Secure Oracle Wallet

Posted on 2015-02-05
Last Modified: 2015-02-11
Looking for some best practice approach to secure Oracle Wallet; here is what Oracle says:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13017

But I need to secure it on Exadata too, plus on a single instance DB.

I would like to explore what others are using/experiencing, because we need to set this up ASAP, and I think we cannot use ACFS as recommended by Oracle. Please share your thoughts on what our best/possible options are for Exadata and single instance too.

Thanks in advance.
Question by:Mushfique Khan
8 Comments
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40593172
Likely you may consider looking at Oracle Key Vault for more collective key protection and management, since it can centrally manage both the Oracle Wallets and TDE/ACFS master keys on Exadata. Indeed, the TDE master key can typically be stored in Oracle Wallet or even in Oracle Key Vault itself.

If via the wallet, there is an Oracle practice in "Protecting the Oracle Wallet with ACFS access controls" (pg 21) which you can catch up on if not done so. It is implemented using the ACFS Security feature starting with Oracle Database 11.2.0.2 on Linux and 11.2.0.3 on Windows. The TDE Wallet can be protected by the realm too, so that the 'oracle' OS user, as well as 'secadmin' and 'root', have neither read nor write privileges on the TDE wallet; only the Oracle Database can open and close the wallet, and re-key the TDE master encryption key.

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Author Comment

by:Mushfique Khan
ID: 40593836
Thanks for this btan, but can you please share something on Exadata too, how to secure the same over there... much appreciated.
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40593846
It is as mentioned in the PDF - "Protecting the Oracle Wallet with ACFS access controls" (pg 21), do check it out.
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40595068
Another useful ACFS reference is below, on pg 6, for protecting the TDE wallet on the ACFS file system. Quick summary steps as below; you can test access using just ls or vi, for example, on the TDE wallet as root or security administrator, and it should reject the attempt with errors. This is due to the rule being set so that only the Oracle binary can access the wallet.
1. Create a realm to protect the wallet
2. Create a rule for the various application access only
3. Create a ruleset for the protected ACFS mount
4. Add the rule to the ruleset
5. Specify option ALL for the ruleset in the designated data wallet

http://www.oracle.com/technetwork/database/cloud-storage/acfs-security-encryption-514418.pdf

Author Comment

by:Mushfique Khan
ID: 40596738
Thanks btan for these doc links, they are very helpful.

Just one last confirmation, because for single instance and RAC all looks good, but the same question for Exadata, I'm still confused, because in this FAQ/article:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A15035

Under How is the TDE wallet protected?

It clearly says: but not Exadata X2), please advise.

Also I don't know how to check my Exadata version; can you please tell me how to check whether my Exadata version is X2 or ...?

And thanks again for your help.
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40596813
Thanks, I do wonder why the FAQ states that, and my reading of it is that ACFS is not supported in Exadata.
e.g. Exadata uses ASM, but it does not support ACFS, only DBFS. A forum thread (old though) also stated that ACFS requires LUNs to be presented to ASM, but Exadata presents Grid Disks, not LUNs. https://community.oracle.com/thread/1093038

Since the FAQ makes that stand as mentioned, I believe it may still be a valid stand that it is not supported for Exadata, though it stated Exadata X2. Regardless, that is best advised by Oracle support themselves, to give assurances on any changes through the many years... I see another blog stated it too:
if the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC one node, multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is cluster file system on top of ASM and provides new Security features like excellent wallet protection and separation of duties.
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml

Regardless, the TDE wallet is still supported in Exadata. Hence, in safeguarding the wallet, I see the additional aspect for Exadata is really to leverage the onboard AES-NI crypto card. It not only benefits from hardware crypto acceleration but also gives more tamper-proof storage of the key compared to just a file in file storage. Otherwise, there are no differences from the wallet checks, and the TDE best practice guide (2012) is still applicable; see the "TDE Wallet Management" section, just without the benefit of the ACFS additional access control. There is an "Exadata Database Machine" section in the guide too.
http://www.oracle.com/technetwork/database/focus-areas/security/twp-transparent-data-encryption-bes-130696.pdf&embedded=true

As for the version checking, I believe this thread will advise the command
to run "grep OneCommand /opt/oracle.SupportTools/onecommand/preconf.csv" from the first compute node
https://community.oracle.com/thread/2511512
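A defender's check for the non-ACFS case discussed above (single instance, or Exadata where the ACFS realm is not available), added here as an example and not taken from the thread or from Oracle: it locates the wallet directory in sqlnet.ora and flags wallet files readable beyond the owner, which is all that is left to rely on without ACFS access controls. The sqlnet.ora text, the wallet path and the temporary directory are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample sqlnet.ora (not from the page); Oracle's standard
# ENCRYPTION_WALLET_LOCATION syntax, with an illustrative path.
SAMPLE_SQLNET_ORA = """ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/u02/app/oracle/wallet)))
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/tmp/ssl)))
"""

def wallet_directory(sqlnet_text):
    """Return the DIRECTORY inside ENCRYPTION_WALLET_LOCATION only, or None."""
    idx = sqlnet_text.find("ENCRYPTION_WALLET_LOCATION")
    if idx < 0:
        return None
    start, depth = sqlnet_text.find("(", idx), 0
    for i in range(start, len(sqlnet_text)):      # walk the balanced parentheses
        depth += {"(": 1, ")": -1}.get(sqlnet_text[i], 0)
        if depth == 0:                            # end of this parameter's value
            m = re.search(r"DIRECTORY\s*=\s*([^)\s]+)", sqlnet_text[start:i + 1])
            return m.group(1) if m else None
    return None

def audit_wallet(wallet_dir):
    """Flag wallet files readable beyond the owner and note an auto-login wallet."""
    findings = []
    if os.stat(wallet_dir).st_mode & 0o077:
        findings.append("wallet directory is group/world accessible")
    for name in os.listdir(wallet_dir):
        if os.stat(os.path.join(wallet_dir, name)).st_mode & 0o077:
            findings.append(name + " is group/world accessible")
        if name == "cwallet.sso":                 # opens the key with no password
            findings.append("auto-login wallet present: file access alone opens the key")
    return findings

def demo():
    """Constructed wallet dir: hardened first, then a loosened ewallet.p12."""
    wdir = os.path.join(tempfile.mkdtemp(), "wallet")
    os.mkdir(wdir)
    os.chmod(wdir, 0o700)                         # set explicitly, ignore umask
    p12 = os.path.join(wdir, "ewallet.p12")
    open(p12, "wb").close()
    os.chmod(p12, 0o600)
    hardened = audit_wallet(wdir)
    os.chmod(p12, 0o644)                          # the misconfiguration to catch
    return hardened, audit_wallet(wdir)
```

On a real host, point audit_wallet at the directory returned by wallet_directory for the server's $ORACLE_HOME/network/admin/sqlnet.ora.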

Author Comment

by:Mushfique Khan
ID: 40599995
Thanks btan, this is really great, but I need some time to look into it.

But I need a favor btan, can you please look at my other question:
http://www.experts-exchange.com/Database/Oracle/Q_28612580.html

Need your input/thoughts over there, if possible.

Thanks again, will get back soon.
LVL 65

Expert Comment

by:btan
ID: 40600765
Hope it helps - likewise I'll try my best in the other query you mentioned.
