Solved

Secure Oracle Wallet

Posted on 2015-02-05
507 Views
Last Modified: 2015-02-11
I'm looking for a best-practice approach to securing the Oracle wallet; here is what Oracle provides:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13017

But I need to secure it on Exadata too, plus on a single-instance DB.

I would like to explore what others are using/experiencing, because we need to set this up ASAP, and I think we cannot use ACFS as recommended by Oracle. Please share your thoughts on what our best/possible options are for Exadata and for single instance too.

Thanks in advance.
Question by: mkhandba
8 Comments
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593172
You may want to consider looking at Oracle Key Vault for more collective key protection and management, since it can centrally manage both the Oracle Wallets and the TDE/ACFS master keys on Exadata. Indeed, the TDE master key can typically be stored either in an Oracle Wallet or in Oracle Key Vault itself.

If you go via the wallet, there is an Oracle practice in "Protecting the Oracle Wallet with ACFS access controls" (pg 21) which you can read if you have not done so. It is implemented using the ACFS Security feature, starting with Oracle Database 11.2.0.2 on Linux and 11.2.0.3 on Windows. The TDE wallet can be protected by the realm too, so that the 'oracle' OS user, as well as 'secadmin' and 'root', have neither read nor write privileges on the TDE wallet; only the Oracle Database can open and close the wallet and re-key the TDE master encryption key.

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Author Comment

by:mkhandba
ID: 40593836
Thanks for this, btan, but can you please share something on Exadata too, i.e. how to secure the same over there? Much appreciated.
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40593846
It is as mentioned in the PDF: "Protecting the Oracle Wallet with ACFS access controls" (pg 21). Do check it out.
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40595068
Another useful ACFS reference is the one below; see pg 6 for protecting the TDE wallet on the ACFS file system. A quick summary of the steps is given below. You can then test access using just ls or vi, for example, on the TDE wallet as root or as the security administrator, and it should reject the attempt with errors. This is because the rule is set so that only the Oracle binary can access the wallet.
1. Create a realm to protect the wallet
2. Create a rule allowing access only for the specified application(s)
3. Create a ruleset for the protected ACFS mount
4. Add the rule to the ruleset
5. Specify the option ALL for the ruleset on the designated wallet directory

http://www.oracle.com/technetwork/database/cloud-storage/acfs-security-encryption-514418.pdf
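The five steps above, written out as the corresponding `acfsutil sec` commands. This is an added example and is not from btan's post or from the Oracle PDF; the mount point, the path of the database binary, and the realm/rule/ruleset names are assumptions, as is the precondition that ACFS Security has already been initialised on the file system (`acfsutil sec init` / `acfsutil sec prepare`) and that the script is run by the ACFS security administrator. With no argument it only prints the plan; `apply` runs the commands and then checks, from the calling account, that the wallet file can no longer be read.

```shell
#!/bin/sh
# Added example (not from the thread): the five ACFS Security steps as
# "acfsutil sec" commands. Assumed values: mount point, oracle binary path,
# and the realm/rule/ruleset names. Precondition (assumed): the file system
# was prepared with "acfsutil sec init" and "acfsutil sec prepare", and the
# caller is the ACFS security administrator.
WALLET_MNT="${WALLET_MNT:-/u02/app/oracle/wallet}"                               # assumed ACFS mount point
ORACLE_BIN="${ORACLE_BIN:-/u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle}"   # assumed database binary
REALM="wallet_realm"          # assumed names
RULE="rule_oracle_binary"
RULESET="rs_wallet_access"
PLAN=""

# Execute a command, or, when ACFS_DRY_RUN=1, append it to PLAN for review.
run() {
  if [ "${ACFS_DRY_RUN:-0}" = "1" ]; then
    PLAN="${PLAN}$*
"
  else
    "$@"
  fi
}

protect_wallet() {
  # 1. Create the realm that will hold the wallet directory. ACFS encryption
  #    (-e) is a separate feature that needs "acfsutil encr init"; it is left
  #    OFF here so the example only depends on ACFS Security.
  run acfsutil sec realm create "$REALM" -m "$WALLET_MNT" -e OFF -d "TDE wallet protection"
  # 2. Application rule: only the database binary is allowed through.
  run acfsutil sec rule create "$RULE" -m "$WALLET_MNT" -t application "$ORACLE_BIN" -o ALLOW
  # 3. Ruleset on the protected mount point.
  run acfsutil sec ruleset create "$RULESET" -m "$WALLET_MNT" -o ALL_TRUE
  # 4. Add the rule to the ruleset.
  run acfsutil sec ruleset edit "$RULESET" -m "$WALLET_MNT" -a "$RULE"
  # 5. Put the wallet directory into the realm; command rule ALL ties every
  #    file operation on it to the ruleset (root and secadmin included).
  run acfsutil sec realm add "$REALM" -m "$WALLET_MNT" -f -r "$WALLET_MNT" -l "ALL:$RULESET"
}

# Post-check from any non-database account (root included): reading the
# wallet must fail once the realm is active. Returns 0 when access is refused.
verify_wallet_locked() {
  wallet_file="${1:-$WALLET_MNT/ewallet.p12}"
  if head -c 1 "$wallet_file" >/dev/null 2>&1; then
    echo "WARNING: $wallet_file is still readable by $(id -un)" >&2
    return 1
  fi
  echo "OK: $wallet_file is not readable by $(id -un)"
  return 0
}

# Print the command plan without touching the system.
plan_steps() {
  PLAN=""
  ACFS_DRY_RUN=1
  protect_wallet
  printf '%s' "$PLAN"
}

plan_step_count() { plan_steps | wc -l | tr -d ' '; }

case "${1:-plan}" in
  apply) protect_wallet && verify_wallet_locked ;;
  *)     plan_steps ;;
esac
```

Review the printed plan first, then run it with `apply`; the final check should report the wallet as unreadable for the account you ran it from, which is the same ls/vi test btan describes.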

Author Comment

by:mkhandba
ID: 40596738
Thanks, btan, for these doc links; they are very helpful.

Just one last confirmation: for single instance and RAC all looks good, but on the same question for Exadata I'm still confused, because in this FAQ/article:
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A15035

under "How is the TDE wallet protected?"

it clearly says: "... but not Exadata X2)". Please advise.

Also, I don't know how to check my Exadata version. Can you please tell me how to check whether my Exadata version is X2 or something else?

And thanks again for your help.
LVL 61

Accepted Solution

by: btan
btan earned 500 total points
ID: 40596813
Thanks. I do wonder why the FAQ states that, and my reading of it is that ACFS is not supported on Exadata.
E.g. Exadata uses ASM, but it does not support ACFS, only DBFS. An (old) forum thread also stated that ACFS requires LUNs to be presented to ASM, but Exadata presents Grid Disks, not LUNs. https://community.oracle.com/thread/1093038

Since the FAQ makes that statement, I believe "not supported on Exadata" may still be the valid position, even though it says Exadata X2. Regardless, that is best confirmed by Oracle Support themselves, who can give assurance about any changes over the years... I see another blog states it too:
"If the wallet is being created on a database server, it is recommended to store the Oracle Wallet in Oracle ACFS (i.e. /u02/app/oracle/wallet/) when ACFS is available. This applies to single instance, RAC one node, multi-node RAC, but not Exadata X2 configurations. Oracle ACFS is a cluster file system on top of ASM and provides new Security features like excellent wallet protection and separation of duties."
http://www.idevelopment.info/data/Oracle/DBA_tips/Security/SEC_15.shtml

Regardless, the TDE wallet is still supported on Exadata. Hence, in safeguarding the wallet, I see the additional aspect for Exadata is really to leverage the onboard AES-NI crypto card. It not only benefits from hardware crypto acceleration but also gives more tamper-proof storage of the key compared to just a file in file storage. Otherwise, there are no differences in the wallet checks, and the TDE best practice guide (2012) is still applicable; see the "TDE Wallet Management" section, just without the benefit of the additional ACFS access control. There is an "Exadata Database Machine" section in the guide too.
http://www.oracle.com/technetwork/database/focus-areas/security/twp-transparent-data-encryption-bes-130696.pdf

As for the version check, I believe this thread advises running the command "grep OneCommand /opt/oracle.SupportTools/onecommand/preconf.csv" from the first compute node:
https://community.oracle.com/thread/2511512

Author Comment

by:mkhandba
ID: 40599995
Thanks, btan, this is really great, but I need some time to look into it.

I also need a favour, btan: can you please look at my other question?
http://www.experts-exchange.com/Database/Oracle/Q_28612580.html

Need your input/thoughts over there, if possible.

Thanks again; I will get back soon.
LVL 61

Expert Comment

by:btan
ID: 40600765
Hope it helps. Likewise, I'll try my best on the other query you mentioned.