Oracle 12c security implementation guide

Oracle® Database Security Guide 12c Release 1 (12.1) E17607-24 February 2014


Don't forget to leave a comment, and to visit and recommend my blog http://ottojaimepaiz.blogspot.com/

Transcript of Oracle 12c security implementation guide


Copyright © 2006, 2014, Oracle and/or its affiliates. All rights reserved.

Primary Author: Patricia Huey

Contributing Author: Sumit Jeloka

Contributor: The Oracle Database 12c documentation is dedicated to Mark Townsend, who was an inspiration to all who worked on this release.

Contributors: Suraj Adhikari, Tammy Bednar, Todd Bottger, Leo Cloutier, Naveen Gopal, Peter Knaggs, Andre Kruklikov, Bryn Llewellyn, Rahil Mir, Gopal Mulagund, Paul Needham, Robert Pang, Dilip Raj, Kathy Rich, Vipin Samar, Sachin Sonawane, James Spiller, Srividya Tata, Kamal Tbeileh

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
Contents

Preface  xxxvii
  Audience  xxxvii
  Documentation Accessibility  xxxvii
  Related Documents  xxxviii
  Conventions  xxxviii

Changes in This Release for Oracle Database Security Guide  xxxix
  Changes in Oracle Database Security 12c Release 1 (12.1)  xxxix

1 Introduction to Oracle Database Security
  About Oracle Database Security  1-1
  Additional Oracle Database Security Resources  1-3

Part I Managing User Authentication and Authorization

2 Managing Security for Oracle Database Users
  About User Security  2-1
  Creating User Accounts  2-1
    About Common Users and Local Users  2-2
      About Common Users  2-2
      How Plugging in PDBs Affects Common Users  2-3
      About Local Users  2-3
    Who Can Create User Accounts?  2-4
    Creating a New User Account  2-4
    Specifying a User Name  2-5
    Assigning the User a Password  2-6
    Assigning a Default Tablespace for the User  2-6
    Assigning a Tablespace Quota for the User  2-7
      Restricting the Quota Limits for User Objects in a Tablespace  2-8
      Granting Users the UNLIMITED TABLESPACE System Privilege  2-8
    Assigning a Temporary Tablespace for the User  2-8
    Specifying a Profile for the User  2-9
    Creating a Common User or a Local User  2-10
      Creating Common User Accounts  2-10
      Creating Local User Accounts  2-11
    Setting a Default Role for the User  2-11
  Altering User Accounts  2-12
    About Altering User Accounts  2-12
    Using the ALTER USER Statement to Alter Common or Local User Accounts  2-12
    Changing Non-SYS User Passwords  2-13
    Changing the SYS User Password  2-14
  Configuring User Resource Limits  2-14
    About User Resource Limits  2-14
    Types of System Resources and Limits  2-15
      Limiting the User Session Level  2-15
      Limiting Database Call Levels  2-15
      Limiting CPU Time  2-16
      Limiting Logical Reads  2-16
      Limiting Other Resources  2-16
    Determining Values for Resource Limits of Profiles  2-17
    Managing Resources with Profiles  2-17
      About Profiles  2-18
      Creating a Profile  2-18
      Dropping Profiles  2-19
  Deleting User Accounts  2-19
  Database User and Profile Data Dictionary Views  2-21
    Data Dictionary Views That List Information About Users and Profiles  2-21
    Listing All Users and Associated Information  2-22
    Listing All Tablespace Quotas  2-22
    Listing All Profiles and Assigned Limits  2-23
    Viewing Memory Use for Each User Session  2-24

