup Set Encryption Using Oracle Recovery Manager (RMAN) See SAP Note DOAG Regionaltreffen Rhein-Neckar 20. Januar

71 Oracle 11g Advanced Encryption Column Encryption through TDE Client-Server (SAP App Server to Database) Network Encryption Tablespace Encryption DG Secure Network Transport RMAN Backup Encryption Expdp Encryption SecureFile (unstructured LOB data) encryption DOAG Regionaltreffen Rhein-Neckar 20. Januar

72 Oracle Database Vault Addresses Compliance Regulations Insider Threats Need for Flexible Security Policies Consolidation Concerns Outsourcing Concerns DOAG Regionaltreffen Rhein-Neckar 20. Januar

73 Oracle Database Vault Concepts Database Vault does not change Access rights based on DB object privileges Access rights based on application-specific rules Access rights based on operating system privileges (e.g. root, Oracle owner) Database Vault does Prevent data access based on DB system privileges (DBA role, SELECT ANY TABLE, UPDATE ANY TABLE, ) Replace these access rights by more flexible ones that are based on principles such as Separation of duties Dual key security etc. DOAG Regionaltreffen Rhein-Neckar 20. Januar

74 Oracle Database Vault for SAP Separation of Duties ALTER, DROP SELECT SOME_APP objects Application DBA Run application Application Users DOAG Regionaltreffen Rhein-Neckar 20. Januar

75 Standard Database Vault Standard Database Vault comes with Everything needed to protect itself Everything needed to protect database system data (data dictionary) Standard Database Vault In most cases not ready to use Needs definition of additional policy components according to application needs and customer security requirements DOAG Regionaltreffen Rhein-Neckar 20. Januar

76 Standard Database Vault Default Realms DOAG Regionaltreffen Rhein-Neckar 20. Januar

lessons learned in previous application specific policy implementations Can be enhanced

77 Database Vault for SAP Oracle database Vault for SAP One of several application specific DV policy implementations delivered by Oracle in addition to Standard DV Makes use of the lessons learned in previous application specific policy implementations Can be enhanced by customer specific policy components DOAG Regionaltreffen Rhein-Neckar 20. Januar

78 Oracle Database Vault for SAP Delivered Security Policies Protections Protection Realm for ABAP Stack Protection Realm for Java Stack Realm Owner Protects Protection Realm for SAP BR*Tools Credential Protection Realm Protection Realm for SAP Admin Roles SAP Application Account SAP Application Account SAPDBA Role SAPCRED Role SAPACCTMGR SAP business data SAP business data DB objects needed by SAP BR*Tools Data needed for credential management SAP administration roles (SAPCONN, SAPDBA, SAPCRED, SAPSYS) DOAG Regionaltreffen Rhein-Neckar 20. Januar

79 High privileged users Privileges Access to all data in the database Encryption does not help here This is not an Oracle-only problem. Typical approach: Companies trust their DBAS. Oracle offers a solution with Database Vault Oracle is the only software vendor with such a solution DOAG Regionaltreffen Rhein-Neckar 20. Januar

80 Oracle Database Vault Two main components REALMs Prevents objects from unprivileged access Command-Rules mit Rule Sets Restrict the execution of commands DOAG Regionaltreffen Rhein-Neckar 20. Januar

81 <Insert Picture Here> Database Vault (DV) in SAP Environments DOAG Regionaltreffen Rhein-Neckar 20. Januar

82 Oracle Database Vault für SAP DOAG Regionaltreffen Rhein-Neckar 20. Januar

83 Oracle Database Accounts in SAP Separation of Duty Mapping User Name User Status Responsibility SAP<SAPSID> OPEN SAP application account for ABAP stack SAP<SAPSID>DB OPEN SAP application account for Java stack SECADMIN OPEN Database Vault Security Administrator SECANALYST OPEN Optional account for Database Vault reporting SECACCTMGR OPEN Database Vault Account Manager SAPACCTMGR OPEN Password Management for SAP accounts OPS$SAPSERVICE<SID > OPEN SAP Database Administration account OPS$ORA<SID> OPEN SAP Database Administration account OPS$<SID>ADM OPEN SAP Database Administration account SUPPORT_DBA LOCKE D To be used by Oracle Support and in emergency DOAG Regionaltreffen Rhein-Neckar 20. Januar

