
Oracle 9i Database Security Enhancements

This article on the changes made to enhance security in Oracle 9i is one of a series of articles on the new features and their impact on business and technical issues. Oracle is designed primarily to meet the needs of large enterprises, and as the number and types of users increase and the geographical locations of those users become more diverse, security (and privacy) become ever more important.

The security improvements in Oracle 9i comprise:

- enhanced 3-tier security (integration with LDAP)
- improved hosting security (through use of virtual private databases), fine-grained auditing and single sign-on
- improved user security (more password management features, etc.)
- the ability to encrypt stored data
- row-level access control (Oracle Label Security)

This article won't explore these new features in great depth, but just enough to give you an idea of what's changed and what effect this might have on your role as an Oracle DBA. If you wish to dig deeper we can recommend "Oracle 9i New Features" by Robert Freeman, which goes into a lot more detail. For more in-depth training, we offer high quality, instructor-led courses for developers and DBAs. See our Oracle training page for more details.

Oracle make a great play of the security capabilities of their database with their "Unbreakable - can't break it, can't break in" slogan and of the number of security certificates that the Oracle database has compared with DB2 and SQL Server, but for most of us what happens in the real world is more important than the number of certificates they have. Let's take a look, then, and see what real-world improvements they have made.

Enhanced 3 Tier Security

3-tier security has been enhanced in Oracle 9i by proxy authentication, which includes the use of X.509 certificates or Distinguished Names for credential proxy, support for thick JDBC, connection pooling for users via thick and thin JDBC and OCI, and integration with LDAP. The aim of this is to provide the option to force users to connect to the database via a middle tier and to ensure that user identities are maintained across all tiers of the application. Other changes in this area include enhancements to the DBMS_LDAP package which is now supported in shared server mode and dedicated server mode. The following packages: UTL_INADDR, UTL_HTTP, UTL_TCP and UTL_SMTP have also been enhanced and new packages UTL_URL (for accessing URLs) and UTL_ENCODE (for encoding mail messages) have been created.
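As an added example (not from the article), the SQL a DBA would run to set up, review and audit proxy authentication for a middle tier; APP_SERVER, JSMITH and REPORTING_ROLE are assumed names, and REPORTING_ROLE is assumed to be already granted to JSMITH:

```sql
-- Constructed example, not from the article. APP_SERVER (the account the middle
-- tier connects as), JSMITH (an end user) and REPORTING_ROLE (already granted to
-- JSMITH) are assumed names.

-- Let the middle tier open a session as JSMITH without JSMITH's password, but only
-- when it presents the distinguished name from the X.509 certificate the user
-- authenticated with, and with only REPORTING_ROLE enabled in that session.
ALTER USER jsmith GRANT CONNECT THROUGH app_server
  AUTHENTICATED USING DISTINGUISHED NAME
  WITH ROLE reporting_role;

-- Review which accounts each proxy may act for and how it must prove the identity.
SELECT proxy, client, authentication
  FROM proxy_users
 ORDER BY proxy, client;

-- Audit every session the proxy opens on behalf of any user, so the audit trail
-- carries the end user's identity rather than only the pooled account name.
AUDIT SESSION BY app_server ON BEHALF OF ANY;

SELECT username, os_username, timestamp, returncode
  FROM dba_audit_session
 ORDER BY timestamp DESC;

-- Withdraw the proxy right when the application no longer needs it.
ALTER USER jsmith REVOKE CONNECT THROUGH app_server;
```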

Improved Hosting Security

This area of database security is particularly important for application service providers, which need to separate the data for each of their clients and ensure that each client can see only its own data and not everyone else's. The changes in this area for virtual private databases comprise partitioned fine-grained access control, global application contexts and the addition of the Oracle Policy Manager to OEM to improve the management of security policies.

Partitioned fine-grained access control is an enhancement in Oracle 9i to improve support for multiple applications using the same database, by allowing each application to have its own security policy instead of the "one size fits all" security policies that could be created under Oracle 8i. For example, you might have a reporting application and an OLTP application using the same database but each with different security requirements. With Oracle 9i you can create a different security policy for each application.

Global application contexts enable the use of connection pooling with virtual private databases and thus provide support for very high-usage (e.g. Web-based) applications. When GACs are used, they are created by the middle tier and stored in the SGA of the instance and then applied to each session as it connects, rather than a specific application context being created for each session.

Other changes include:

- fine-grained auditing - this allows the auditing of select statements with bind variables, via the creation of audit policies, and is a feature that could be extremely useful for tracking access to highly sensitive information.
- Web-based single sign-on - this enables users to authenticate themselves once and then gain access to multiple web services without being required to re-authenticate. Web-based single sign-on is provided by Logon Server, which is part of Oracle Portal 3.0.
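As an added example (not from the article) of the three mechanisms above working together: a global application context written by a trusted package, a baseline VPD policy in the SYS_DEFAULT group plus an OLTP-only policy group selected by a driving context, and a fine-grained audit policy on a sensitive column. The schema HOST, the table CLIENT_DATA (with CLIENT_ID, STATUS and SALARY columns), the package SEC_PKG and all policy and context names are assumed.

```sql
-- Constructed example, not from the article: schema HOST, table CLIENT_DATA
-- (client_id, status, salary, ...), package SEC_PKG and all names are assumed.
CREATE CONTEXT client_ctx USING host.sec_pkg ACCESSED GLOBALLY;
CREATE OR REPLACE PACKAGE host.sec_pkg AS
  PROCEDURE set_client(p_client IN VARCHAR2, p_app IN VARCHAR2, p_db_user IN VARCHAR2, p_client_id IN VARCHAR2);
  FUNCTION own_rows(p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION live_rows(p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2;
END;
/
CREATE OR REPLACE PACKAGE BODY host.sec_pkg AS
  -- Global context: only this package may write it. Values sit in the SGA keyed by
  -- client identifier; a pooled session inherits them after
  -- DBMS_SESSION.SET_IDENTIFIER(p_client_id), so nothing is built per session.
  PROCEDURE set_client(p_client IN VARCHAR2, p_app IN VARCHAR2, p_db_user IN VARCHAR2, p_client_id IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('client_ctx', 'client', p_client, p_db_user, p_client_id);
    DBMS_SESSION.SET_CONTEXT('client_ctx', 'active_app', p_app, p_db_user, p_client_id);
  END;
  -- Baseline for every application: a client sees only its own rows.
  FUNCTION own_rows(p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN 'client_id = SYS_CONTEXT(''client_ctx'', ''client'')'; END;
  -- Extra rule for the OLTP application only: it never touches archived rows.
  FUNCTION live_rows(p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN 'status <> ''ARCHIVED'''; END;
END;
/
-- Partitioned fine-grained access control. The baseline policy goes in the
-- SYS_DEFAULT group, which applies to every session whatever the driving context
-- says, so a session that never sets ACTIVE_APP is still confined to one client.
-- Application-specific policies live in named groups selected by ACTIVE_APP.
BEGIN
  DBMS_RLS.ADD_POLICY('HOST', 'CLIENT_DATA', 'OWN_ROWS', 'HOST', 'SEC_PKG.OWN_ROWS',
                      'SELECT,INSERT,UPDATE,DELETE', TRUE);
  DBMS_RLS.CREATE_POLICY_GROUP('HOST', 'CLIENT_DATA', 'REPORTING');
  DBMS_RLS.CREATE_POLICY_GROUP('HOST', 'CLIENT_DATA', 'OLTP');
  DBMS_RLS.ADD_GROUPED_POLICY('HOST', 'CLIENT_DATA', 'OLTP', 'OLTP_LIVE_ROWS',
                              'HOST', 'SEC_PKG.LIVE_ROWS', 'SELECT,UPDATE,DELETE');
  DBMS_RLS.ADD_POLICY_CONTEXT('HOST', 'CLIENT_DATA', 'client_ctx', 'active_app');
END;
/
-- Fine-grained auditing: record SELECTs that actually read SALARY on rows over the
-- threshold; hits, with SQL text and bind values, appear in DBA_FGA_AUDIT_TRAIL.
BEGIN
  DBMS_FGA.ADD_POLICY(object_schema => 'HOST', object_name => 'CLIENT_DATA',
                      policy_name => 'SALARY_READS',
                      audit_condition => 'salary > 100000', audit_column => 'salary');
END;
/
```

The reporting application gets only the baseline policy (its group is created empty here), while a session whose ACTIVE_APP is OLTP gets the baseline plus the live-rows restriction.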

Improved User Security

Enhancements have been made to Enterprise User Management to enable the management of password-based users in Oracle Internet Directory or other LDAP directories such as Novell Directory Services and Microsoft Active Directory. Oracle Names servers are deprecated, but they can be configured as proxies to LDAP directories to ease migration. A potentially more significant change, however, is the locking of the "extra" accounts used for demonstration/testing. With Oracle 9i all the default accounts except for SYS, SYSTEM and SCOTT are locked on creation and have to be manually unlocked (by use of the "alter user <user> account unlock" command) before they can be used. The point of this is obviously to close any potential security loopholes that would be left if these accounts weren't dropped after installation, and as there are quite a number of these accounts created by default, this is a sensible move by Oracle.

Data Encryption

To cater for situations when the information held in the database is especially sensitive and must be protected against access even by a DBA, Oracle provide the DBMS_OBFUSCATION_TOOLKIT package, which can be used to encrypt data at the column level. In Oracle 9i this has been enhanced to provide a secure random number generator that is FIPS-140 certified. This enhances the security of the encrypted data by making the key stronger and therefore making it much harder to crack the key.
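As an added example (not from the article), a PL/SQL block that draws a triple-DES key from the toolkit's 9i random number generator, encrypts a column value and checks the round trip; the value is constructed, and the call shapes are those of the 9i DBMS_OBFUSCATION_TOOLKIT as documented (DES3GetKey, DES3Encrypt, DES3Decrypt):

```sql
-- Constructed example, not from the article; the plaintext is made up.
-- DES3GetKey draws the key from the FIPS 140 certified generator, seeded by an
-- 80-byte value the caller supplies; DES3Encrypt/DES3Decrypt take RAW input
-- whose length must be a multiple of 8 bytes (otherwise ORA-28232 is raised).
DECLARE
  l_plain  VARCHAR2(64) := 'card 4111-0000-0000-0000';   -- constructed value
  l_seed   RAW(80);
  l_key    RAW(24);                                      -- 24 bytes: three-key 3DES
  l_input  RAW(64);
  l_cipher RAW(64);
  l_back   VARCHAR2(64);
  l_padlen PLS_INTEGER;
BEGIN
  -- The seed must come from the caller; build it from a fresh GUID and the
  -- fractional time so it differs on every run.
  l_seed := UTL_RAW.CAST_TO_RAW(RPAD(SYS_GUID() || TO_CHAR(SYSTIMESTAMP, 'FF9'), 80, '0'));
  l_key  := DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
              which => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode, seed => l_seed);

  -- Pad with NUL bytes up to the next 8-byte boundary; strip them after decryption.
  l_padlen := 8 - MOD(LENGTHB(l_plain), 8);
  l_input  := UTL_RAW.CAST_TO_RAW(RPAD(l_plain, LENGTHB(l_plain) + l_padlen, CHR(0)));

  l_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                input => l_input, key => l_key,
                which => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode);

  -- l_cipher is what goes into a RAW column. Keep l_key out of the same table
  -- (hold it in the application, wrapped), otherwise anyone who can read the
  -- row, a DBA included, can also read the key and the protection is lost.

  l_back := RTRIM(UTL_RAW.CAST_TO_VARCHAR2(
              DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
                input => l_cipher, key => l_key,
                which => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode)), CHR(0));

  IF l_back <> l_plain THEN
    RAISE_APPLICATION_ERROR(-20001, 'round trip failed');
  END IF;
  DBMS_OUTPUT.PUT_LINE('cipher bytes: ' || UTL_RAW.LENGTH(l_cipher));
END;
/
```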

Oracle Label Security

This is an optional add-on to the Enterprise Edition of Oracle 9i that is built on top of the fine-grained access control mechanism. It works by adding a special label (i.e. a column) to each row of the data in the tables that need to be secured, and therefore does not require the programming normally associated with the use of fine-grained access control. Access to the data is determined by comparing the user's security level with the label attached to the data. Just in case you were thinking that the administration of this would be a nightmare, Oracle have also introduced an extension to Oracle Enterprise Manager called the Oracle Policy Manager. This provides a graphical user interface to the tree-structured list of policies along with labels, authorizations and protected objects.

See the Oracle9i Security Overview for more details on these features, or see our overview of the new features.