3 Configuring Authentication
  About Authentication  3-1
  Configuring Password Protection  3-1
    What Are the Oracle Database Built-in Password Protections?  3-2
    Minimum Requirements for Passwords  3-3
    Creating a Password  3-3
    Using a Password Management Policy  3-3
      About Managing Passwords  3-4
      Finding User Accounts That Have Default Passwords  3-4
      Configuring Password Settings in the Default Profile  3-4
      Disabling and Enabling the Default Password Security Settings  3-6
      Automatically Locking a User Account After a Failed Login  3-6
      Controlling User Ability to Reuse Previous Passwords  3-7
      Controlling Password Aging and Expiration  3-8
      Password Change Life Cycle  3-9
      Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value  3-10
    Managing the Complexity of Passwords  3-11
      About Password Complexity Verification  3-11
      How Oracle Database Checks the Complexity of Passwords  3-12
      Customizing Password Complexity Verification  3-13
    Enabling Password Case Sensitivity  3-14
      About Enabling Password Case Sensitivity  3-14
      Procedure for Enabling Password Case Sensitivity  3-15
      Managing Case Sensitivity for Secure Role Passwords  3-15
      Finding and Managing Password Versions of Users  3-15
      How Case Sensitivity Affects Password Files  3-16
      How Case Sensitivity Affects Passwords Used in Database Link Connections  3-17
    Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm  3-17
    Managing the Secure External Password Store for Password Credentials  3-18
      About the Secure External Password Store  3-18
      How Does the External Password Store Work?  3-19
      Configuring Clients to Use the External Password Store  3-20
      Managing External Password Store Credentials  3-22
  Authenticating Database Administrators  3-23
    About Authenticating Database Administrators  3-24
    Strong Authentication and Centralized Management for Database Administrators  3-24
      About Strong Authentication for Database Administrators  3-24
      Configuring Directory Authentication for Administrative Users  3-24
      Configuring Kerberos Authentication for Administrative Users  3-25
      Configuring Secure Sockets Layer Authentication for Administrative Users  3-26
    Authenticating Database Administrators by Using the Operating System  3-26
    Authenticating Database Administrators by Using Their Passwords  3-27
    Risks of Using Password Files for Database Administrator Authentication  3-28
  Using the Database to Authenticate Users  3-28
    About Database Authentication  3-28
    Advantages of Database Authentication  3-29
    Creating a User Who Is Authenticated by the Database  3-29
  Using the Operating System to Authenticate Users  3-29
  Using the Network to Authenticate Users  3-30
    Authentication Using Secure Sockets Layer  3-30
    Authentication Using Third-Party Services  3-31
  Configuring Global User Authentication and Authorization  3-32
    About Configuring Global User Authentication and Authorization  3-33
    Creating a User Who Is Authorized by a Directory Service  3-33
      Creating a Global User Who Has a Private Schema  3-33
      Creating Multiple Enterprise Users Who Share Schemas  3-33
    Advantages of Global Authentication and Global Authorization  3-34
  Configuring an External Service to Authenticate Users and Passwords  3-34
    About External Authentication  3-35
    Advantages of External Authentication  3-35
    Creating a User Who Is Authenticated Externally  3-36
    Authenticating User Logins Using the Operating System  3-36
    Authenticating User Logins Using Network Authentication  3-36
  Using Multitier Authentication and Authorization  3-36
    Administration and Security in Clients, Application Servers, and Database Servers  3-37
  Preserving User Identity in Multitiered Environments  3-38
    Using a Middle Tier Server for Proxy Authentication  3-39
      About Proxy Authentication  3-39
      Advantages of Proxy Authentication  3-39
      Who Can Create Proxy User Accounts?  3-40
      Creating Proxy User Accounts and Authorizing Users to Connect Through Them  3-41
      Using Proxy Authentication with the Secure External Password Store  3-42
      Passing Through the Identity of the Real User by Using Proxy Authentication  3-43
      Limiting the Privilege of the Middle Tier  3-43
      Authorizing a Middle Tier to Proxy and Authenticate a User  3-44
      Authorizing a Middle Tier to Proxy a User Authenticated by Other Means  3-45
      Reauthenticating the User Through the Middle Tier to the Database  3-45
    Using Client Identifiers to Identify Application Users Not Known to the Database  3-46
      About Client Identifiers  3-46
      How Client Identifiers Work in Middle Tier Systems  3-47
      Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity  3-47
      Using CLIENT_IDENTIFIER Independent of Global Application Context  3-47
      Using the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier  3-48
  User Authentication Data Dictionary Views  3-50

