Solved

Secure Oracle Wallet

Posted on 2015-02-05
511 Views
Last Modified: 2015-02-11
Looking for a best-practice approach to secure Oracle Wallet; here is what Oracle says:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13017

But I need to secure it on Exadata too, plus on a single-instance DB.

I would like to explore what others are using/experiencing, because I need to set this up ASAP, and I think we cannot use ACFS as recommended by Oracle. Please share your thoughts on what our best/possible options are for Exadata and single instance too.

Thanks in advance.
Question by:mkhandba
8 Comments
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593172
You may consider looking at Oracle Key Vault for more collective key protection and management, since it can centrally manage both Oracle Wallets and TDE/ACFS master keys on Exadata. Indeed, the TDE master key can typically be stored in an Oracle Wallet or in Oracle Key Vault itself.

If via the wallet, there is an Oracle practice in "Protecting the Oracle Wallet with ACFS access controls" (pg 21) which you can check if you have not done so already. It is implemented using the ACFS Security feature starting with Oracle Database 11.2.0.2 on Linux and 11.2.0.3 on Windows. The TDE Wallet can be protected by the realm too, so that the 'oracle' OS user, as well as 'secadmin' and 'root', have neither read nor write privileges on the TDE wallet; only the Oracle Database can open and close the wallet and re-key the TDE master encryption key.

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Author Comment

by:mkhandba
ID: 40593836
Thanks for this btan, but can you please share something on Exadata too, i.e. how to secure the same over there ... much appreciated.
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593846
It is as mentioned in the PDF - "Protecting the Oracle Wallet with ACFS access controls" (pg 21); do check it out.
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40595068
Another useful ACFS reference is the one below (pg 6) for protecting the TDE wallet on the ACFS file system. Quick summary steps are below, and you can test access using just ls or vi, for example, on the TDE wallet as root or as the security administrator; it should reject the attempt with errors. This is due to the rule being set so that only the Oracle binary can access the wallet.
1. Create a realm to protect the wallet
2. Create a rule for the various application access only
3. Create a ruleset for the protected ACFS mount
4. Add the rule to the ruleset
5. Specify option ALL for the ruleset in the designated data wallet

http://www.oracle.com/technetwork/database/cloud-storage/acfs-security-encryption-514418.pdf

Author Comment

by:mkhandba
ID: 40596738
Thanks btan for these doc links, they are very helpful.

Just one last confirmation, because for single instance and RAC all looks good, but the same question remains for Exadata; I'm still confused, because in this FAQ/article:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A15035

Under "How is the TDE wallet protected?"

it clearly says: "but not Exadata X2)". Please advise.

Also I don't know how to check my Exadata version; can you please tell me how to check whether my Exadata version is X2 or ... ?

And thanks again for your help.
LVL 62

Accepted Solution

by:btan
btan earned 500 total points
ID: 40596813
Thanks. It does make one wonder why the FAQ states that, and my reading of it is that ACFS is not supported on Exadata.
E.g. Exadata uses ASM, but it does not support ACFS, only DBFS. A forum thread (old though) also stated that ACFS requires that LUNs be presented to ASM, but Exadata presents Grid Disks, not LUNs. https://community.oracle.com/thread/1093038

Since the FAQ makes that statement, I believe it may still be a valid stance that it is not supported for Exadata, even though it says Exadata X2. Regardless, that will be best advised by Oracle Support themselves, to give assurances on any changes over the many years... I see another blog stated it too:
"If the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC one node, multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is a cluster file system on top of ASM and provides new Security features like excellent wallet protection and separation of duties."
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml

Regardless, the TDE wallet is still supported on Exadata. Hence, in safeguarding the wallet, I see the additional aspect for Exadata is really to leverage the onboard AES-NI crypto card. It not only benefits from hardware crypto acceleration but also gives more tamper-proof storage of the key compared to just a file in file storage. Otherwise, there are no differences in the wallet checks, and the TDE best practice guide (2012) is still applicable; see the "TDE Wallet Management" section, just without the benefit of the ACFS additional access control. There is an "Exadata Database Machine" section in the guide too.
http://www.oracle.com/technetwork/database/focus-areas/security/twp-transparent-data-encryption-bes-130696.pdf&embedded=true

As for the version checking, I believe this thread advises running the command "grep OneCommand /opt/oracle.SupportTools/onecommand/preconf.csv" from the first compute node:
https://community.oracle.com/thread/2511512
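As an added example (not code from this thread, from Oracle, or from the linked papers), here is a POSIX shell check for the non-ACFS case discussed in the accepted solution and for the "test access as root or the security administrator" idea in the earlier summary steps: it confirms that a wallet directory is owned by the database OS user and carries no group or other permission bits, which is the plain-file-system counterpart of trying ls or vi on the wallet as another user. The directory layout and the 'oracle' owner are assumptions for illustration. Ordinary permission bits do not bind root; the ACFS realm described earlier is what removes root's access, so on a platform without ACFS this check is a baseline to run, not a replacement for that control.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oracle: a permission check
# for a TDE wallet directory kept on an ordinary file system (the case the
# thread describes for Exadata, where ACFS realms are not available).
# Assumptions (hypothetical, adjust to your layout): the wallet lives in a
# directory such as /u02/app/oracle/wallet and the database OS user is "oracle".

# check_wallet_perms DIR [OWNER]
#   Returns 0 when every entry under DIR is owned by OWNER and carries no
#   group or other permission bits; returns 1 (listing offenders on stderr)
#   otherwise, and 2 when DIR does not exist.
check_wallet_perms() {
    dir=$1
    owner=${2:-oracle}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # POSIX find: "-perm -NNN" matches entries that have at least those bits,
    # so each clause catches one group/other bit (r, w or x).
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    foreign=$(find "$dir" ! -user "$owner" -print)

    rc=0
    if [ -n "$loose" ]; then
        printf 'group/other permission bits set on:\n%s\n' "$loose" >&2
        rc=1
    fi
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign" >&2
        rc=1
    fi
    return "$rc"
}

# Stand-alone demo on a constructed wallet directory (no real wallet involved):
# a tightly permissioned wallet passes, then the common mistake of a
# group/world-readable ewallet.p12 is flagged.
demo_wallet_check() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/wallet" && : > "$tmp/wallet/ewallet.p12"   # constructed, empty
    chmod 700 "$tmp/wallet" && chmod 600 "$tmp/wallet/ewallet.p12"
    me=$(id -un)   # stand-in for the "oracle" user on a real host

    check_wallet_perms "$tmp/wallet" "$me" && echo "tight wallet: OK"
    chmod 644 "$tmp/wallet/ewallet.p12"
    check_wallet_perms "$tmp/wallet" "$me" || echo "loose wallet: flagged"
    rm -rf "$tmp"
}

demo_wallet_check
```

On a real host you would run `check_wallet_perms /u02/app/oracle/wallet oracle` (your own path) from cron or a configuration-compliance job and alert on a non-zero exit; the owner argument exists so the same function can be exercised on a test box where no oracle account exists.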

Author Comment

by:mkhandba
ID: 40599995
Thanks btan, this is really great, but I need some time to look into it.

But I need a favor btan: can you please look at my other question:
http://www.experts-exchange.com/Database/Oracle/Q_28612580.html

I need your input/thoughts over there, if possible.

Thanks again, will get back soon.
LVL 62

Expert Comment

by:btan
ID: 40600765
Hope it helps - likewise I'll try my best on the other query you mentioned.