• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 586
  • Last Modified:

Secure Oracle Wallet

Looking for some best practice approach to secure oracle wallet, here is from Oracle:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13017

But need to secure at Exadata too, plus @ single instance db.

Would like to explore, what others are using/experiencing, because need to setup asap, and I think we  can not use ACFS, as recommended by Oracle, please share your thoughts, what are our best/possible options for Exadata & single instance too.

Thanks in advance.
Asked: Mushfique Khan
4 Solutions
 
btan (Exec Consultant) commented:
Likely you may consider looking at Oracle Key Vault for more collective key protection and management, since it can centrally manage both the Oracle Wallets and the TDE/ACFS master keys on Exadata. Indeed, the TDE master key can typically be stored in an Oracle Wallet or even in Oracle Key Vault itself.

If via the wallet, there is an Oracle practice in "Protecting the Oracle Wallet with ACFS access controls" (pg 21) which you can check out if you have not done so. It is implemented using the ACFS Security feature starting with Oracle Database 11.2.0.2 on Linux and 11.2.0.3 on Windows. The TDE Wallet can be protected by the realm too, so that the ‘oracle’ OS user, as well as ‘secadmin’ and ‘root’, have neither read nor write privileges on the TDE wallet; only the Oracle Database can open and close the wallet and re-key the TDE master encryption key.

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
0
 
Mushfique Khan (Director Operations, Author) commented:
Thanks for this, btan, but can you please share something on Exadata too: how to secure the same over there? Much appreciated.
0
 
btan (Exec Consultant) commented:
It is as mentioned in the PDF, "Protecting the Oracle Wallet with ACFS access controls" (pg 21); do check it out.
0

 
btan (Exec Consultant) commented:
Another useful ACFS reference is the one below; see pg 6 for protecting the TDE wallet on the ACFS file system. Quick summary steps are as below, and you can test access using just ls or vi, for example, on the TDE wallet as root or as the security administrator; it should reject the attempt with errors. This is due to the rule being set so that only the Oracle binary can access the wallet.
1. Create a realm to protect the wallet
2. Create a rule for the various application access only
3. Create a ruleset for the protected ACFS mount
4. Add the rule to the ruleset
5. Specify option ALL for the ruleset in the designated data wallet

http://www.oracle.com/technetwork/database/cloud-storage/acfs-security-encryption-514418.pdf
0
 
Mushfique Khan (Director Operations, Author) commented:
Thanks btan for these doc links, they are very helpful.

Just one last confirmation because, for single instance and RAC all looks good, but the same question for Exadata still has me confused, because in this FAQ/article:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A15035

Under How is the TDE wallet protected?

it is clearly saying: "but not Exadata X2)". Please advise.

Also, I don't know how to check my Exadata version; can you please tell me how to check whether my Exadata version is X2 or ... ?

And thanks again for your help.
0
 
btan (Exec Consultant) commented:
Thanks. It does make one wonder why the FAQ states that, and my reading of it is that ACFS is not supported on Exadata.
E.g. Exadata uses ASM, but it does not support ACFS, only DBFS. A forum thread (old though) also stated that ACFS requires LUNs to be presented to ASM, but Exadata presents Grid Disks, not LUNs. https://community.oracle.com/thread/1093038

Since the FAQ makes the statement as mentioned, I believe it may still be a valid stance that it is not supported for Exadata, though it states Exadata X2. Regardless, that will best be advised by Oracle support themselves, to give assurances on any changes over the many years... I see another blog states it too:
if the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC one node, multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is cluster file system on top of ASM and provides new Security features like excellent wallet protection and separation of duties.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml

Regardless, the TDE wallet is still supported on Exadata. Hence, in safeguarding the wallet, I see the additional aspect for Exadata is really to leverage the onboard AES-NI crypto card. It not only benefits from hardware crypto acceleration but also gives more tamper-proof storage of the key compared to just a file in file storage. Otherwise, there are no differences in the wallet checks, and the TDE best practice guide (2012) is still applicable; see the "TDE Wallet Management" section, just without the benefit of the ACFS additional access control. There is an "Exadata Database Machine" section in the guide too.
http://www.oracle.com/technetwork/database/focus-areas/security/twp-transparent-data-encryption-bes-130696.pdf&embedded=true

As for the version checking, I believe this thread will advise the command:
run "grep OneCommand /opt/oracle.SupportTools/onecommand/preconf.csv" from the first compute node.
https://community.oracle.com/thread/2511512
0
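Where ACFS realms are not available (the Exadata case discussed above, or a single-instance host kept on plain storage), the wallet is an ordinary file and its protection comes down to filesystem posture. The following audit script is an added example, not code from the thread or from Oracle; it assumes the wallet location is declared in sqlnet.ora as ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=...))) and flags the usual weaknesses (group/other access, wrong owner, an auto-login cwallet.sso that opens without a password).

```python
"""Audit the filesystem posture of an Oracle TDE wallet directory.
Added example (not the thread's or Oracle's code); assumes sqlnet.ora uses the
FILE method with a DIRECTORY value for ENCRYPTION_WALLET_LOCATION."""
import os
import re
import stat

# Pulls the DIRECTORY value out of the (possibly multi-line) wallet location entry.
WALLET_DIR_RE = re.compile(
    r"ENCRYPTION_WALLET_LOCATION.*?DIRECTORY\s*=\s*([^)\s]+)", re.S)

# Any permission bit for group or others is a finding: only the DB owner should reach the wallet.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def wallet_dir_from_sqlnet(sqlnet_ora_text):
    """Return the DIRECTORY of ENCRYPTION_WALLET_LOCATION, or None if not configured."""
    match = WALLET_DIR_RE.search(sqlnet_ora_text)
    return match.group(1) if match else None


def audit_wallet_dir(wallet_dir, expected_uid):
    """Return a list of findings for wallet_dir; an empty list means nothing was flagged.

    expected_uid is the uid of the database software owner (e.g. the 'oracle' OS user).
    """
    findings = []
    dir_stat = os.stat(wallet_dir)
    if dir_stat.st_uid != expected_uid:
        findings.append("directory not owned by the database software owner")
    if dir_stat.st_mode & GROUP_OTHER_BITS:
        findings.append("directory grants group/other access")
    for name in sorted(os.listdir(wallet_dir)):
        file_stat = os.stat(os.path.join(wallet_dir, name))
        mode = file_stat.st_mode & 0o777
        if file_stat.st_mode & GROUP_OTHER_BITS:
            findings.append(f"{name}: mode {oct(mode)} grants group/other access")
        if name == "cwallet.sso":
            # Auto-login wallet: anyone who can read it can open the wallet without
            # the password, so it must never travel with backups or data-file copies.
            findings.append("cwallet.sso present: auto-login wallet opens without a "
                            "password; keep it off backup media and data-file volumes")
    return findings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:  # path to sqlnet.ora
        wallet = wallet_dir_from_sqlnet(fh.read())
    for finding in audit_wallet_dir(wallet, os.getuid()):
        print("FINDING:", finding)
```

Run it as the database software owner against the instance's sqlnet.ora; it reads metadata only and changes nothing.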
 
Mushfique Khan (Director Operations, Author) commented:
Thanks btan, this is really great, but I need some time to look into it.

But I need a favor, btan: can you please look at my other question:
http://www.experts-exchange.com/Database/Oracle/Q_28612580.html

Need your input/thoughts over there, if possible.

Thanks again, will get back soon.
0
 
btan (Exec Consultant) commented:
Hope it helps; likewise, I'll try my best on the other query you mentioned.
0