84 <Insert Picture Here> DV Protection DOAG Regionaltreffen Rhein-Neckar 20. Januar

85 Database Vault Show Protection Realm-Protection SECADMIN SQL> select * from sapsr3.t100; select * from sapsr3.t100 * ERROR at line 1: ORA-00942: table or view does not exist SECADMIN SQL> conn / as sysdba Connected. SYS AS SYSDBA SQL> select * from sapsr3.t100; select * from sapsr3.t100 * ERROR at line 1: ORA-01031: insufficient privileges SYS AS SYSDBA SQL> DOAG Regionaltreffen Rhein-Neckar 20. Januar

86 Database Vault Show Protection Command-Rule SYS AS SYSDBA SQL> conn sapsr3 Enter password: ERROR: ORA-47400: Command Rule violation for CONNECT on LOGON Warning: You are no longer connected to ORACLE. SQL> DOAG Regionaltreffen Rhein-Neckar 20. Januar

87 Database Vault Show Protection DOAG Regionaltreffen Rhein-Neckar 20. Januar

88 <Insert Picture Here> DV SAP Policy Configuration DOAG Regionaltreffen Rhein-Neckar 20. Januar

89 Database Vault SAP Policy SAP Note Database Vault Policy Scripts for SAP (11.2) DV policy scripts for SAP for configuration and administration Main script: dv_policy.sql Delivered as patch p _112020_generic.zip Gets installed into <ORACLE_HOME>/sap/ora_dbvault Run by Security administrator SECADMIN SECADMIN needs access to the database on OS level to run the scripts create separate OS account Example: sqlplus policy create DOAG Regionaltreffen Rhein-Neckar 20. Januar

90 Database Vault SAP Policy Supported options SECADMIN help DVINFO: DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP ***** DVINFO: DVINFO: ***** Action ***** DVINFO: The selected action is <help>. DVINFO: Usage:. To manage Oracle Database Vault policies for SAP connect to the database from sqlplus as SECADMIN user or as another user with DV_ADMIN or DV_OWNER privilege and run dv_policy.sql as follows:. OS> sqlplus <action> [<option>] DOAG Regionaltreffen Rhein-Neckar 20. Januar

91 Database Vault SAP Policy Supported options Supported main actions: policy create policy delete policy enable policy disable policy status. help? version -> Create Database Vault Default Policies for SAP -> Delete Database Vault Default Policies for SAP -> Enable Database Vault Default Policies for SAP -> Disable Database Vault Default Policies for SAP -> Show current configuration status -> Show this help -> Show version info DOAG Regionaltreffen Rhein-Neckar 20. Januar

92 Database Vault SAP Policy Supported options Supported actions for DV administration: patch enable -> Enable user SYS to patch the database patch disable -> Disable user SYS to patch the database patch status -> Show. user SYS' patch status export enable -> Enable user BRTDBA for data export export disable -> Disable user BRTDBA for data export import enable -> Enable user BRTDBA for data import import disable -> Disable user BRTDBA for data import export status -> Show current export/import status DOAG Regionaltreffen Rhein-Neckar 20. Januar

93 Database Vault SAP Policy Supported options sapdba_role_install enable -> Enable user SYS to install SAPDBA role sapdba_role_install disable -> Disable user SYS to install SAPDBA role. commandrule connect enable -> Enable CONNECT command rule commandrule connect disable -> Disable CONNECT command rule. commandrule grant enable -> Enable GRANT command rule commandrule grant disable -> Disable GRANT command rule. default_realms enable -> Enable Database Vault Default R. default_realms disable -> Disable Database Vault Default R. default_realms status -> Status Database Vault Default R.. support_access enable -> Enable SAP support access support_access disable -> Disable SAP support access DOAG Regionaltreffen Rhein-Neckar 20. Januar

