
This article discusses the Oracle 9i security enhancements: what is new and improved in Oracle 9i in the way of database security, and what difference this makes to your role as a DBA and to the business you support.
Introduction
Enhanced 3-tier Security
Improved Hosting Security
Improved User Security
Data Encryption Features
Oracle Label Security
Summary
Further Reading
Introduction
Oracle is designed primarily to meet the needs of large enterprises, and as the number and types of users increase and their geographical locations become more diverse, security (and privacy) become correspondingly more important. In essence, the security improvements in Oracle 9i fall into five areas: enhanced 3-tier security, improved hosting security, improved user security, data encryption features and Oracle Label Security.
This article won't explore these new features in great depth, but just enough to give you an idea of what has changed and what effect this might have on your role as an Oracle DBA. If you wish to dig deeper we can recommend "Oracle 9i New Features" by Robert Freeman, which goes into a lot more detail (see the resources section, which also contains pointers to information on OTN).
Smartsoft also provide high quality, classroom-based and online Oracle courses and SQL courses for Oracle developers and dbas. See our Oracle courses section for more details.
New subscribers can read the previous Oracle 9i New Features articles here:
http://www.smart-soft.co.uk/Oracle/oracle9i.htm
http://www.smart-soft.co.uk/Oracle/oracle9i-new-features-part2.htm
http://www.smart-soft.co.uk/Oracle/oracle-9i-backup-and-recovery.htm
and articles on general performance tuning here:
http://www.smart-soft.co.uk/Oracle/oracle-tips-and-tricks.htm
Oracle make a great play of the security capabilities of their database with their "Unbreakable - can't break it, can't break in" slogan and of the number of independent security certifications the Oracle database holds compared with DB2 and SQL Server, but for most of us, I would think, what happens in the real world matters more than the number of certificates. Let's take a look, then, and see what real-world improvements they have made.
Enhanced 3-tier Security
3-tier security has been enhanced in Oracle 9i by proxy authentication: a middle tier authenticates to the database with its own credentials and then opens sessions on behalf of individual users, without holding those users' passwords. This includes the use of X.509 certificates or Distinguished Names to prove the user's identity to the database, support for thick JDBC, connection pooling for proxied users via thick and thin JDBC and OCI, and integration with LDAP. The aim is to give you the option of forcing users to connect to the database only through the middle tier while ensuring that the real user's identity is preserved across all tiers of the application, so that privileges, auditing and fine-grained access control still apply to the end user rather than to a single shared application account.
Other changes in this area include enhancements to the DBMS_LDAP package, which is now supported in both shared server and dedicated server mode. The UTL_INADDR, UTL_HTTP, UTL_TCP and UTL_SMTP packages have also been enhanced, and two new packages have been created: UTL_URL (for escaping and unescaping URL strings) and UTL_ENCODE (for Base64, quoted-printable and uuencode encoding, as used in mail messages). Bear in mind that EXECUTE on these network packages is granted to PUBLIC by default; revoking it from PUBLIC and granting it only to the schemas that need it is a standard hardening step, since any account that can run UTL_TCP or UTL_HTTP can open outbound connections from the database server.
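As an added example (not from the article, and not Oracle's own documentation code), here is how a DBA would set proxy authentication up in Oracle 9i SQL so that the middle tier never holds end-user passwords and the audit trail keeps both identities. The account, role and table names (APPSRV, ALICE, HR_CLERK, HR.EMPLOYEES) and the passwords are hypothetical placeholders.

```sql
-- Added example, not the article's code. Assumed: middle-tier account APPSRV,
-- end user ALICE, role HR_CLERK and table HR.EMPLOYEES. Passwords are placeholders.

-- 1. The middle tier gets a session privilege and nothing else; it owns no data.
CREATE USER appsrv IDENTIFIED BY appsrv_password;
GRANT CREATE SESSION TO appsrv;

-- 2. The real user holds the data privileges, via a role.
CREATE USER alice IDENTIFIED BY alice_password;
GRANT CREATE SESSION TO alice;
CREATE ROLE hr_clerk;
GRANT SELECT ON hr.employees TO hr_clerk;
GRANT hr_clerk TO alice;

-- 3. Let APPSRV open a session as ALICE without her password, restricted to
--    the HR_CLERK role. (Variant: AUTHENTICATED USING DISTINGUISHED NAME makes
--    the middle tier present the DN from Alice's X.509 certificate, which the
--    database checks against the DN it holds for her, e.g. IDENTIFIED GLOBALLY AS.)
ALTER USER alice GRANT CONNECT THROUGH appsrv WITH ROLE hr_clerk;
-- ALTER USER alice GRANT CONNECT THROUGH appsrv AUTHENTICATED USING DISTINGUISHED NAME;

-- 4. Both identities stay in the audit trail: audit what APPSRV does as ALICE.
AUDIT SELECT TABLE BY appsrv ON BEHALF OF alice;

-- 5. Checks: which proxy grants exist, and, inside a proxied session, who is who.
SELECT proxy, client, authentication, authorization_constraint FROM proxy_users;

SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,   -- ALICE
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user      -- APPSRV
FROM   dual;

-- 6. Withdraw the trust when the middle tier is retired.
ALTER USER alice REVOKE CONNECT THROUGH appsrv;
```

In 9i the proxied session itself is opened from the middle tier through OCI or the thick (OCI) JDBC driver's connection pool (OracleOCIConnectionPool.getProxyConnection); the thin driver gained this later. The WITH ROLE clause is the part worth insisting on: without it the proxy can exercise every privilege the user has, including any DBA roles.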
Improved Hosting Security
This area is particularly important for application service providers, which need to separate the data for each of their clients and ensure that each client can see only its own data and not everyone else's.
The changes in this area for virtual private databases (VPD) comprise partitioned fine-grained access control, global application contexts and the addition of the Oracle Policy Manager to OEM to improve the management of security policies.
Partitioned fine-grained access control is a 9i enhancement to improve support for multiple applications sharing the same database. Under Oracle 8i every policy defined on a table applied to every statement against it, a "one size fits all" approach; with Oracle 9i policies can be placed in named policy groups, and a driving application context tells the database which group applies to the current session, so each application can have its own security policy on the same tables (policies in the SYS_DEFAULT group still apply to everyone). For example you might have a reporting application and an OLTP application using the same database but each with different security requirements. With Oracle 9i you can create a different security policy for each application.
Global application contexts enable the use of connection pooling with virtual private databases and thus support very high-usage (e.g. web-based) applications. Because a pooled session is shared by many end users, a session-local context would be useless; instead the middle tier sets the context values, tagged with a client identifier for the real user, and they are cached in the SGA of the instance. When a pooled session is handed to that user the middle tier sets the matching client identifier on the session and the cached values become visible there, rather than a specific application context being built for each session.
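The two paragraphs above describe one mechanism each; the following added example (not the article's code) wires them together in Oracle 9i SQL and PL/SQL. A global application context carries the tenant and the calling application for a pooled session, a tenant-isolation policy in the SYS_DEFAULT group applies to everybody, and a second policy in a REPORTING group applies only when the driving context says the reporting application is in use. The schema HOSTED, its table INVOICES (columns INVOICE_ID, TENANT_ID, STATUS, AMOUNT), the context TENANT_CTX and the pooled user APPSRV are assumptions for the example.

```sql
-- Added example, not the article's code. Assumed: schema HOSTED owning
-- INVOICES(invoice_id, tenant_id, status, amount), a pooled application
-- user APPSRV, context TENANT_CTX and policy group REPORTING.

-- 1. Global context: values are cached in the SGA, keyed by database user
--    and client identifier, instead of living in one session.
CREATE CONTEXT tenant_ctx USING hosted.tenant_ctx_pkg ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE hosted.tenant_ctx_pkg AS
  PROCEDURE set_tenant (p_client_id VARCHAR2, p_tenant_id VARCHAR2, p_app VARCHAR2);
  PROCEDURE clear_tenant (p_client_id VARCHAR2);
END tenant_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hosted.tenant_ctx_pkg AS
  -- Only this package may write TENANT_CTX (it is the one named in CREATE CONTEXT).
  PROCEDURE set_tenant (p_client_id VARCHAR2, p_tenant_id VARCHAR2, p_app VARCHAR2) IS
  BEGIN
    -- Visible only in sessions logged in as APPSRV that carry this client id.
    DBMS_SESSION.SET_CONTEXT('tenant_ctx', 'tenant_id', p_tenant_id, 'APPSRV', p_client_id);
    DBMS_SESSION.SET_CONTEXT('tenant_ctx', 'app',       p_app,       'APPSRV', p_client_id);
  END set_tenant;

  PROCEDURE clear_tenant (p_client_id VARCHAR2) IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('tenant_ctx', p_client_id);
  END clear_tenant;
END tenant_ctx_pkg;
/

-- 2. Policy functions build the predicate from the context, never from client input.
--    With no tenant set, "tenant_id = NULL" is never true, so the query returns nothing.
CREATE OR REPLACE FUNCTION hosted.tenant_predicate (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'tenant_id = SYS_CONTEXT(''tenant_ctx'', ''tenant_id'')';
END tenant_predicate;
/
CREATE OR REPLACE FUNCTION hosted.posted_only (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'status = ''POSTED''';
END posted_only;
/

-- 3. Partitioned fine-grained access control. The tenant policy goes in the
--    SYS_DEFAULT group (ADD_POLICY), so it applies whatever the driving context
--    says; the REPORTING group applies only when TENANT_CTX.APP = 'REPORTING'.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema => 'HOSTED', object_name => 'INVOICES', policy_name => 'TENANT_ISOLATION',
    function_schema => 'HOSTED', policy_function => 'TENANT_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE, enabled => TRUE);

  DBMS_RLS.CREATE_POLICY_GROUP('HOSTED', 'INVOICES', 'REPORTING');
  DBMS_RLS.ADD_GROUPED_POLICY(
    object_schema => 'HOSTED', object_name => 'INVOICES', policy_group => 'REPORTING',
    policy_name => 'REPORTS_SEE_POSTED_ONLY',
    function_schema => 'HOSTED', policy_function => 'POSTED_ONLY',
    statement_types => 'SELECT', update_check => FALSE, enabled => TRUE);

  -- Driving context: which policy group is active comes from TENANT_CTX.APP.
  DBMS_RLS.ADD_POLICY_CONTEXT('HOSTED', 'INVOICES', 'TENANT_CTX', 'APP');
END;
/

-- 4. Per request, on a pooled APPSRV session: tag the session with the real
--    user's identifier, run the work, and clear the tag before returning the
--    session to the pool (otherwise the next borrower inherits this tenant).
BEGIN
  hosted.tenant_ctx_pkg.set_tenant('alice@acme', 'ACME', 'REPORTING');
  DBMS_SESSION.SET_IDENTIFIER('alice@acme');
END;
/
SELECT invoice_id, amount FROM hosted.invoices;   -- ACME's posted invoices only
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
  hosted.tenant_ctx_pkg.clear_tenant('alice@acme');
END;
/
```

Putting tenant isolation in SYS_DEFAULT rather than in a named group is deliberate: a policy in a group is skipped whenever the driving context names a different group (or none), which is exactly the failure you cannot afford in a hosted database. The update_check flag on the tenant policy also stops an INSERT or UPDATE from writing a row that the session would then be unable to see.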
Other changes include:
fine-grained auditing - this allows selective auditing of SELECT statements through audit policies defined on a table: an audit record, including the statement text and any bind variable values, is written only when the query touches a nominated column and returns a row matching the policy's condition. This is a feature that could be extremely useful for tracking access to highly sensitive information without drowning in records for routine queries.
Web-based single sign-on - this enables users to authenticate themselves once and then gain access to multiple web applications without being required to re-authenticate. Web-based single sign-on is provided by the Login Server, which is part of Oracle Portal 3.0.
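As an added example (not from the article), here is a fine-grained auditing policy in Oracle 9i, a bind-variable query that triggers it, and the query a DBA would use to read the resulting records. The table HR.EMPLOYEES with its LAST_NAME, SALARY and DEPARTMENT_ID columns is assumed; the VARIABLE and EXEC lines are SQL*Plus commands.

```sql
-- Added example, not the article's code. Assumed: table HR.EMPLOYEES with
-- columns LAST_NAME, SALARY and DEPARTMENT_ID.

-- 1. Audit SELECTs that reference SALARY and return at least one row with
--    salary > 150000. Queries that do not touch SALARY, or that return only
--    lower salaries, produce no record at all.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUDIT_EXEC_SALARY',
    audit_condition => 'salary > 150000',
    audit_column    => 'SALARY',
    handler_schema  => NULL,     -- optional alert procedure taking (schema, table, policy)
    handler_module  => NULL,
    enable          => TRUE);
END;
/

-- 2. A query with a bind variable. Conventional AUDIT would only tell you that
--    EMPLOYEES was read; FGA captures the statement and the bound value.
VARIABLE dept NUMBER
EXEC :dept := 90
SELECT last_name, salary FROM hr.employees WHERE department_id = :dept;

-- 3. Read the trail. SQL_BIND holds the bind values; CLIENT_ID is the client
--    identifier, which is what names the real user behind a pooled session.
SELECT timestamp, db_user, client_id, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUDIT_EXEC_SALARY'
ORDER  BY timestamp;

-- 4. Housekeeping: switch the policy off, or remove it, when no longer needed.
BEGIN
  DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'AUDIT_EXEC_SALARY');
  -- DBMS_FGA.DROP_POLICY('HR', 'EMPLOYEES', 'AUDIT_EXEC_SALARY');
END;
/
```

Two things to check before relying on it: in 9i the policy fires for SELECT only, so DML against the same column is not covered, and the audit condition is evaluated against rows actually returned, so a query that filters the sensitive rows out leaves no trace.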
Improved User Security
Enhancements have been made to Enterprise User Security to enable the management of password-authenticated users in Oracle Internet Directory or other LDAP directories such as Novell Directory Services and Microsoft Active Directory (previously enterprise users had to authenticate with SSL certificates). Oracle Names servers are deprecated, but they can be configured as proxies to LDAP directories to ease migration.
A potentially more significant change, however, is the locking of the "extra" accounts used for demonstration and testing. With Oracle 9i all the default accounts except for SYS, SYSTEM and SCOTT are locked and expired on creation and have to be manually unlocked (with the "alter user <user> account unlock" command) before they can be used. The point of this is obviously to close the loopholes that would be left if these accounts weren't dropped after installation, and as there are quite a number of accounts created by default, many with well-known passwords, this is a welcome move from Oracle. It is not a substitute for checking, though: the exact set of accounts left open depends on how the database was created, so verify with DBA_USERS, and remember that SCOTT itself ships open with its well-known password.
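The check a DBA would actually run after installation, as an added example that is not part of the article; CTXSYS stands in for "an account you have decided you really need", and the profile values are illustrative.

```sql
-- Added example, not the article's code. Run as SYSDBA after installation.

-- 1. Do not trust a list of "what the installer locks": look.
SELECT username, account_status, created
FROM   dba_users
ORDER  BY account_status, username;

-- 2. The demo schema ships OPEN with a well-known password; lock it or drop it.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
-- DROP USER scott CASCADE;   -- if nothing depends on it

-- 3. Anything else still OPEN that you cannot account for gets the same treatment
--    (DBSNMP, for instance, if it is present, open and you run no Intelligent Agent).
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Unlocking is deliberate, one account at a time, and comes with a new
--    password rather than the documented default.
ALTER USER ctxsys ACCOUNT UNLOCK;                        -- only if Oracle Text is used
ALTER USER ctxsys IDENTIFIED BY new_ctxsys_password;     -- placeholder

-- 5. Limit what a guessed or leaked password can do: lock after repeated
--    failures and force periodic change.
CREATE PROFILE app_default LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24      -- one hour, expressed in days
  PASSWORD_LIFE_TIME    90;
ALTER USER ctxsys PROFILE app_default;

-- 6. Re-check: the OPEN list should now contain only names you can justify.
SELECT username FROM dba_users WHERE account_status = 'OPEN' ORDER BY username;
```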
Data Encryption Features
To cater for situations when the information held in the database is especially sensitive and must be protected against access even by a DBA, Oracle provide the DBMS_OBFUSCATION_TOOLKIT package, which can be used to encrypt data at the column level (it supports DES and Triple DES encryption plus MD5 hashing; single DES, with its 56-bit key, should not be relied on for anything sensitive). In Oracle 9i the toolkit has been enhanced with a secure random number generator, which Oracle describe as FIPS 140 certified, for generating keys. This matters because a cipher is only as strong as the unpredictability of its key: a key derived from a weak or guessable source can be recovered no matter how strong the algorithm. Note that the toolkit does nothing about key management; if the key is stored in the database, a DBA can read it, so keeping data from a DBA means holding the key in the application tier or somewhere else outside the database.
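An added example (not from the article) of encrypting a column value with the toolkit's Triple DES routines and a key from its random number generator. The table HR.EMP_SECRET and the seed string are constructed for the example, and the key is generated and used inside one block purely so that the example runs stand-alone; in practice the key must be supplied by, and kept in, the application tier.

```sql
-- Added example, not the article's code. Assumed: table HR.EMP_SECRET
-- (emp_id NUMBER, ssn_enc RAW(32)); the seed string is constructed for the
-- example. A fixed seed is itself a weakness: feed the generator real entropy.
DECLARE
  l_seed   RAW(256) := UTL_RAW.CAST_TO_RAW(
    'constructed seed for this example only: replace with genuinely random bytes gathered in the application tier, not a fixed string');
  l_key    RAW(24);   -- three-key Triple DES: 24 bytes
  l_plain  RAW(16);
  l_cipher RAW(16);
  l_back   RAW(16);
BEGIN
  -- 1. Key from the 9i random number generator (ThreeKeyMode = 1).
  DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode, l_seed, l_key);

  -- 2. Input length must be a multiple of 8 bytes: pad to 16 characters.
  l_plain := UTL_RAW.CAST_TO_RAW(RPAD('123-45-6789', 16));

  -- 3. Encrypt and store RAW. With no IV supplied the chaining starts from a
  --    fixed value, so identical plaintexts give identical ciphertexts; pass
  --    an IV (fifth argument) if that leaks something in your data.
  DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(l_plain, l_key, l_cipher,
                                       DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode);
  INSERT INTO hr.emp_secret (emp_id, ssn_enc) VALUES (1001, l_cipher);

  -- 4. Anyone reading EMP_SECRET without the key sees 16 random-looking bytes;
  --    with the key the value comes back.
  DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(l_cipher, l_key, l_back,
                                       DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode);
  DBMS_OUTPUT.PUT_LINE(RTRIM(UTL_RAW.CAST_TO_VARCHAR2(l_back)));
END;
/
```

Everything that decides whether this protects the data from a DBA happens outside this block: where l_key lives, who can call the code that holds it, and whether the padded plaintext ever appears in a trace or audit record.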
Oracle Label Security
Oracle Label Security is an optional add-on to the Enterprise Edition of Oracle 9i that is built on top of the fine-grained access control mechanism. It works by adding a label column to each table that needs to be secured and tagging every row with a label, and therefore does not require the policy-function programming normally associated with fine-grained access control. Access to a row is determined by comparing the user's label authorisations with the label attached to the row; in the simplest case this is a hierarchical sensitivity level, but labels can also carry compartments and groups for need-to-know and organisational separation.
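As an added example (not from the article), here is a minimal Label Security setup using levels only, with no compartments or groups. The policy HR_POL, its label column HR_LABEL, the table HR.EMPLOYEES (columns LAST_NAME, JOB_ID) and the users ALICE and BOB are hypothetical, and the Oracle Label Security option must be installed.

```sql
-- Added example, not the article's code. Requires the Oracle Label Security option.
-- Assumed: policy HR_POL with label column HR_LABEL, table HR.EMPLOYEES
-- (columns LAST_NAME, JOB_ID), users ALICE and BOB. Steps 1-4 run as a Label
-- Security administrator, step 5 as HR, step 6 as BOB or ALICE.

-- 1. The policy: names the column OLS will add to every protected table.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name => 'HR_POL', column_name => 'HR_LABEL');
END;
/
-- 2. Two levels (larger number = more sensitive) and a label for each.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'CONF', 'CONFIDENTIAL');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POL', 2000, 'CONF');
END;
/
-- 3. Let the schema owner bypass the policy (FULL) so it can label existing rows,
--    then apply the policy: READ_CONTROL filters reads, WRITE_CONTROL filters
--    writes, LABEL_DEFAULT stamps new rows with the session's default row label.
BEGIN
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POL', 'HR', 'FULL');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POL',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/
-- 4. Authorisations: maximum, minimum, default and row level for each user.
BEGIN
  SA_USER_ADMIN.SET_LEVELS('HR_POL', 'ALICE', 'CONF', 'PUB', 'CONF', 'CONF');
  SA_USER_ADMIN.SET_LEVELS('HR_POL', 'BOB',   'PUB',  'PUB', 'PUB',  'PUB');
END;
/
-- 5. As HR: label the rows. HR_LABEL holds a numeric tag; CHAR_TO_LABEL converts.
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'CONF') WHERE job_id = 'AD_PRES';
UPDATE hr.employees SET hr_label = CHAR_TO_LABEL('HR_POL', 'PUB')  WHERE hr_label IS NULL;
COMMIT;
-- 6. As BOB this returns only the PUB rows; as ALICE, both.
SELECT last_name, LABEL_TO_CHAR(hr_label) AS sensitivity FROM hr.employees;
```

Step 5 is the one people forget: until every row carries a label, READ_CONTROL hides the unlabelled rows from ordinary users, which looks like data loss rather than security.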
Just in case you were thinking that the administration of this would be a nightmare, Oracle have also introduced an extension to Oracle Enterprise Manager called the Oracle Policy Manager. This provides a graphical user interface to the tree-structured list of policies along with their labels, authorizations and protected objects.
Summary
Oracle has worked hard to live up to its "Unbreakable" boast and has added many new security features to provide what it claims is the most secure application development and deployment platform in the industry. For the DBA the practical wins are the ones that apply by default or cost little to adopt: locked default accounts, proxy authentication so that the end user's identity survives the middle tier, and fine-grained auditing of access to sensitive columns.
---------------------------------------
Looking for more Oracle tips and tricks ? Take a short cut now and subscribe to our monthly ezine jam-packed full of tips and tricks to help you make more of your Oracle systems. Subscribe today and your first issue will soon be winging its way to your mailbox.
Smartsoft Computing Ltd
Bristol, England
Tel: 0845 0031320
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
© Copyright Smartsoft Computing Ltd 2001-2008. All rights reserved.