DOAG Regionaltreffen Rhein-Neckar 20. Januar

DOAG Regionaltreffen Rhein-Neckar, 20. Januar 2011

Increased Data Security for SAP Systems from Oracle Database Vault and Transparent Data Encryption
Andreas Becker, Principal Member Technical Staff, Oracle/SAP Development, St. Leon-Rot

Agenda
- Introduction
- Oracle Transparent Data Encryption (TDE)
- TDE and SAP
- Oracle Database Vault
- Database Vault and SAP
- Appendix

Introduction

Database Security Aspects
- Data access: who is entitled to access data?
- Data encryption: use of encryption, which data to encrypt, key management
- Organisational measures: user management (create user, lock user, ...), software management (install, patch, link, ...), physical access to the server / logon to the server
- Auditing

Database Security Aspects
- Software / software installation: software owner (who installs the software)
- Operating system users: groups, privileges, users and passwords (OS and DB)
- Database parameters: remote_os_authent
- Database users: status, passwords, roles and privileges

Oracle Customer Requirements

SAP customer K.: "At <...> too many people have access to sensitive data, such as purchasing conditions, salary data, etc. We want to reduce the number of unauthorized accesses to zero and at the same time take our DBAs and system administrators out of the line of fire. We therefore want to encrypt data that we have identified as critical, as part of a holistic protection concept, wherever it is stored persistently."

SAP customer K.: "At <...> too many people have access to sensitive data, such as purchasing or HR data. To reduce unauthorized accesses to zero, on the one hand access within the application layer must be restricted by an effective authorization concept. In the underlying layers, in particular the database and storage layers, this data must be made not directly usable by a protection and encryption concept."

Customer question: "We would like to encrypt our critical SAP data so that the administrators cannot access it. Can we use TDE to address this point, and what are the prerequisites?"

JP Morgan Client Data Loss (The Wall Street Journal, May 2007)
Source: http://www.financialnews-us.com/?page=ushome&contentid=2347681605

"JP Morgan loses clients' data", 01 May 2007: JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it cannot locate a computer tape containing their account information and Social Security numbers. The tape, which was in a locked container, was being transported from a bank location to an off-site facility last month when it went astray, a JP Morgan spokesman said. It is not clear if the tape arrived at its destination or was lost along the way. The tape contained data from JP Morgan's private-client services business, which provides financial services to clients who have a net worth of between $1m (€733,135) and $25m, the spokesman said. The tape also included data belonging to JP Morgan employees. Some 47,000 accounts were affected.

Enisa: Telecoms companies are wary of data breach law
Source: http://www.zdnet.co.uk/news/security/2011/01/14/enisa-telecoms-companies-are-wary-of-data-breach-law-40091437/

"Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train," Enisa data-breach expert Sławomir Górniak told ZDNet UK. Organisations must gain public trust that personal data will not be divulged, otherwise they risk hindering the take-up of innovative technologies, according to Enisa. Measures such as encryption can mitigate the risk, said Górniak. "If you lose a laptop, and it's encrypted, and you have the keys, then this is not a data breach," he said.

Hospital trust reports data breach to 1,500 patients
Source: http://www.zdnet.co.uk/news/security/2010/12/23/hospital-trust-reports-data-breach-to-1500-patients-40091245/

"At the end of November it was found that part of an electromyography (EMG) machine, a computer which drives it, had been taken from a locked office in the neurophysiology department at Calderdale Royal Hospital," Yvette Oade, the medical director for the trust, said. "We have written to some of the department's patients because limited personal data, such as names and dates of birth, was on the password protected computer," she said.

Transparent Data Encryption (TDE)

The Need for Encryption
- Worldwide privacy and security laws and regulations: Sarbanes-Oxley, PCI (Payment Card Industry), California SB 1386 (nationwide soon?), country-specific laws
- Customer credit card numbers
- Disks replaced for maintenance, laptops stolen, backups lost: the data is worthless to a thief if it is encrypted

Database Encryption
- Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition: DBMS_OBFUSCATION_TOOLKIT in Oracle9i and Oracle10g, DBMS_CRYPTO in Oracle Database 10g
- The application calls the PL/SQL API to perform encryption; this typically requires database triggers and database views
- No automated key management
- Note that most 3rd-party solutions today create triggers and views to make their encryption solution look transparent
- Oracle encryption APIs are used by customers today to encrypt credit card numbers; they were never used or supported in SAP environments

What our customers wanted
- Privacy / regulatory compliance (SB 1386, CISP/PCI)
- Protection for data on backup tapes
- Additional protection against operating system / data file theft, media theft and disk replacement
- Let the database handle all aspects of encryption, not the application
- Make it easy and secure

Transparent Data Encryption
- Integrated with the Oracle database for simplicity: "alter table ... encrypt" on a column
- Provides application transparency: no API calls, database triggers or views required
- Media protection of PII data: social security numbers, credit card numbers
- Performance: works with existing indexes for equality searches

TDE Key Features
Key features:
- Transparent for the application
- Encrypts data on disk; encryption and decryption are performed automatically by Oracle
- Table column level (10.2) or tablespace level (11.2 or higher)
- Simple SQL syntax
- TDE keys are managed by Oracle
- Protects against unauthorized access to the database at the file system / OS level
- Small administration overhead: no views or triggers
Prerequisites:
- Oracle Enterprise Edition
- Advanced Security Option (ASO)

Overview: the Big Picture
- Oracle Advanced Security Strong Authentication
- Oracle Advanced Security Network Encryption
- Oracle Advanced Security Transparent Data Encryption: data written to disk is automatically encrypted, data is automatically decrypted through the SQL interface, data is encrypted on backup files

Separation of duties
- The DBA starts up the database; the wallet password is separate from the SYSTEM or DBA password, and the DBA has no access to the wallet
- The Security DBA opens the wallet containing the master key

Master key and column keys
- Column keys are encrypted by the master key
- The master key is stored in a PKCS#12 wallet
- The Security DBA opens the wallet containing the master key
- Column keys encrypt the data in the columns

Transparent Data Encryption (TDE)
- TDE column-level: 10.2
- TDE tablespace-level: 11.2
SAP notes:
- Note 974876 - Transparent Data Encryption (TDE)
- Note 1324930 - Creating encrypted EXPDP exports with BRSPACE
- Note 1324684 - Creating encrypted RMAN backups using BR*Tools
- Note 1279682 - Support for Oracle data encryption in BR*Tools

Encrypting columns
Encrypt a column in an existing table:
    alter table credit_rating modify (person_id encrypt);
Create a new table with an encrypted column:
    create table orders (
        order_id    number(12),
        customer_id number(12),
        credit_card varchar2(16) encrypt);

Encrypted Tablespaces
    OS> brspace -f tscreate -encryption yes
    SQL> create tablespace PSAPSR3TESTENC
           extent management local autoallocate
           segment space management auto
           encryption default storage (encrypt)
           datafile '/oracle/qo1/sapdata4/sr3testenc_1/sr3testenc.data1' size 20M;

Transparent Data Encryption: Configuration steps for column encryption
1. Set up and initialize the wallet and master key
2. Identify tables and columns containing sensitive data
3. Check the TDE column-level restrictions: data type supported? used in an index?
4. Encrypt the table column (online redefinition)

Transparent Data Encryption: Configuration steps for encrypted tablespaces
1. Set up and initialize the wallet and master key
2. Create a new encrypted tablespace
3. Move tables and indexes into the encrypted tablespace
4. Drop the old tablespace when empty (without datafiles)
5. Overwrite the datafiles of the old tablespace using a secure method

Transparent Data Encryption: Managing clear-text copies (ghost copies)
1. Drop the old tablespace without datafiles:
    SQL> DROP TABLESPACE <tablespace_name> INCLUDING CONTENTS KEEP DATAFILES;
   (BRSPACE option: -KDF)
2. Overwrite the blocks using a secure OS method
http://www.oracle.com/technetwork/database/
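The tablespace-level procedure of the preceding slides written out as the SQL*Plus statements a security DBA would run on Oracle 11.2, with the checks between the steps. This is an added example, not code from the deck or from BR*Tools; the tablespace names PSAPSR3SENS / PSAPSR3SENSENC, the table SAPSR3.ZSALARY, the datafile path and the wallet password are assumed placeholders.

```sql
-- Added example: tablespace-level TDE migration on Oracle 11.2 (SAP-style names assumed).
-- PSAPSR3SENS (old, clear text), PSAPSR3SENSENC (new, encrypted), SAPSR3.ZSALARY and the
-- datafile path are placeholders; "<wallet_password>" is the security DBA's wallet password.

-- Step 1: wallet and master key. sqlnet.ora must already point at one wallet directory:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/oracle/QO1/112_64/dbs)))
-- The first execution creates ewallet.p12 and the master key (same statement BRSPACE
-- issues for action "create" on the demo slides).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- After every instance restart the wallet has to be opened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- STATUS must be OPEN

-- Step 2: the new encrypted tablespace. Without USING the default algorithm is AES128;
-- the algorithm is fixed at creation time (hence "rekey" = new tablespace + move).
CREATE TABLESPACE psapsr3sensenc
  DATAFILE '/oracle/QO1/sapdata4/sr3sensenc_1/sr3sensenc.data1' SIZE 200M AUTOEXTEND ON
  EXTENT MANAGEMENT LOCAL AUTOALLOCATE
  SEGMENT SPACE MANAGEMENT AUTO
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Step 3: move the sensitive segments. MOVE rewrites the table blocks in the encrypted
-- tablespace and leaves the indexes UNUSABLE; rebuild them into the encrypted tablespace
-- as well, because index leaf blocks hold the column values in clear text otherwise.
ALTER TABLE sapsr3.zsalary MOVE TABLESPACE psapsr3sensenc;
ALTER INDEX sapsr3."ZSALARY~0" REBUILD TABLESPACE psapsr3sensenc;

-- Check: nothing of the table stayed behind and no index is left unusable.
SELECT segment_name, segment_type, tablespace_name
  FROM dba_segments
 WHERE owner = 'SAPSR3' AND segment_name LIKE 'ZSALARY%';
SELECT index_name, status
  FROM dba_indexes
 WHERE owner = 'SAPSR3' AND table_name = 'ZSALARY' AND status <> 'VALID';   -- expect no rows

-- Step 4: once the old tablespace holds no segments, drop it but keep the datafiles
-- (BRSPACE option -KDF). The clear-text blocks are still on disk at this point.
SELECT COUNT(*) AS remaining_segments
  FROM dba_segments
 WHERE tablespace_name = 'PSAPSR3SENS';                                      -- must be 0
DROP TABLESPACE psapsr3sens INCLUDING CONTENTS KEEP DATAFILES;

-- Step 5 happens outside SQL: securely overwrite the kept datafiles with an OS method and
-- delete them. Finally confirm what the database itself now reports as encrypted.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name LIKE 'PSAPSR3SENS%';
SELECT ts#, encryptionalg, encryptedts FROM v$encrypted_tablespaces;
```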

Transparent Data Encryption: Recommendations
- Do not misuse TDE as an authorization method
- Do not encrypt all your data, only the data which needs to be protected
- To avoid data loss: NEVER LOSE YOUR WALLET!! BACK UP YOUR WALLET!! NEVER FORGET OR LOSE YOUR WALLET PASSWORD!

Transparent Data Encryption: Rekey
Rekey operations (column level):
- Master key: not too often (regularly / once a year); the maximum number of TDE master keys is limited (by the wallet size)
- Column key: depending on your regulations; requires a full table update
Rekey operations (tablespace level):
- Create a new encrypted tablespace and move the segments into the new tablespace

Transparent Data Encryption (TDE) in SAP Environments

Transparent Data Encryption: Recommendations (cont'd)
Wallet management:
- Change the wallet password via Wallet Manager or BRSPACE
- One encryption wallet per database
- Do not use an autologin wallet
- No support for multiple encryption_wallet_location entries: only one wallet location in sqlnet.ora

TDE in an SAP environment: TDE candidates
- Do NOT encrypt tables belonging to the SAP core application: the SAP system should be startable without the wallet
- Do not encrypt tables used by BR*Tools
- Do not encrypt all tables (~100 should be enough)
- When a column is used in an index: non-salted
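The column-level restriction checks from the configuration steps (supported data type? used in an index?) and the non-salted rule above, as an added example of the dictionary queries a DBA would run before encrypting a candidate column on 11.2. Not code from the deck; SAPSR3.ZCREDITCARD.CARDNO is an assumed placeholder table and column.

```sql
-- Added example: pre-checks for a column-level TDE candidate on Oracle 11.2.
-- SAPSR3.ZCREDITCARD.CARDNO is a placeholder; substitute the real owner/table/column.

-- 1. Data type: column-level TDE supports the types below; LONG, LONG RAW, BFILE and
--    BasicFile LOBs among others cannot be encrypted per column (use tablespace TDE).
SELECT column_name, data_type,
       CASE WHEN data_type IN ('CHAR', 'NCHAR', 'VARCHAR2', 'NVARCHAR2', 'NUMBER', 'FLOAT',
                               'DATE', 'RAW', 'BINARY_FLOAT', 'BINARY_DOUBLE')
              OR data_type LIKE 'TIMESTAMP%'
              OR data_type LIKE 'INTERVAL%'
            THEN 'supported' ELSE 'NOT supported' END AS tde_column
  FROM dba_tab_columns
 WHERE owner = 'SAPSR3' AND table_name = 'ZCREDITCARD' AND column_name = 'CARDNO';

-- 2. Index usage: any row here means the column has to be encrypted NO SALT and the index
--    will only serve equality predicates afterwards. Only regular B-tree indexes are
--    allowed on an encrypted column, so an INDEX_TYPE other than NORMAL is a blocker.
SELECT i.index_name, i.index_type, i.uniqueness
  FROM dba_ind_columns ic
  JOIN dba_indexes i ON i.owner = ic.index_owner AND i.index_name = ic.index_name
 WHERE ic.table_owner = 'SAPSR3' AND ic.table_name = 'ZCREDITCARD'
   AND ic.column_name = 'CARDNO';

-- 3. Foreign keys: a column that is part of a referential constraint cannot be encrypted.
SELECT c.constraint_name, c.table_name
  FROM dba_constraints c
  JOIN dba_cons_columns cc ON cc.owner = c.owner AND cc.constraint_name = c.constraint_name
 WHERE c.owner = 'SAPSR3' AND c.table_name = 'ZCREDITCARD'
   AND cc.column_name = 'CARDNO' AND c.constraint_type = 'R';

-- Encrypt NO SALT because step 2 found an index; leave the default SALT otherwise.
-- The wallet must be open, and the statement rewrites every row of the table.
ALTER TABLE sapsr3.zcreditcard MODIFY (cardno ENCRYPT NO SALT);

-- Rotating the column key later is again a full table rewrite (see the rekey slide).
ALTER TABLE sapsr3.zcreditcard REKEY;

-- Confirm the result: one row per encrypted column, including algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'SAPSR3'
 ORDER BY table_name, column_name;
```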

TDE Support in SAP BR*Tools (10.2)
- Backup of the Oracle wallet (brbackup)
- Restore of the Oracle wallet (brrestore)
- Wallet name: ewallet.p12
- Wallet location in an SAP environment: in sqlnet.ora, encryption_wallet_location must be set to $ORACLE_HOME/dbs (Unix) or $ORACLE_HOME/database (Windows)
- The auto-login wallet (cwallet.sso) is not supported by BR*Tools

TDE Support in SAP BR*Tools (11.2)
SAP note 1279682 (brspace -f mdencr):
- Open wallet / close wallet
- Create wallet / delete wallet
- Save wallet
- Change wallet password
- Create new master key
- Rekey table
- Enable auto-open wallet / disable auto-open wallet
- Display wallet information / wallet status
- Get list of encrypted table columns
- Get list of encrypted tablespaces
- Automatic management of wallet copies, backups and password verifications

TDE Support in SAP BR*Tools (11.2)
    isi055:oraqo1 293> brtools -V
    BR0651I BRTOOLS 7.20 (10)
    Patch  Date        Info
    1      2010-01-26  BR*Tools support for Oracle 11g (note 1430669)
    9      2010-10-27  BR*Tools support for esourcing databases (note 1523205)
    release note 1428529
    kernel release 720
    patch date 2010-11-24
    patch level 10
    make platform rs6000_64
    make mode OCI_102
    make date Jan 5 2011
    isi055:oraqo1 294>

TDE Support in SAP BR*Tools (11.2)
DEMO: Create encryption wallet

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    BR*Tools main menu
    1 = Instance management
    2 - Space management
    3 - Segment management
    4 - Backup and database copy
    5 - Restore and recovery
    6 - Check and verification
    7 - Database statistics
    8 - Additional functions
    9 - Exit program
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice:

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Database instance management
    1 = Start up database
    2 - Shut down database
    3 - Alter database instance
    4 - Alter database parameters
    5 - Recreate database
    6 - Manage online redolog
    7 - Manage data encryption
    8 - Show instance status
    9 - Show database parameters
    10 - Show database owners
    11 - Reset program status
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice: 7

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    BRSPACE options for manage data encryption
    1 - BRSPACE profile (profile)... [initqo1.sap]
    2 - Database user/password (user)... [/]
    3 ~ Manage encryption action (action)... []
    4 ~ Encrypted tables for re-key (table). []
    5 - Confirmation mode (confirm)... [yes]
    6 - Extended output (output)... [no]
    7 - Message language (language)... [E]
    8 - BRSPACE command line (command)... [-p initqo1.sap -l E -f mdencr]
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice: 3
    BR0280I BRTOOLS time stamp: 2011-01-18 17.37.54
    BR0663I Your choice: '3'
    BR0681I Enter string value for "action" (open close create delete save newkey rekey enable disable display show list) []:

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Manage data encryption main menu
    1 - Open encryption wallet
    2 - Close encryption wallet
    3 - Create encryption wallet
    4 - Delete encryption wallet
    5 - Save encryption wallet
    6 - Change wallet password
    7 - Generate new master key
    8 - Re-key encrypted tables
    9 + Additional actions
    10 = Exit program
    11 - Reset program status
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Options for managing data encryption of database QO1
    1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12]
    2 * Database auto-open wallet (auto_wallet). []
    3 * Database wallet status (status)... [NOT_AVAIL]
    4 * Manage encryption action (action)... [create]
    5 # Encrypted tables for re-key (table)... []
    6 - Wallet password (password)... [*********]
    7 # New wallet password (newpass)... []
    8 # Encryption algorithm (algorithm)... []
    9 # Force re-key action (force)... [no]
    10 # Local auto-open wallet (local)... [yes]
    11 - SQL command (command)... [alter system set encryption key identified by "*********"]
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice:

TDE Support in SAP BR*Tools (11.2)
    SQL> select * from v$encryption_wallet;

    WRL_TYPE   WRL_PARAMETER            STATUS
    ---------  -----------------------  ---------
    file       /oracle/qo1/112_64/dbs   CLOSED

TDE Support in SAP BR*Tools (11.2)
    BR0280I BRSPACE time stamp: 2011-01-18 18.01.44
    BR0663I Your choice: 'c'
    BR0259I Program execution will be continued...
    BR0280I BRSPACE time stamp: 2011-01-18 18.01.44
    BR0370I Directory /oracle/qo1/sapwallet created
    BR0370I Directory /oracle/qo1/sapwallet/sefarbnu created
    BR0280I BRSPACE time stamp: 2011-01-18 18.01.45
    BR1016I SQL statement 'alter system set encryption key identified by "*********"' executed successfully
    BR1714I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 created successfully
    BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12
    BR0203I to /oracle/qo1/112_64/dbs/ewallet.cpy...
    BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12
    BR0203I to /oracle/qo1/sapwallet/sefarbnu/ewallet.new...
    BR0280I BRSPACE time stamp: 2011-01-18 18.01.45
    BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE:

TDE Support in SAP BR*Tools (11.2)
    isi055:oraqo1 384> ls -l $ORACLE_HOME/dbs
    total 184
    -rw-r--r--  1 oraqo1 dba  1573 Jan 18 18:01 ewallet.cpy
    -rw-r--r--  1 oraqo1 dba  1573 Jan 18 18:01 ewallet.p12
    -rw-rw----  1 oraqo1 dba  1544 Jan 14 09:44 hc_dbua0.dat
    -rw-rw----  1 oraqo1 dba  1544 Jan 18 18:00 hc_qo1.dat
    -rw-r--r--  1 oraqo1 dba  2851 May 15  2009 init.ora
    -rw-r-----  1 oraqo1 dba   999 Jan 14 09:47 initqo1.ora
    -rw-r-xr-x  1 oraqo1 dba 21821 Sep 22 16:58 initqo1.sap
    -rw-r-----  1 oraqo1 dba    24 Jan 11 15:26 lkqo1
    -rwsr-----  1 oraqo1 dba  2048 Jan 14 09:47 orapwqo1
    -rw-r-----  1 oraqo1 dba  5632 Jan 14 10:05 spfileqo1.ora
    isi055:oraqo1 385>

TDE Support in SAP BR*Tools (11.2)
    SQL> select * from v$encryption_wallet;

    WRL_TYPE   WRL_PARAMETER            STATUS
    ---------  -----------------------  ---------
    file       /oracle/qo1/112_64/dbs   OPEN

TDE Support in SAP BR*Tools (11.2)
DEMO: Open/close wallet

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Options for managing data encryption of database QO1
    1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12]
    2 * Database auto-open wallet (auto_wallet). []
    3 * Database wallet status (status)... [OPEN]
    4 * Manage encryption action (action)... [close]
    5 # Encrypted tables for re-key (table)... []
    6 - Wallet password (password)... [*********]
    7 # New wallet password (newpass)... []
    8 # Encryption algorithm (algorithm)... []
    9 # Force re-key action (force)... [no]
    10 # Local auto-open wallet (local)... [yes]
    11 - SQL command (command)... [alter system set encryption wallet close identified by "*********"]
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice:

TDE Support in SAP BR*Tools (11.2)
    BR0662I Enter your choice: c
    BR0280I BRSPACE time stamp: 2011-01-19 16.43.27
    BR0663I Your choice: 'c'
    BR0259I Program execution will be continued...
    BR0280I BRSPACE time stamp: 2011-01-19 16.43.27
    BR1016I SQL statement 'alter system set encryption wallet close identified by "*********"' executed successfully
    BR1713I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 closed successfully
    BR0280I BRSPACE time stamp: 2011-01-19 16.43.27
    BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE:

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Options for managing data encryption of database QO1
    1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12]
    2 * Database auto-open wallet (auto_wallet). []
    3 * Database wallet status (status)... [CLOSED]
    4 * Manage encryption action (action)... [open]
    5 # Encrypted tables for re-key (table)... []
    6 - Wallet password (password)... [*********]
    7 # New wallet password (newpass)... [******]
    8 # Encryption algorithm (algorithm)... []
    9 # Force re-key action (force)... [no]
    10 # Local auto-open wallet (local)... [yes]
    11 - SQL command (command)... [alter system set encryption wallet open identified by "*********"]
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice: c

TDE Support in SAP BR*Tools (11.2)
    BR0280I BRSPACE time stamp: 2011-01-19 16.44.04
    BR0663I Your choice: 'c'
    BR0259I Program execution will be continued...
    BR0280I BRSPACE time stamp: 2011-01-19 16.44.04
    BR1016I SQL statement 'alter system set encryption wallet open identified by "*********"' executed successfully
    BR1712I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 opened successfully
    BR0280I BRSPACE time stamp: 2011-01-19 16.44.04
    BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE:

TDE Support in SAP BR*Tools (11.2)
DEMO: Change wallet password

TDE Support in SAP BR*Tools (11.2)
    ----------------------------------------------------------------------
    Options for managing data encryption of database QO1
    1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12]
    2 * Database auto-open wallet (auto_wallet). []
    3 * Database wallet status (status)... [OPEN]
    4 * Manage encryption action (action)... [chpass]
    5 # Encrypted tables for re-key (table)... []
    6 - Wallet password (password)... [*********]
    7 - New wallet password (newpass)... [***********]
    8 # Encryption algorithm (algorithm)... []
    9 # Force re-key action (force)... [no]
    10 # Local auto-open wallet (local)... [yes]
    11 # SQL command (command)... []
    Standard keys: c - cont, b - back, s - stop, r - refr, h - help
    ----------------------------------------------------------------------
    BR0662I Enter your choice:

TDE Support in SAP BR*Tools (11.2)
    BR0662I Enter your choice: c
    BR0280I BRSPACE time stamp: 2011-01-19 16.46.34
    BR0663I Your choice: 'c'
    BR0259I Program execution will be continued...
    BR0280I BRSPACE time stamp: 2011-01-19 16.46.34
    BR0370I Directory /oracle/qo1/sapwallet/sefavtab created
    BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12
    BR0203I to /oracle/qo1/sapwallet/sefavtab/ewallet.old...
    BR0280I BRSPACE time stamp: 2011-01-19 16.46.44
    BR1722I Encryption wallet password changed successfully
    BR1705I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 is open

TDE Support in SAP BR*Tools (11.2)
    BR1721I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 will be closed and reopened now
    BR0280I BRSPACE time stamp: 2011-01-19 16.46.44
    BR0675I This is a recommended action - do you want to execute it now?
    BR0676I Enter 'y[es]/c[ont]' to execute the action, 'n[o]' to skip it, 's[top]' to abort: y
    BR0280I BRSPACE time stamp: 2011-01-19 16.47.04
    BR1713I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 closed successfully
    BR0280I BRSPACE time stamp: 2011-01-19 16.47.04
    BR1712I Encryption wallet /oracle/qo1/112_64/dbs/ewallet.p12 opened successfully
    BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12
    BR0203I to /oracle/qo1/112_64/dbs/ewallet.cpy...
    BR0202I Copying /oracle/qo1/112_64/dbs/ewallet.p12
    BR0203I to /oracle/qo1/sapwallet/sefavtab/ewallet.new...

TDE Support in SAP BR*TOOLS (11.2)

DEMO: Create auto-open wallet

TDE Support in SAP BR*TOOLS (11.2)

  isi055:oraqo1 388> ls -ltr
  total 184
  -rw-r--r-- 1 oraqo1 dba  2851 May 15  2009 init.ora
  -rw-r-xr-x 1 oraqo1 dba 21821 Sep 22 16:58 initqo1.sap
  -rw-r----- 1 oraqo1 dba    24 Jan 11 15:26 lkqo1
  -rw-r----- 1 oraqo1 dba  5632 Jan 14 10:05 spfileqo1.ora
  -rw------- 1 oraqo1 dba  1574 Jan 19 16:48 ewallet.p12
  -rw-r--r-- 1 oraqo1 dba  1574 Jan 19 16:48 ewallet.cpy
  -rw-rw---- 1 oraqo1 dba  1544 Jan 19 16:48 hc_qo1.dat
  isi055:oraqo1 389>

TDE Support in SAP BR*TOOLS (11.2)

  -------------------------------------------------------------
  Additional data encryption actions
  1 - Enable auto-open wallet
  2 - Disable auto-open wallet
  3 - Display database wallet info
  4 - Show encryption status
  5 - List encrypted tables/columns
  6 - List encrypted tablespaces
  7 - Main actions
  Standard keys: c - cont, b - back, s - stop, r - refr, h - help
  -------------------------------------------------------------

TDE Support in SAP BR*TOOLS (11.2)

  ----------------------------------------------------------------------
  Options for managing data encryption of database QO1
   1 * Database encryption wallet (wallet)... [/oracle/qo1/112_64/dbs/ewallet.p12]
   2 * Database auto-open wallet (auto_wallet). []
   3 * Database wallet status (status)... [OPEN]
   4 * Manage encryption action (action)... [enable]
   5 # Encrypted tables for re-key (table)... []
   6 - Wallet password (password)... [*********]
   7 # New wallet password (newpass)... []
   8 # Encryption algorithm (algorithm)... []
   9 # Force re-key action (force)... [no]
  10 - Local auto-open wallet (local)... [yes]
  11 # SQL command (command)... []
  Standard keys: c - cont, b - back, s - stop, r - refr, h - help
  ----------------------------------------------------------------------
  BR0662I Enter your choice: c

TDE Support in SAP BR*TOOLS (11.2)

  BR0662I Enter your choice: c
  BR0280I BRSPACE time stamp: 2011-01-19 16.51.52
  BR0663I Your choice: 'c'
  BR0259I Program execution will be continued...
  BR0280I BRSPACE time stamp: 2011-01-19 16.52.01
  BR1726I Local auto-open wallet /oracle/qo1/112_64/dbs/cwallet.sso enabled successfully
  BR0280I BRSPACE time stamp: 2011-01-19 16.52.01
  BR0256I Enter 'c[ont]' to continue, 's[top]' to cancel BRSPACE:

TDE Support in SAP BR*TOOLS (11.2)

  isi055:oraqo1 389> ls -ltr
  -rw------- 1 oraqo1 dba 1574 Jan 19 16:48 ewallet.p12
  -rw-r--r-- 1 oraqo1 dba 1574 Jan 19 16:48 ewallet.cpy
  -rw-rw---- 1 oraqo1 dba 1544 Jan 19 16:49 hc_qo1.dat
  -rw------- 1 oraqo1 dba 1651 Jan 19 16:52 cwallet.sso
  isi055:oraqo1 390>

Orapki (11.2)

orapki is a command line tool for wallet management. Here are some orapki command line options:

  OS> orapki wallet help
  OS> orapki wallet display -wallet $ORACLE_HOME/dbs
  OS> orapki wallet change_pwd -wallet <wallet_location> [-oldpwd <oldpwd> -newpwd <newpwd>]

Attention: you enter the new password just once. To close the wallet, you need to use the old password from before the change.

  OS> orapki wallet create -wallet <wallet_location> -auto_login
  OS> orapki wallet create -wallet <wallet_location> -auto_login_local
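The directory listings above show ewallet.p12 and cwallet.sso at mode 0600 but the BRSPACE copy ewallet.cpy at 0644, and the auto-open wallet lets anyone who can read it open the TDE master key without a password. As an added example (not from the presentation, BR*Tools or orapki), a small Python audit of a wallet directory that flags these two conditions; the file names are taken from the slides, the sample directory and the expected mode are constructed.

```python
import os
import stat
import tempfile

# Any group or other permission bit on a wallet file is a finding (assumed policy).
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_wallet_dir(path):
    """Return a sorted list of (file name, finding) for TDE wallet files in `path`.

    Only files named ewallet.* (password wallet and its copies) and cwallet.sso
    (auto-open wallet) are inspected; other files in $ORACLE_HOME/dbs are ignored.
    """
    findings = []
    for name in sorted(os.listdir(path)):
        if not (name.startswith("ewallet.") or name == "cwallet.sso"):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode & GROUP_OR_OTHER:
            findings.append((name, "mode %04o grants group/other access" % mode))
        if name == "cwallet.sso":
            findings.append((name, "auto-open wallet present: readable copy opens "
                                   "the master key without a password"))
    return findings


def make_sample_dir():
    """Construct a directory mirroring the slide listing (placeholder contents,
    not real wallets): ewallet.p12 0600, ewallet.cpy 0644, cwallet.sso 0600."""
    d = tempfile.mkdtemp()
    for name, mode in (("ewallet.p12", 0o600), ("ewallet.cpy", 0o644),
                       ("cwallet.sso", 0o600), ("hc_qo1.dat", 0o660)):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"constructed placeholder, not a wallet")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for name, finding in audit_wallet_dir(make_sample_dir()):
        print("%-12s %s" % (name, finding))
```

Run against a real $ORACLE_HOME/dbs the same function reports the ewallet.cpy copy, which BRSPACE leaves world-readable in the listing above, and the presence of cwallet.sso.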

Database Vault (DV)

Oracle Database 11g Release 2 for SAP - Security Aspects

- Data Access via SAP Interface: SAP User & Privilege Management (data shown in clear: ABCDEFG)

Oracle Database 11g Release 2 for SAP - Security Aspects

- Data Access via SAP Interface: SAP User & Privilege Management
- Direct Data Access via File Read: Oracle Advanced Security: Encryption (data shown encrypted: $8u?_3#)

Oracle Database 11g Release 2 for SAP - Security Aspects

- Data Access via SAP Interface: SAP User & Privilege Management
- Direct Data Access via File Read: Oracle Advanced Security: Encryption
- Direct Data Access via SQL Interface: Oracle Database Vault: Access Control

Oracle Database Security for SAP - Overview

Transparent Data Encryption
  OS> SQLPLUS / AS SYSDBA
  SQL> SELECT * FROM SAPSR3.<table>;
  [Decrypted Result Set]

Database Vault
  OS> SQLPLUS / as SYSDBA
  SQL> SELECT * FROM SAPSR3.<table>;
  ORA-01031: insufficient privileges

Oracle 10g Advanced Security

- Application <-> Database Server Instance: Network Encryption. Supported since February 2007, see SAP Note 973450
- Database Files: Transparent Data Encryption. Supported since February 2007, see SAP Note 974876
- Database Backup: Backup Set Encryption using Oracle Recovery Manager (RMAN). See SAP Note 1324684

Oracle 11g Advanced Encryption

- Column Encryption through TDE
- Client-Server (SAP App Server to Database) Network Encryption
- Tablespace Encryption
- DG Secure Network Transport
- RMAN Backup Encryption
- Expdp Encryption
- SecureFile (unstructured LOB data) encryption

Oracle Database Vault Addresses

- Compliance Regulations
- Insider Threats
- Need for Flexible Security Policies
- Consolidation Concerns
- Outsourcing Concerns

Oracle Database Vault Concepts

Database Vault does not change:
- Access rights based on DB object privileges
- Access rights based on application-specific rules
- Access rights based on operating system privileges (e.g. root, Oracle owner)

Database Vault does:
- Prevent data access based on DB system privileges (DBA role, SELECT ANY TABLE, UPDATE ANY TABLE, ...)
- Replace these access rights by more flexible ones that are based on principles such as separation of duties, dual key security, etc.

Oracle Database Vault for SAP - Separation of Duties

- Application DBA: ALTER, DROP on SOME_APP objects
- Application Users: run application, SELECT on SOME_APP objects

Standard Database Vault

Standard Database Vault comes with:
- Everything needed to protect itself
- Everything needed to protect database system data (data dictionary)

Standard Database Vault:
- In most cases not ready to use
- Needs definition of additional policy components according to application needs and customer security requirements

Standard Database Vault - Default Realms

Database Vault for SAP

Oracle Database Vault for SAP:
- One of several application-specific DV policy implementations delivered by Oracle in addition to Standard DV
- Makes use of the lessons learned in previous application-specific policy implementations
- Can be enhanced by customer-specific policy components

Oracle Database Vault for SAP - Delivered Security Policies

  Protection                              | Realm Owner             | Protects
  ----------------------------------------|-------------------------|---------------------------------------------------------------
  Protection Realm for ABAP Stack         | SAP Application Account | SAP business data
  Protection Realm for Java Stack         | SAP Application Account | SAP business data
  Protection Realm for SAP BR*Tools       | SAPDBA Role             | DB objects needed by SAP BR*Tools
  Credential Protection Realm             | SAPCRED Role            | Data needed for credential management
  Protection Realm for SAP Admin Roles    | SAPACCTMGR              | SAP administration roles (SAPCONN, SAPDBA, SAPCRED, SAPSYS)

Highly privileged users

- Privileges: access to all data in the database
- Encryption does not help here
- This is not an Oracle-only problem. Typical approach: companies trust their DBAs.
- Oracle offers a solution with Database Vault
- Oracle is the only software vendor with such a solution

Oracle Database Vault - Two main components

- Realms: protect objects from unauthorized access
- Command Rules with Rule Sets: restrict the execution of commands

Database Vault (DV) in SAP Environments

Oracle Database Vault for SAP

Oracle Database Accounts in SAP - Separation of Duty Mapping

  User Name                | User Status | Responsibility
  -------------------------|-------------|----------------------------------------------------
  SAP<SAPSID>              | OPEN        | SAP application account for ABAP stack
  SAP<SAPSID>DB            | OPEN        | SAP application account for Java stack
  SECADMIN                 | OPEN        | Database Vault Security Administrator
  SECANALYST               | OPEN        | Optional account for Database Vault reporting
  SECACCTMGR               | OPEN        | Database Vault Account Manager
  SAPACCTMGR               | OPEN        | Password Management for SAP accounts
  OPS$SAPSERVICE<SID>      | OPEN        | SAP Database Administration account
  OPS$ORA<SID>             | OPEN        | SAP Database Administration account
  OPS$<SID>ADM             | OPEN        | SAP Database Administration account
  SUPPORT_DBA              | LOCKED      | To be used by Oracle Support and in emergency

DV Protection

Database Vault - Show Protection: Realm Protection

  SECADMIN SQL> select * from sapsr3.t100;
  select * from sapsr3.t100
                       *
  ERROR at line 1:
  ORA-00942: table or view does not exist

  SECADMIN SQL> conn / as sysdba
  Connected.
  SYS AS SYSDBA SQL> select * from sapsr3.t100;
  select * from sapsr3.t100
                       *
  ERROR at line 1:
  ORA-01031: insufficient privileges

  SYS AS SYSDBA SQL>

Database Vault - Show Protection: Command Rule

  SYS AS SYSDBA SQL> conn sapsr3
  Enter password:
  ERROR:
  ORA-47400: Command Rule violation for CONNECT on LOGON

  Warning: You are no longer connected to ORACLE.
  SQL>
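The two sessions above show the rule stated on the concepts slide: a realm ignores system privileges such as SELECT ANY TABLE (SYS gets ORA-01031) but leaves object privileges untouched, and an account with no privilege at all still gets ORA-00942. As an added illustration (not Oracle's or SAP's code, and not how the Database Vault engine is implemented), a constructed Python model of that decision; the accounts, privileges and realm membership below are assumptions for the example.

```python
from dataclasses import dataclass, field

# System privilege that would otherwise grant each action on any table.
ANY_PRIV = {"SELECT": "SELECT ANY TABLE", "UPDATE": "UPDATE ANY TABLE",
            "DELETE": "DELETE ANY TABLE", "INSERT": "INSERT ANY TABLE"}


@dataclass
class Realm:
    name: str
    objects: set               # protected objects, e.g. {"SAPSR3.T100"}
    authorized: set            # accounts/roles allowed to use system privileges inside


@dataclass
class Account:
    name: str
    system_privs: set = field(default_factory=set)    # e.g. {"SELECT ANY TABLE"}
    object_privs: dict = field(default_factory=dict)  # {"SAPSR3.T100": {"SELECT"}}
    roles: set = field(default_factory=set)


def check_access(user, action, obj, realms):
    """Return 'OK' or the ORA message the slides show for a table access."""
    owner = obj.split(".")[0]
    # 1. Ownership and object privileges: Database Vault does not change these.
    if owner == user.name or action in user.object_privs.get(obj, set()):
        return "OK"
    # 2. System-privilege path: blocked for realm objects unless realm-authorised.
    if ANY_PRIV.get(action) in user.system_privs:
        blocking = [r for r in realms if obj in r.objects
                    and user.name not in r.authorized
                    and not (user.roles & r.authorized)]
        if not blocking:
            return "OK"
        return "ORA-01031: insufficient privileges"     # realm violation
    # 3. No privilege at all: the object is not even visible.
    return "ORA-00942: table or view does not exist"


# Constructed sample: the ABAP realm from the policy slide, with only the
# SAP application account authorised inside it.
ABAP_REALM = Realm("Protection Realm for ABAP Stack", {"SAPSR3.T100"}, {"SAPSR3"})
SYS = Account("SYS", system_privs={"SELECT ANY TABLE", "UPDATE ANY TABLE"})
SECADMIN = Account("SECADMIN")
SAPSR3 = Account("SAPSR3")
REPORTER = Account("REPORTER", object_privs={"SAPSR3.T100": {"SELECT"}})


def demo():
    """Decisions for the four sample accounts on SAPSR3.T100 and an unprotected table."""
    return {
        "SYS on realm table": check_access(SYS, "SELECT", "SAPSR3.T100", [ABAP_REALM]),
        "SYS on other table": check_access(SYS, "SELECT", "SCOTT.EMP", [ABAP_REALM]),
        "SECADMIN": check_access(SECADMIN, "SELECT", "SAPSR3.T100", [ABAP_REALM]),
        "SAPSR3 (owner)": check_access(SAPSR3, "SELECT", "SAPSR3.T100", [ABAP_REALM]),
        "REPORTER (object priv)": check_access(REPORTER, "SELECT", "SAPSR3.T100", [ABAP_REALM]),
        "REPORTER update": check_access(REPORTER, "UPDATE", "SAPSR3.T100", [ABAP_REALM]),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print("%-24s %s" % (who, result))
```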

Database Vault - Show Protection

DV SAP Policy Configuration

Database Vault SAP Policy

SAP Note 1502374 - Database Vault Policy Scripts for SAP (11.2)
- DV policy scripts for SAP for configuration and administration
- Main script: dv_policy.sql
- Delivered as patch p9656644_112020_generic.zip
- Gets installed into <ORACLE_HOME>/sap/ora_dbvault
- Run by Security administrator SECADMIN
- SECADMIN needs access to the database on OS level to run the scripts: create a separate OS account
- Example: sqlplus secadmin/ @dv_policy policy create

Database Vault SAP Policy - Supported options

  SECADMIN SQL> @dv_policy help
  DVINFO:
  DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP *****
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: The selected action is <help>.
  DVINFO: Usage:
  To manage Oracle Database Vault policies for SAP connect to the database from sqlplus
  as SECADMIN user or as another user with DV_ADMIN or DV_OWNER privilege and run
  dv_policy.sql as follows:
  OS> sqlplus <user>[/<pwd>] @dv_policy <action> [<option>]

Database Vault SAP Policy - Supported options

Supported main actions:
  policy create   -> Create Database Vault Default Policies for SAP
  policy delete   -> Delete Database Vault Default Policies for SAP
  policy enable   -> Enable Database Vault Default Policies for SAP
  policy disable  -> Disable Database Vault Default Policies for SAP
  policy status   -> Show current configuration status
  help / ?        -> Show this help
  version         -> Show version info

Database Vault SAP Policy - Supported options

Supported actions for DV administration:
  patch enable    -> Enable user SYS to patch the database
  patch disable   -> Disable user SYS to patch the database
  patch status    -> Show user SYS' patch status
  export enable   -> Enable user BRTDBA for data export
  export disable  -> Disable user BRTDBA for data export
  import enable   -> Enable user BRTDBA for data import
  import disable  -> Disable user BRTDBA for data import
  export status   -> Show current export/import status

Database Vault SAP Policy - Supported options

  sapdba_role_install enable   -> Enable user SYS to install SAPDBA role
  sapdba_role_install disable  -> Disable user SYS to install SAPDBA role
  commandrule connect enable   -> Enable CONNECT command rule
  commandrule connect disable  -> Disable CONNECT command rule
  commandrule grant enable     -> Enable GRANT command rule
  commandrule grant disable    -> Disable GRANT command rule
  default_realms enable        -> Enable Database Vault Default Realms
  default_realms disable       -> Disable Database Vault Default Realms
  default_realms status        -> Status of Database Vault Default Realms
  support_access enable        -> Enable SAP support access
  support_access disable       -> Disable SAP support access

Database Vault SAP Policy - Install SAP DV Policy

DEMO: Install SAP-specific Database Vault Protection

Database Vault SAP Policy - Install SAP DV Policy

  SECADMIN SQL> @dv_policy policy create
  DVINFO:
  DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP *****
  DVINFO:
  DVINFO: Current date : 2011-01-19 18:57:59
  DVINFO: Version      : 11.2.0.2
  DVINFO: Build        : 003
  DVINFO: Release date : 2010-Nov-05
  DVINFO: Copyright (c) Oracle Corporation 2010. All Rights Reserved.
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: The selected action is <policy create>.
  DVINFO:
  DVINFO: ***** Database platform information *****
  DVINFO: Operating system  : HP-UX IA (64-bit)(4)
  DVINFO: Platform category : UNIX
  DVINFO: Unix platform     : YES

Database Vault SAP Policy - Install SAP DV Policy

  DVINFO: ***** Database Account Information *****
  DVINFO: OPS$<SAPSID>ADM account(s):
  DVINFO:   OPS$QO1ADM
  DVINFO: OPS$ORA<DBSID> account(s):
  DVINFO:   OPS$ORAQO1
  DVINFO: OPS$SAPSERVICE account(s):
  DVINFO:   OPS$QO1ADM
  DVINFO:   OPS$SAPSERVICEQO1
  DVINFO:   OPS$SR3ADM
  DVINFO: SAP Application user(s) (ABAP stack)
  DVINFO:   SAPSR3 (ABAP stack) OPEN
  DVINFO:   SAPSR5 (ABAP stack) OPEN
  DVINFO: SAP Application user(s) (JAVA stack)
  DVINFO:   No users found.

Database Vault SAP Policy - Install SAP DV Policy

  DVINFO: ***** Creating DV rules *****
  DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (1-sidadm)>
  DVINFO: Rule created.
  DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (2-orasid)>
  DVINFO: Rule created.
  DVINFO: Rule name: <Allow SAP BR*Tools Processes Access for CONNECT command rule (3-sapservicesid)>
  DVINFO: Rule created.
  DVINFO: Rule name: <Allow ABAP SAP Application Processes Access for CONNECT command rule>
  DVINFO: Rule created.
  DVINFO: Rule name: <Allow SAP Administrators Access for CONNECT command rule>
  DVINFO: Rule created.
  DVINFO: Rule name: <Allow SAP Administrators Access for GRANT command rule>
  DVINFO: Rule created.

Database Vault SAP Policy - Install SAP DV Policy: Steps

  DVINFO: ***** Creating DV rules *****...
  DVINFO: ***** Creating DV rule sets *****...
  DVINFO: ***** Adding DV rules to DV rule sets *****...
  DVINFO: ***** Creating DV realms *****...
  DVINFO: ***** Modifying DV Default realms *****...
  DVINFO: ***** Creating DV command rules *****...
  DVINFO: ***** Synchronizing rules *****...

Database Vault - Default Realms

Database Vault - SAP Realms (after policy create)

Database Vault SAP Policy - Installing a Patch (1/2)

  SECADMIN SQL> @dv_policy patch enable
  DVINFO:
  DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP *****
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: The selected action is <patch enable>.
  DVINFO:
  DVINFO: ***** Disabling GRANT command rule *****
  DVINFO: Command rule: <GRANT>
  DVINFO: Command rule disabled.
  DVINFO: ***** Enable Database Patching *****
  DVINFO: This action grants the DV_PATCH_ADMIN role to SYS.
  DVINFO: This enables SYS to patch the database.
  DVINFO: DV_PATCH_ADMIN role granted to SYS.
  DVINFO: SYS is now enabled to install database patches.
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: Database patching enabled.

Database Vault SAP Policy - Installing a Patch (2/2)

  SECADMIN SQL> @dv_policy patch disable
  DVINFO:
  DVINFO: ***** Oracle Database Vault 11.2 Policy for SAP *****
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: The selected action is <patch disable>.
  DVINFO:
  DVINFO: ***** Enabling GRANT command rule *****
  DVINFO: Command rule: <GRANT>
  DVINFO: Command rule enabled.
  DVINFO: ***** Disable Database Patching *****
  DVINFO: This action revokes the DV_PATCH_ADMIN role from SYS.
  DVINFO: DV_PATCH_ADMIN role revoked from SYS.
  DVINFO:
  DVINFO: ***** Action *****
  DVINFO: Database patching disabled.

DV Configuration and Administration with SAP-specific scripts

Database Vault Enable / Disable - chopt (11.2.0.1)

  OS> chopt
  usage:
  chopt <enable|disable> <option>
  options:
    dm = Oracle Data Mining RDBMS Files
    dv = Oracle Database Vault option
    lbac = Oracle Label Security
    olap = Oracle OLAP
    partitioning = Oracle Partitioning
    rat = Oracle Real Application Testing
  e.g. chopt enable rat
  OS>

Database Vault Enable / Disable - chopt (11.2.0.1)

  OS> chopt disable dv
  Writing to /oracle/qo1/112_64/install/disable_dv.log...
  %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk dv_off
  %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk ioracle
  OS>
  OS> chopt enable dv
  Writing to /oracle/qo1/112_64/install/enable_dv.log...
  %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk dv_on
  %s_unixosdmakepath% -f /oracle/qo1/112_64/rdbms/lib/ins_rdbms.mk ioracle
  OS>

Database Vault Enable / Disable - dv_status.sh / dv_enable.sh / dv_disable.sh

  OS> ./dv_status.sh
  Checking Status of Oracle Database Vault
  Oracle Database Vault is disabled.
  Oracle Label Security is enabled.
  OS>

  OS> ./dv_status.sh
  Checking Status of Oracle Database Vault
  Oracle Database Vault is enabled.
  Oracle Label Security is enabled.
  OS>

Database Vault Enable / Disable - dv_status.sh / dv_enable.sh / dv_disable.sh

  OS> ./dv_enable.sh
  Enabling Oracle Database Vault
  /usr/ccs/bin/ar d /oracle/qo1/112_64/rdbms/lib/libknlopt.a kzvndv.o
  /usr/ccs/bin/ar cr /oracle/qo1/112_64/rdbms/lib/libknlopt.a /oracle/qo1/112_64/rdbms/lib/kzvidv.o
  /usr/ccs/bin/ar cr /oracle/qo1/112_64/rdbms/lib/libknlopt.a /oracle/qo1/112_64/rdbms/lib/kzlilbac.o
  - Linking Oracle
  rm -f /oracle/qo1/112_64/rdbms/lib/oracle
  ...
  test ! -f /oracle/qo1/112_64/bin/oracle \
    || mv -f /oracle/qo1/112_64/bin/oracle /oracle/qo1/112_64/bin/oracleO
  mv /oracle/qo1/112_64/rdbms/lib/oracle /oracle/qo1/112_64/bin/oracle
  chmod 6751 /oracle/qo1/112_64/bin/oracle

Appendix

SAP Notes

SAP Notes on Transparent Data Encryption

SAP Support Portal: http://service.sap.com/notes
- Note 974876 - Transparent Data Encryption (TDE)
- Note 1324930 - Creating encrypted EXPDP exports with BRSPACE
- Note 1324684 - Creating encrypted RMAN backups using BR*Tools
- Note 1279682 - Support for Oracle data encryption in BR*Tools

SAP Notes on Oracle Network Encryption

SAP Support Portal: http://service.sap.com/notes
- Note 973450 - Oracle Advanced Security: Network encryption

SAP Notes on Database Vault

SAP Support Portal: http://service.sap.com/notes
- Note 1355140 - Using Oracle Database Vault in an SAP environment
- Note 1502377 - Enabling and Disabling Database Vault (11.2)
- Note 1503634 - FAQ: Oracle Database Vault
- Note 1502374 - Database Vault Policy Scripts for SAP (11.2)

SAP Notes on Secure Database Configuration

SAP Support Portal: http://service.sap.com/notes
- Note 834917 - Oracle Database 10g: New database role SAPCONN
- Note 1519872 - SAP Database User Profile SAPUPROF
- Note 1522952 - Password Complexity Verification Function

SAP Community Network

SAP on Oracle Database: http://www.sdn.sap.com/irj/sdn/ora

My Oracle Support Notes

My Oracle Support Notes on Transparent Data Encryption

https://support.oracle.com
- Master Note For Transparent Data Encryption [ID 1228046.1]
- 10g R2 New Feature TDE : Transparent Data Encryption [ID 317311.1]
- 10gR2: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE) [ID 317317.1]
- Quick and dirty TDE Setup and FAQ [ID 1251597.1]
- 11g New Feature : Transparent Data Encryption at Tablespace Level [ID 432776.1]

My Oracle Support Notes on Database Vault

https://support.oracle.com
- Master Note For Oracle Database Vault [ID 1195205.1]
- How To Enable And/Or Disable Oracle Database Vault [ID 453902.1]
- Installing Database Vault in a Data Guard Environment [ID 754065.1]
- How To Uninstall Or Reinstall Database Vault in 11g [ID 803948.1]

Learn More

http://support.oracle.com - search the Knowledge Base for "database vault" and "transparent data encryption"

Learn More

- http://search.oracle.com - search for "database security"
- Technology Overview, whitepapers and webinars: http://www.oracle.com/database/security and http://www.oracle.com/us/products/database/security/index.html
- Technical Information, Demos, Software on OTN: http://www.oracle.com/technetwork/database/security/index.html

Oracle Technology Network

Oracle Technology Network - TDE Best Practices

- January 2011 version of the TDE best practices paper: http://www.oracle.com/technetwork/database/security/twp-tra
- New support for TDE column encryption and TDE tablespace encryption with Oracle Golden Gate
- In the Dec. 2010 update, an ACFS access control policy in Oracle RAC 11.2.0.2 that only allows the Oracle instance access to the Oracle Wallet (neither the oracle user, nor 'root') was introduced.

Oracle Technology Network - Database Vault Best Practices

- DBA Administrative Best Practices with Oracle Database Vault: http://www.oracle.com/technetwork/database/security/twp-databasev

SEC_RITY IS NOT COMPLETE WITHOUT U!