94 Database Vault SAP Policy Install SAP DV Policy DEMO: Install SAP-specific Database Vault Protection DOAG Regionaltreffen Rhein-Neckar 20. Januar

95 Database Vault SAP Policy Install SAP DV Policy SECADMIN policy create DVINFO: DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP ***** DVINFO: DVINFO: Current date : :57:59 DVINFO: Version : DVINFO: Build : 003 DVINFO: Release date : 2010-Nov-05 DVINFO: Copyright (c) Oracle Corporation All Rights Reserved. DVINFO: DVINFO: ***** Action ***** DVINFO: The selected action is <policy create>. DVINFO: DVINFO: ***** Database platform information ***** DVINFO: Operating system : HP-UX IA (64-bit)(4) DVINFO: Platform category : UNIX DVINFO: Unix platform : YES DOAG Regionaltreffen Rhein-Neckar 20. Januar

96 Database Vault SAP Policy Install SAP DV Policy DVINFO: ***** Database Account Information ***** DVINFO: OPS$<SAPSID>ADM account(s): DVINFO: OPS$QO1ADM DVINFO: OPS$ORA<DBSID> account(s): DVINFO: OPS$ORAQO1 DVINFO: OPS$SAPSERVICE account(s): DVINFO: OPS$QO1ADM DVINFO: OPS$SAPSERVICEQO1 DVINFO: OPS$SR3ADM DVINFO: SAP Application user(s) (ABAP stack) DVINFO: SAPSR3 (ABAP stack) OPEN DVINFO: SAPSR5 (ABAP stack) OPEN DVINFO: SAP Application user(s) (JAVA stack) DVINFO: No users found. DOAG Regionaltreffen Rhein-Neckar 20. Januar

97 Database Vault SAP Policy Install SAP DV Policy DVINFO: ***** Creating DV rules ***** DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (1-sidadm)> DVINFO: Rule created. DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (2-orasid)> DVINFO: Rule created. DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (3-sapservicesid)> DVINFO: Rule created. DVINFO: Rule name: <Allow ABAP SAP Application Processes Access for CONNECT command rule> DVINFO: Rule created. DVINFO: Rule name: <Allow SAP Administrators CONNECT command rule> DVINFO: Rule created. DVINFO: Rule name: <Allow SAP Administrators GRANT command rule> DVINFO: Rule created. Access for Access for DOAG Regionaltreffen Rhein-Neckar 20. Januar

98 Database Vault SAP Policy Install SAP DV Policy- Steps DVINFO: ***** Creating DV rules *****... DVINFO: ***** Creating DV rule sets *****... DVINFO: ***** Adding DV rules to DV rule sets *****... DVINFO: ***** Creating DV realms *****... DVINFO: ***** Modifying DV Default realms *****... DVINFO: ***** Creating DV command rules *****... DVINFO: ***** Synchronizing rules *****... DOAG Regionaltreffen Rhein-Neckar 20. Januar

99 Database Vault Default Realms DOAG Regionaltreffen Rhein-Neckar 20. Januar

100 Database Vault SAP Realms (after policy create ) DOAG Regionaltreffen Rhein-Neckar 20. Januar

101 Database Vault SAP Policy Installing a Patch (1/2) SECADMIN patch enable DVINFO: DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP ***** DVINFO: DVINFO: ***** Action ***** DVINFO: The selected action is <patch enable>. DVINFO: DVINFO: ***** Disabling GRANT command rule ***** DVINFO: Command rule: <GRANT> DVINFO: Command rule disabled. DVINFO: ***** Enable Database Patching ***** DVINFO: This action grants the DV_PATCH_ADMIN role to SYS. DVINFO: This enables SYS to patch the database. DVINFO: DV_PATCH_ADMIN role granted to SYS. DVINFO: SYS is now enabled to install database patches. DVINFO: DVINFO: ***** Action ***** DVINFO: Database patching enabled. DOAG Regionaltreffen Rhein-Neckar 20. Januar

