Recently, I was trying to set up TDE. Doing that, I found out that the documentation Oracle provides isn't overly clear: there is a pre-Oracle 12 way to do it, using 'alter system' commands, and a newer way in Oracle 12, using 'administer key management' commands. I am using version 220.127.116.11.170117, so I decided to use the 'administer key management' commands. This blog post is about an exception which I see encountered in the January 2017 (170117) PSU of the Oracle database, which is NOT happening in Oracle 12.2 (no PSUs for Oracle 12.2 at the time of writing) or in the Oracle 18.104.22.168 April 2016 and October 2016 PSUs.
In order to test the wallet functionality for TDE, I used the following commands:
I've always been worried about taking a script that is fine to run in my non-production environments (in particular a DROP script) and accidentally running it in a Production environment, shortly followed by typing up a fresh resume to look for a new job once the mistake is discovered.
In my previous post, I introduced you to the two concepts of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). ABAC resolves a number of the limitations associated with RBAC, as I discussed in that post. In this post, I wanted to drill into the architecture underlying ABAC a little bit more.
In simple terms, there are four main parts of the ABAC architecture. These are:
In a recent post, I explained a little bit about what my new role at archTIS is. archTIS is a company that focuses on the area of Trusted Information Sharing. Trusted Information Sharing is a concept that not too many people would understand the complexities of. In fact, when I first started in my new role I wasn’t aware of just how complex it was myself! To explain all that complexity in a single post would make for an incredibly long post, so what I’m going to do is explain it in a series of blog posts. Doing so will help you (the reader) understand this more readily, and assist me in checking my level of understanding as well. So let’s start off at the very basic level of some of the underlying concepts of Trusted Information Sharing (hereafter referred to as TIS) and why we need to have it.
Recently I was asked to analyse the security impact of the snmp daemon on a recent Exadata. This system was running Exadata image version 22.214.171.124.3. This blog article gives you an overview of a lot of the things that surround snmp and security.
First of all, what packages are installed that do something with snmp? A list can be obtained the following way:
# rpm -qa | grep snmp
net-snmp-utils-5.5-54.0.1.el6_7.1.x86_64
net-snmp-libs-5.5-54.0.1.el6_7.1.x86_64
net-snmp-5.5-54.0.1.el6_7.1.x86_64
sas_snmp-14.02-0103.x86_64
Essentially the usual net-snmp packages and a package called 'sas_snmp'.
Another important thing is how the firewall is configured. However, by default the firewall on the Exadata compute nodes is turned off:
AUTHID_CURRENT_USER can be misused by developers. The new object privilege INHERIT PRIVILEGES ON
One of the questions we see being asked reasonably frequently is how to allow read only access to someone who wants to view database performance issues, using tools such as Real Time ADDM, ASH Analytics and so on. This is generally asked for someone like an application developer, who can use this information to identify performance issues in Production and then fix the root cause in their Development environments.
Well, that’s a reasonable question to ask, and indeed if you search the internet you can find different ways of doing something like this. For EM12c, one of the best write-ups I’ve seen done on this was of course by one of my colleagues, Courtney Llamas. That write-up is available here.
I’ll be at Collaborate 16 next month and looking forward to seeing lots of good friends, learning some new things, and sharing a little experience too. For the last of those, I’ll present 3 sessions, er, more like 2.2 sessions:
I don't have an official OOW presentation in the conference this year. However, I am presenting a session at the Oak Table World 2015 event being held concurrently with OOW 2015. My topic is "Exadata Database Machine Security" and I plan to review some of the newest updates to security for the Exadata Database Machine engineered system.
As the website indicates, the event is completely free and there is no pre-registration or enrollment required; just show up and come on in to hear some great speakers present on great topics. Hope to see you there on Monday, October 26, 2015!
There is a new auditing architecture in place with Oracle Database 12c, called Unified Auditing. Why would you want to use it? Because it has significantly less performance impact than the old approach. Audit records are now buffered in the SGA and written asynchronously to disk; that's the trick.
Other benefits of the new approach are that there is now one centralized way (and one syntax) to deal with all the various auditing features that have been introduced over time, like Fine Grained Auditing. But the key improvement in my opinion is the reduced performance impact, because that was often hurting customers in the past. Let's see it in action! First, I will record a baseline without any auditing: