Solved

Secure Oracle Wallet

Posted on 2015-02-05
525 Views
Last Modified: 2015-02-11
Looking for a best-practice approach to securing Oracle Wallet; here is what Oracle provides:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13017

But I need to secure it on Exadata too, plus on a single-instance DB.

I would like to explore what others are using/experiencing, because I need to set this up ASAP, and I think we cannot use ACFS as recommended by Oracle. Please share your thoughts on what our best/possible options are for Exadata and single instance too.

Thanks in advance.
Question by:mkhandba
8 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593172
You may consider looking at Oracle Key Vault for more collective key protection and management, since it can centrally manage both Oracle Wallets and TDE/ACFS master keys on Exadata. Indeed, the TDE master key used for TDE can typically be stored in an Oracle Wallet or even in Oracle Key Vault itself.

If via the wallet, there is an Oracle practice in "Protecting the Oracle Wallet with ACFS access controls" (pg 21) which you can catch up on if you have not done so. It is implemented using the ACFS Security feature starting with Oracle Database 11.2.0.2 on Linux and 11.2.0.3 on Windows. The TDE Wallet can be protected by the realm too, so that the 'oracle' OS user, as well as 'secadmin' and 'root', have neither read nor write privileges on the TDE wallet; only the Oracle Database can open and close the wallet and re-key the TDE master encryption key.

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Author Comment

by:mkhandba
ID: 40593836
Thanks for this btan, but can you please share something on Exadata too, how to secure the same over there... much appreciated.
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593846
It is as mentioned in the PDF - "Protecting the Oracle Wallet with ACFS access controls" (pg 21); do check it out.
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40595068
Another useful ACFS reference is the one below (pg 6) for protecting the TDE wallet on the ACFS file system. Quick summary steps are as below; you can test access using just ls or vi, for example, on the TDE wallet as root or security administrator, and it should reject the attempt with errors. This is due to the rule being set so that only the Oracle binary can access the wallet.
1. Create a realm to protect the wallet
2. Create a rule for the various application access only
3. Create a ruleset for the protected ACFS mount
4. Add the rule to the ruleset
5. Specify option ALL for the ruleset on the designated data wallet

http://www.oracle.com/technetwork/database/cloud-storage/acfs-security-encryption-514418.pdf
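An added script, not from this thread or from any Oracle document, that drives the five realm/rule/ruleset steps summarised above and wraps the "ls/vi as root should be rejected" check in a function. The `acfsutil sec` flags, the mount point, the wallet path, the wallet file name and the oracle binary path are all assumptions written from memory; confirm them against `acfsutil sec -h` on your release before running with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: ACFS Security realm around a TDE wallet directory.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them
# and must be run as the ACFS security administrator on the DB node.

MOUNT="${MOUNT:-/u02/app/oracle}"          # assumed ACFS mount point
WALLET_DIR="${WALLET_DIR:-$MOUNT/wallet}"  # assumed TDE wallet directory
ORACLE_BIN="${ORACLE_BIN:-/u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle}"
REALM="${REALM:-tde_wallet_realm}"
RULE="${RULE:-oracle_binary_only}"
RULESET="${RULESET:-wallet_ruleset}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The five steps from the post, in order (flag syntax is assumed).
protect_wallet() {
    # 1. Realm that will own the wallet path
    run acfsutil sec realm create "$REALM" -m "$MOUNT"
    # 2. Rule: only the database server binary may touch realm files
    run acfsutil sec rule create "$RULE" -m "$MOUNT" -t application "$ORACLE_BIN" -o ALLOW
    # 3. Ruleset on the protected mount; ALL_TRUE = every rule must pass
    run acfsutil sec ruleset create "$RULESET" -m "$MOUNT" -o ALL_TRUE
    # 4. Put the rule into the ruleset
    run acfsutil sec ruleset edit "$RULESET" -m "$MOUNT" -a "$RULE"
    # 5. Bind the ruleset to the wallet directory for ALL command types
    run acfsutil sec realm add "$REALM" -m "$MOUNT" -f -r -l "ALL:$RULESET" "$WALLET_DIR"
}

# Negative check from the post: a plain read of the wallet by root or
# secadmin must be refused. Returns 0 if protected, 1 if still readable.
wallet_is_protected() {
    if cat "$WALLET_DIR/ewallet.p12" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: sh protect_wallet.sh            (prints the five commands)
#        DRY_RUN=0 sh protect_wallet.sh  (applies them, then verify by hand)
protect_wallet
```

After applying, run `wallet_is_protected && echo protected` as root; the post's ls/vi test and this function should both fail to read the wallet.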

Author Comment

by:mkhandba
ID: 40596738
Thanks btan for these doc links, they are very helpful.

Just one last confirmation, because for single instance and RAC all looks good, but the same question for Exadata still confuses me, because in this FAQ/article:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A15035

under "How is the TDE wallet protected?"

it clearly says: "but not Exadata X2". Please advise.

Also I don't know how to check my Exadata version; can you please tell me how to check whether my Exadata version is X2 or ...?

And thanks again for your help.
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40596813
Thanks. It does make one wonder why the FAQ states that, and my reading of it is that ACFS is not supported on Exadata.
E.g. Exadata uses ASM, but it does not support ACFS, only DBFS. A forum thread (old though) also stated that ACFS requires LUNs to be presented to ASM, but Exadata presents Grid Disks, not LUNs. https://community.oracle.com/thread/1093038

Since the FAQ makes that statement, I believe it may still be a valid stance that it is not supported for Exadata, even though it says Exadata X2. Regardless, that is best advised by Oracle support themselves, to give assurance on any changes over the many years... I see another blog stated it too:
"If the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC one node, multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is a cluster file system on top of ASM and provides new Security features like excellent wallet protection and separation of duties."
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml

Regardless, the TDE wallet is still supported in Exadata. Hence, in safeguarding the wallet, I see the additional aspect for Exadata is really to leverage the onboard AES-NI crypto card. It not only benefits from hardware crypto acceleration but also gives more tamper-proof storage of the key compared to just a file in file storage. Otherwise, there are no differences from the wallet checks, and the TDE best practice guide (2012) is still applicable; see the "TDE Wallet Management" section, just without the benefit of the additional ACFS access control. There is an "Exadata Database Machine" section in the guide too.
http://www.oracle.com/technetwork/database/focus-areas/security/twp-transparent-data-encryption-bes-130696.pdf&embedded=true

As for the version checking, I believe this thread advises running the command
"grep OneCommand /opt/oracle.SupportTools/onecommand/preconf.csv" from the first compute node:
https://community.oracle.com/thread/2511512

Author Comment

by:mkhandba
ID: 40599995
Thanks btan, this is really great, but I need some time to look into it.

But I need a favor btan: can you please look at my other question:
http://www.experts-exchange.com/Database/Oracle/Q_28612580.html

I need your input/thoughts over there, if possible.

Thanks again, will get back soon.
LVL 63

Expert Comment

by:btan
ID: 40600765
Hope it helps - likewise I'll try my best in the other query you mentioned.