102 Database Vault SAP Policy Installing a Patch (2/2) SECADMIN patch disable DVINFO: DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP ***** DVINFO: DVINFO: ***** Action ***** DVINFO: The selected action is <patch disable>. DVINFO: DVINFO: ***** Enabling GRANT command rule ***** DVINFO: Command rule: <GRANT> DVINFO: Command rule enabled. DVINFO: ***** Disable Database Patching ***** DVINFO: This action revokes the DV_PATCH_ADMIN role from SYS. DVINFO: DV_PATCH_ADMIN role revoked from SYS. DVINFO: DVINFO: ***** Action ***** DVINFO: Database patching disabled. DOAG Regionaltreffen Rhein-Neckar 20. Januar

103 <Insert Picture Here> DV Configuration and Administration with SAPspecific scripts DOAG Regionaltreffen Rhein-Neckar 20. Januar

104 Database Vault Enable / Disable chopt OS> chopt usage: chopt <enable disable> <option> options: dm = Oracle Data Mining RDBMS Files dv = Oracle Database Vault option lbac = Oracle Label Security olap = Oracle OLAP partitioning = Oracle Partitioning rat = Oracle Real Application Testing e.g. chopt enable rat OS> DOAG Regionaltreffen Rhein-Neckar 20. Januar

105 Database Vault Enable / Disable chopt OS> chopt disable dv Writing to /oracle/qo1/112_64/install/disable_dv.log... %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk dv_off %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk ioracle OS> OS> chopt enable dv Writing to /oracle/qo1/112_64/install/enable_dv.log... %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk dv_on %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk ioracle OS> DOAG Regionaltreffen Rhein-Neckar 20. Januar

106 Database Vault Enable / Disable dv_status.sh / dv_enable.sh / dv_disable.sh OS>./dv_status.sh Checking Status of Oracle Database Vault Oracle Database Vault is disabled. Oracle Label Security is enabled. OS> OS>./dv_status.sh Checking Status of Oracle Database Vault Oracle Database Vault is enabled. Oracle Label Security is enabled. OS> DOAG Regionaltreffen Rhein-Neckar 20. Januar

107 Database Vault Enable / Disable dv_status.sh / dv_enable.sh / dv_disable.sh OS>./dv_enable.sh Enabling Oracle Database Vault /usr/ccs/bin/ar d /oracle/qo1/112_64/rdbms/lib/libknlopt.a kzvndv.o /usr/ccs/bin/ar cr /oracle/qo1/112_64/rdbms/lib/libknlopt.a /oracle/qo1/112_64/rdbms/lib/kzvidv.o /usr/ccs/bin/ar cr /oracle/qo1/112_64/rdbms/lib/libknlopt.a /oracle/qo1/112_64/rdbms/lib/kzlilbac.o - Linking Oracle rm -f /oracle/qo1/112_64/rdbms/lib/oracle... test! -f /oracle/qo1/112_64/bin/oracle \ mv -f /oracle/qo1/112_64/bin/oracle /oracle/qo1/112_64/bin/oracleo mv /oracle/qo1/112_64/rdbms/lib/oracle /oracle/qo1/112_64/bin/oracle chmod 6751 /oracle/qo1/112_64/bin/oracle DOAG Regionaltreffen Rhein-Neckar 20. Januar

108 <Insert Picture Here> Appendix DOAG Regionaltreffen Rhein-Neckar 20. Januar

109 <Insert Picture Here> SAP Notes DOAG Regionaltreffen Rhein-Neckar 20. Januar

110 SAP Notes on Transparent Data Encryption SAP Support Portal Note Transparent Data Encryption (TDE) Note Creating encrypted EXPDP exports with BRSPACE Note Creating encrypted RMAN backups using BR*Tools Note Support for Oracle data encryption in BR*Tools DOAG Regionaltreffen Rhein-Neckar 20. Januar