4 Configuring Privilege and Role Authorization
  About Privileges and Roles  4-2
  Who Should Be Granted Privileges?  4-2
  How the Oracle Multitenant Option Affects Privileges  4-3
  Managing Administrative Privileges  4-4
    About Administrative Privileges  4-4
    Granting Administrative Privileges to Users  4-4
    SYSDBA and SYSOPER Administrative Privileges for Standard Database Operations  4-4
    SYSBACKUP Administrative Privilege for Backup and Recovery Operations  4-4
    SYSDG Administrative Privilege for Oracle Data Guard Operations  4-6
    SYSKM Administrative Privilege for Transparent Data Encryption  4-7
  Managing System Privileges  4-7
    About System Privileges  4-7
    Why Is It Important to Restrict System Privileges?  4-8
      About the Importance of Restricting System Privileges  4-8
      Restricting System Privileges by Securing the Data Dictionary  4-8
      Allowing Access to Objects in the SYS Schema  4-9
    Granting and Revoking a System Privilege  4-9
    Who Can Grant or Revoke System Privileges?  4-10
    About ANY Privileges and the PUBLIC Role  4-10
  Managing Commonly and Locally Granted Privileges  4-11
    About Commonly and Locally Granted Privileges  4-11
    How Commonly Granted System Privileges Work  4-12
    How Commonly Granted Object Privileges Work  4-12
    Granting or Revoking Privileges to Access a PDB  4-13
    Enabling Common Users to View Information About Container Objects  4-13
      Viewing Data Pertaining to Root, CDB, and PDBs While Connected to Root  4-13
      Enabling Common Users to Access Data in Specific PDBs  4-14
  Managing Common Roles and Local Roles  4-15
    About Common Roles and Local Roles  4-15
    How Common Roles Work  4-16
    How the PUBLIC Role Works in a Multitenant Environment  4-16
    Privileges Required to Create, Modify, or Drop a Common Role  4-16
    Creating a Common Role  4-16
    Creating a Local Role  4-17
    Granting or Revoking Common Roles and Local Roles  4-17
  Managing User Roles  4-18
    About User Roles  4-18
      What Are User Roles?  4-19
      The Functionality of Roles  4-19
      Properties of Roles and Why They Are Advantageous  4-19
      Typical Uses of Roles  4-20
      How Roles Affect the Scope of a User's Privileges  4-21
      How Roles Work in PL/SQL Blocks  4-21
      How Roles Aid or Restrict DDL Usage  4-22
      How Operating Systems Can Aid Roles  4-23
      How Roles Work in a Distributed Environment  4-23
    Predefined Roles in an Oracle Database Installation  4-23
    Creating a Role  4-30
      About the Creation of Roles  4-31
      Creating a Role That Is Authorized With or Without a Password  4-31
      Creating a Role That Is External or Global  4-32
      Altering a Role  4-32
    Specifying the Type of Role Authorization  4-32
      Authorizing a Role by Using the Database  4-32
      Authorizing a Role by Using an Application  4-33
      Authorizing a Role by Using an External Source  4-33
      Authorizing a Role by Using the Operating System  4-34
      Authorizing a Role by Using a Network Client  4-34
      Global Role Authorization by an Enterprise Directory Service  4-34
    Granting and Revoking Roles  4-35
      About Granting and Revoking Roles  4-35
      Who Can Grant or Revoke Roles?  4-35
      Granting and Revoking Roles to Program Units  4-36
    Dropping Roles  4-36
    Restricting SQL*Plus Users from Using Database Roles  4-36
      Potential Security Problems of Using Ad Hoc Tools  4-36
      How the PRODUCT_USER_PROFILE System Table Can Limit Roles  4-37
      How Stored Procedures Can Encapsulate Business Logic  4-37
    Securing Role Privileges by Using Secure Application Roles  4-38
  Managing Object Privileges  4-38
    About Object Privileges  4-39
    Who Can Grant Object Privileges?  4-39
    Granting and Revoking Object Privileges  4-39
      About Granting and Revoking Object Privileges  4-39
      How the ALL Clause Grants or Revokes All Available Object Privileges  4-40
    Using Object Privileges with Synonyms  4-40
  Managing Table Privileges  4-41
    About Managing Table Privileges  4-41
    How Table Privileges Affect Data Manipulation Language Operations  4-41
    How Table Privileges Affect Data Definition Language Operations  4-42
  Managing View Privileges  4-42
    About View Privileges  4-42
    Privileges Required to Create Views  4-42
    Increasing Table Security with Views  4-43
  Managing Procedure Privileges  4-44
    Using the EXECUTE Privilege for Procedure Privileges  4-44
    Procedure Execution and Security Domains  4-44
    System Privileges Required to Create or Replace a Procedure  4-44
    System Privileges Required to Compile a Procedure  4-45
    How Procedure Privileges Affect Packages and Package Objects  4-45
      About the Effect of Procedure Privileges on Packages and Package Objects  4-45
      Procedure Privileges and Packages and Package Objects: Example 1  4-45
      Procedure Privileges and Packages and Package Objects: Example 2  4-46
  Managing Type Privileges  4-47
    System Privileges for Named Types  4-47
    Object Privileges for Named Types  4-47
    Method Execution Model for Named Types  4-47
    Privileges Required to Create Types and Tables Using Types  4-48
    Example of Privileges for Creating Types and Tables Using Types  4-48
    Privileges on Type Access and Object Access  4-49
    Type Dependencies  4-50
  Granting User Privileges and Roles  4-51
    Granting System Privileges and Roles to Users and Roles  4-51
      Granting the ADMIN Option  4-51
      Creating a New User with the GRANT Statement  4-52
    Granting Object Privileges to Users and Roles  4-52
      About Granting Object Privileges to Users and Roles  4-52
      How the WITH GRANT OPTION Clause Works  4-53
      Granting Object Privileges on Behalf of the Object Owner  4-53
      Granting Privileges on Columns  4-54
      Row-Level Access Control  4-55
  Revoking Privileges and Roles from a User  4-55
    Revoking System Privileges and Roles  4-55
    Revoking Object Privileges  4-55
      Revoking Object Privileges on Behalf of the Object Owner  4-56
      Revoking Column-Selective Object Privileges  4-57
      Revoking the REFERENCES Object Privilege  4-57
    Cascading Effects of Revoking Privileges  4-57
