For Better, Faster, Smarter,
Oracle 9i Database Security Enhancements
This article on changes made to enhance security. in Oracle 9i is one of a series of articles on the new features and
their impact on business and technical issues
Oracle is designed primarily to meet the needs of large enterprises and as the number and types of users increase and
the geographical locations of those users become more diverse, so the more important security (and privacy) become.
The security improvements for Oracle 9i comprise:
enhanced 3-tier security (integration with LDAP)
improved hosting security (through use of virtual private databases), fine-grained auditing and single sign-on
improved user security (more password management features, etc.)
the ability to encrypt stored data
row-level access control (Oracle Label Security)
This article won't explore these new features in great depth, but just
enough to give you an idea of what's changed and what effect this
might have on your role as an oracle dba. If you wish to dig deeper we
can recommend "Oracle 9i New Features" by Robert Freeman which
goes into a lot more detail. For more in-depth training, we offer high
quality, instructor-led courses for developers and dbas. See our Oracle
training page for more details.
Oracle make a great play of the security capabilities of their database
with their "Unbreakable - can't break it, can't break in" slogan and of
the number of security certificates that the Oracle database has
compared with DB2 and SQL Server, but for most of us what happens
in the real world is more important than the number of certificates they
have. Let's take a look, then and see what real-world improvements they have made.
Enhanced 3 Tier Security
3-tier security has been enhanced in Oracle 9i by proxy authentication, which includes the use of X.509 certificates or
Distinguished Names for credential proxy, support for thick JDBC, connection pooling for users via thick and thin
JDBC and OCI, and integration with LDAP. The aim of this is to provide the option to force users to connect to the
database via a middle tier and to ensure that user identities are maintained across all tiers of the application.
Other changes in this area include enhancements to the DBMS_LDAP package which is now supported in shared
server mode and dedicated server mode. The following packages: UTL_INADDR, UTL_HTTP, UTL_TCP and
UTL_SMTP have also been enhanced and new packages UTL_URL (for accessing URLs) and UTL_ENCODE (for
encoding mail messages) have been created.
Improved Hosting Security
This area of database security is particularly important for application service providers which need to separate the
data for each of their clients and ensure that each client can see only their own data and not everyone else's.
The changes in this area for virtual private databases comprise partitioned fine-grained access control, global
application contexts and the addition of the Oracle Policy Manager to OEM to improve the management of security
Partitioned fine-grained access control is an enhancement for Oracle 9i to improve support for multiple applications
using the same database, by allowing each application to have its own security policy instead of the "one size fits all"
security policies that were able to be created under Oracle 8i. For example you might have a reporting application and
an oltp application using the same database but each with different security requirements. With Oracle 9i you can
create a different security policy for each application.
Global application contexts enable the use of connection pooling with virtual private databases and thus provides
support for very high-usage (e.g. Web-based) applications. When GACs are used, they are created by the middle tier
and stored in the SGA of the instance and then applied to each session as it connects rather than creating a specific
application context for each session.
Other changes include:
fine-grained auditing - this allows the audit of select statements with bind variables, via the creation of audit
policies and is a feature that could be extremely useful for tracking access to highly sensitive information.
Web-based single sign on - this enables users to authenticate themselves once and then gain access to multiple
web services without being required to re-authenticate themselves. Web-based single sign-on is provided with
Logon Server which is part of Oracle Portal 3.0
Improved User Security
Enhancements have been made to Enterprise User Management to enable the management of password-based users in
Oracle Internet Directory or other LDAP directories such as Novell Directory Services and Microsoft Active
Directory. Oracle Names servers are deprecated, but they can be configured as proxies to LDAP directories to ease
A potentially more significant change, however, is the locking of the "extra" accounts used for demonstration/testing.
With Oracle 9i all the default accounts except for SYS, SYSTEM and SCOTT are locked on creation and have to
be manually unlocked (by use of the “alter user <user> account unlock" command before they can
be used. The point of this is obviously to close any potential security loopholes that would be left if these accounts
weren't dropped after installation and as there are quite a number of these accounts created by default, this is a
sensible move by Oracle.
To cater for situations when the information held in the database is especially sensitive and must be protected against
access even by a dba, Oracle provide the dbms_obfuscation toolkit which can be used to encrypt data at the column
level. In Oracle 9i this has been enhanced to provide a secure random number generator that is FIPS-140 certified.
This enhances the security of the encrypted data by making the key stronger and therefore making it much harder to
crack the key.
Oracle Label Security
This is an optional add-on to the Enterprise Edition of Oracle 9i that is built on top of the fine-grained access control
mechanism. It works by adding a special label (ie. column) to each row of the data in the tables that need to be
secured and therefore does not require the programming normally associated with the use of fine-grained access
control. Access to the data is determined by comparing the user's security level with the label attached to the data.
Just in case you were thinking that the administration of this would be a nightmare, Oracle have also introduced an
extension to Oracle Enterprise Manager called the Oracle Policy Manager. This provides a graphical user interface to
the tree-structured list of policies along with labels, authorizations and protected objects.
See the Oracle9i Security Overview for more details on these features or see our overview of the new features.
Looking to sky-rocket productivity, slash costs and accelerate innovation?
Training is a highly cost-effective, proven method of boosting productivity leaving time, money and staff available for
more innovation. Smartsoft offers instructor-led training in Oracle and related technologies on or off site in cities
across the UK as well as self-study online training. See our training course schedule, or let us know your
Oracle tips and tricks
Subscribe to our newsletter, jam-packed full of tips and tricks to help you slash costs, sky-rocket productivity and
make your systems better, faster and smarter.
Smartsoft Computing Ltd, Bristol, England
Tel: 0845 003 1320
This site uses woopra.com to gather statistical information about our visitors. This data is aggregated to show industry trends (such
as browser share). However, this data shall be the average of many thousands of visits and is in no way linked to individuals. View
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.