111 SAP Notes on Oracle Network Encryption SAP Support Portal Note Oracle Advanced Security: Network encryption DOAG Regionaltreffen Rhein-Neckar 20. Januar

112 SAP Notes on Database Vault SAP Support Portal Note Using Oracle Database Vault in an SAP environmen Note Enabling and Disabling Database Vault (11.2) Note FAQ: Oracle Database Vault Note Database Vault Policy Scripts for SAP (11.2) DOAG Regionaltreffen Rhein-Neckar 20. Januar

113 SAP Notes on Secure Database Configuration SAP Support Portal Note Oracle Database 10g: New database role SAPCONN Note SAP Database User Profile SAPUPROF Note Password Complexity Verification Function DOAG Regionaltreffen Rhein-Neckar 20. Januar

SAP Community Network SAP on Oracle Database http://www.sdn.sap.

114 SAP Community Network SAP on Oracle Database DOAG Regionaltreffen Rhein-Neckar 20. Januar

115 <Insert Picture Here> My Oracle Support Notes DOAG Regionaltreffen Rhein-Neckar 20. Januar

116 My Oracle Notes on Transparent Data Encryption Master Note For Transparent Data Encryption [ID ] 10g R2 New Feature TDE : Transparent Data Encryption [ID ] 10gR2: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE) [ID ] Quick and dirty TDE Setup and FAQ [ID ] 11g New Feature : Transparent Data Encryption at Tablespace Level [ID ] DOAG Regionaltreffen Rhein-Neckar 20. Januar

117 My Oracle Notes on Database Vault Master Note For Oracle Database Vault [ID ] How To Enable And/Or Disable Oracle Database Vault [ID ] Installing Database Vault in a Data Guard Environment [ID ] How To Uninstall Or Reinstall Database Vault in 11g [ID ] DOAG Regionaltreffen Rhein-Neckar 20. Januar

118 Learn More Search Knowledge Base database vault Transparent data encryption DOAG Regionaltreffen Rhein-Neckar 20. Januar

119 Learn More database security Technology Overview Visit: View Whitepapers and webinars Technical Information, Demos, Software Visit OTN: DOAG Regionaltreffen Rhein-Neckar 20. Januar

120 <Insert Picture Here> Oracle Technology Network DOAG Regionaltreffen Rhein-Neckar 20. Januar

121 Oracle Technology Network TDE Best Practices January 2011 version of the TDE best practices paper New support for TDE column encryption and TDE tablespace encryption with Oracle Golden Gate In the Dec update, an ACFS access control policy in Oracle RAC that only allows the Oracle instance access to the Oracle Wallet (neither the oracle user, nor 'root') was introduced. DOAG Regionaltreffen Rhein-Neckar 20. Januar

122 Oracle Technology Network Database Vault Best Practices DBA Administrative Best Practices with Oracle Database Vault DOAG Regionaltreffen Rhein-Neckar 20. Januar

123 SEC_RITY IS NOT COMPLETE WITHOUT U! DOAG Regionaltreffen Rhein-Neckar 20. Januar

We encourage you to use the newly minted corporate tagline Hardware and Software, Engineered to Work Together. at the end of all your presentations.

124 We encourage you to use the newly minted corporate tagline Hardware and Software, Engineered to Work Together. at the end of all your presentations. This message should replace any reference to our previous corporate tagline Hardware. Software. Complete. DOAG Regionaltreffen Rhein-Neckar 20. Januar

125 DOAG Regionaltreffen Rhein-Neckar 20. Januar

Transparent Data Encryption

Transparent Data Encryption DOAG SID SAP & Oracle June 2007 Andreas Becker Senior Member Technical Staff Oracle Server Technologies - SAP Development Agenda Transparent Data Encrytion