Oracle Database Advanced Security New Features in 18c
Following are interesting new features added in Oracle 18c to enhance database security while keeping the PDBs isolated:
- Ability to Create a Keystore for Each Pluggable Database
- Ability to Create a User-Defined Master Encryption Key
- Ability to Use Encrypted Passwords for Database Links with Oracle Data Pump
Ability to Create a Keystore for Each Pluggable Database
Before 18c the keystore was configured at the container database (CDB) level, and every PDB in that container accessed this one keystore, which stored the master encryption keys for the CDB as well as for all the PDBs. Starting from 18c a PDB can either continue to share the keystore with the entire CDB as before or have a separate keystore of its own.
Having a dedicated keystore for each PDB offers the following advantages:
- It offers greater isolation between PDBs
- Each separate keystore can be administered independently
- Each keystore can be protected by a different password.
- Enables independent key management operations to be performed by each tenant (PDB) in a multitenant environment.
- It provides parameters to facilitate the configuration of the keystore location and the keystore type, eliminating the need for editing the sqlnet.ora file.
Starting from 18c you can configure the keystore in two modes:
United mode => The keystores and master encryption keys are primarily managed from the CDB root and can be accessed from the united-mode PDBs. Within a PDB, the keystore can be opened and closed just for that PDB.
Isolated mode => The keystore and encryption keys are managed in an individual PDB. This way, each PDB can configure its own keystore type independently, and create and manage this keystore after configuring it.
NOTE1: You can mix these two modes.
For example, suppose you have 1 CDB and 10 PDBs. You can run 5 of these PDBs in united mode and the remaining 5 in isolated mode. To facilitate this feature Oracle has introduced two new parameters:
WALLET_ROOT & TDE_CONFIGURATION
WALLET_ROOT => Static initialization parameter that specifies the keystore path. You can set this parameter for TDE software keystores, hardware security module (HSM) keystores, and Oracle Key Vault.
When WALLET_ROOT has been set, it overrides SQLNET.ENCRYPTION_WALLET_LOCATION.
If WALLET_ROOT has not been set, then SQLNET.ENCRYPTION_WALLET_LOCATION is used by default.
TDE_CONFIGURATION => Dynamic parameter, configured at the PDB level, that determines the type of keystore to use.
Valid values, or combinations of values, for this parameter are as follows:
- FILE
- OKV
- HSM
- FILE|OKV
- FILE|HSM
- OKV|FILE
- HSM|FILE
NOTE2: As of now, isolated mode is only available in cloud environments; it is not available for on-premises databases.
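As an added example (not part of the original post), the following SQL*Plus session shows how WALLET_ROOT, TDE_CONFIGURATION and the two modes fit together on an 18c CDB. The keystore directory, the PDB names PDB1/PDB2 and the passwords are placeholders, and the commands assume a session with SYSDBA (or SYSKM) privileges.

```sql
-- Added example, not from the original post. Placeholders: the directory
-- /etc/ORACLE/KEYSTORES/CDB1 (must already exist, owned by the Oracle
-- software owner, mode 700), the PDB names and the passwords.

-- 1. CDB$ROOT: point TDE at WALLET_ROOT. It is a static parameter, so it
--    needs SCOPE=SPFILE and a restart of the CDB before it takes effect.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER SYSTEM SET WALLET_ROOT = '/etc/ORACLE/KEYSTORES/CDB1' SCOPE = SPFILE;
-- (restart the CDB here)

-- 2. CDB$ROOT: choose the keystore type. FILE = software keystore, created
--    under WALLET_ROOT/tde. This is united mode: the root and every PDB that
--    has not configured its own keystore share it.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;

-- 3. CDB$ROOT: create, open and key the shared keystore. With WALLET_ROOT
--    set, the location is derived from it, so no path is given here.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "CdbKeystorePw#1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "CdbKeystorePw#1"
  CONTAINER = ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "CdbKeystorePw#1"
  WITH BACKUP CONTAINER = ALL;

-- 4. A united-mode PDB can still close and open the shared keystore for
--    itself only; the other containers are unaffected.
ALTER SESSION SET CONTAINER = PDB1;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "CdbKeystorePw#1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "CdbKeystorePw#1";

-- 5. Isolated mode for one PDB (where the platform supports it): set
--    TDE_CONFIGURATION inside the PDB, then create its own keystore, which
--    is placed under WALLET_ROOT/<PDB GUID>/tde with its own password.
ALTER SESSION SET CONTAINER = PDB2;
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH;
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Pdb2KeystorePw#1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Pdb2KeystorePw#1";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Pdb2KeystorePw#1" WITH BACKUP;

-- 6. Verify per container: keystore type, location, status and mode.
--    KEYSTORE_MODE should read UNITED for CDB$ROOT/PDB1 and ISOLATED for PDB2.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet
 ORDER BY con_id;
```

Back up WALLET_ROOT (including each PDB's GUID subdirectory) together with the database, since an isolated PDB's data is unreadable without its own keystore and password.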
Ability to Create a User-Defined Master Encryption Key
Also known as “bring your own key”. Oracle Database now supports the use of master encryption keys that have been generated outside the database.
Ability to Use Encrypted Passwords for Database Links with Oracle Data Pump
Passwords in database links are now encrypted. Oracle Data Pump handles the export and import of these passwords.