      Cascading Effects When Revoking System Privileges  4-57
      Cascading Effects When Revoking Object Privileges  4-58
  Granting Privileges to and Revoking Privileges from the PUBLIC Role  4-58
  Granting Roles Using the Operating System or Network  4-59
    About Granting Roles Using the Operating System or Network  4-59
    Operating System Role Identification  4-60
    Operating System Role Management  4-60
    Role Grants and Revokes When OS_ROLES Is Set to TRUE  4-61
    Role Enablements and Disablements When OS_ROLES Is Set to TRUE  4-61
    Network Connections with Operating System Role Management  4-61
  When Do Grants and Revokes Take Effect?  4-61
    How the SET ROLE Statement Affects Grants and Revokes  4-62
    Specifying Default Roles  4-62
    The Maximum Number of Roles That a User Can Enable  4-63
  User Privilege and Role Data Dictionary Views
4-63Listing All System Privilege Grants............................................................................................. 4-65Listing All Role Grants................................................................................................................... 4-65Listing Object Privileges Granted to a User................................................................................ 4-65Listing the Current Privilege Domain of Your Session............................................................. 4-66Listing Roles of the Database........................................................................................................ 4-67Listing Information About the Privilege Domains of Roles..................................................... 4-675 Managing Security for Definers Rights and Invokers RightsAbout Definers Rights and Invokers Rights .................................................................................... 5-1How Procedure Privileges Affect Definers Rights........................................................................... 5-1How Procedure Privileges Affect Invokers Rights........................................................................... 5-3When You Should Create Invokers Rights Procedures................................................................... 5-3Controlling Invokers Rights Privileges for Procedure Calls and View Access .......................... 5-4How the Privileges of a Schema Affect the Use of Invokers Rights Procedures..................... 5-4How the INHERIT [ANY] PRIVILEGES Privileges Control Privilege Access.......................... 5-5Granting the INHERIT PRIVILEGES Privilege to Other Users................................................... 5-5Granting the INHERIT ANY PRIVILEGES Privilege to Other Users ....................................... 5-6Managing the INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES Privileges.............. 
5-6Controlling Definers Rights and Invokers Rights in Views......................................................... 5-7About Controlling Definers Rights and Invokers Rights in Views.......................................... 5-7Using the BEQUEATH Clause in the CREATE VIEW Statement............................................... 5-7Finding the User Name or User ID of the Invoking User............................................................ 5-8Finding BEQUEATH DEFINER and BEQUEATH_CURRENT_USER Views.......................... 5-8Using Code Based Access Control for Definers Rights and Invokers Rights............................ 5-9About Using Code Based Access Control for Applications......................................................... 5-9Who Can Grant Code Based Access Control Roles to a Program Unit?.................................... 5-9How Control Based Access Works with Invokers Rights Program Units............................. 5-10How Control Based Access Control Works with Definers Rights Program Units............... 5-11Granting and Revoking Database Roles to a Program Unit..................................................... 5-12Tutorial: Controlling Access to Sensitive Data Using Code Based Access Control.............. 5-13About This Tutorial................................................................................................................. 5-13Step 1: Create the User and Grant HR the CREATE ROLE Privilege.............................. 5-13Step 2: Create the print_employees Invokers Rights Procedure...................................... 5-14Step 3: Create the hr_clerk Role and Grant Privileges for It.............................................. 5-14Step 4: Test the Code Based Access Control HR.print_employees Procedure............... 5-15 10. xStep 5: Create the view_emp_role Role and Grant Privileges for It................................. 
5-15Step 6: Test the HR.print_employees Procedure Again..................................................... 5-15Step 7: Remove the Components for This Tutorial............................................................. 5-166 Managing Fine-Grained Access in PL/SQL Packages and TypesAbout Managing Fine-Grained Access in PL/SQL Packages and Types ...................................... 6-1About Fine-Grained Access Control to External Network Services............................................... 6-2About Access Control to Oracle Wallets.............................................................................................. 6-2Upgraded Applications That Depend on Packages That Use External Network Services ....... 6-2Configuring Access Control for External Network Services ........................................................... 6-3Syntax for Configuring Access Control for External Network Services.................................... 6-3Example: Configuring Access Control for External Network Services...................................... 6-5Revoking Access Control Privileges for External Network Services......................................... 6-5Configuring Access Control to an Oracle Wallet ............................................................................... 6-6About Configuring Access Control to an Oracle Wallet.............................................................. 6-6Step 1: Create an Oracle Wallet........................................................................................................ 6-6Step 2: Configure Access Control Privileges for the Oracle Wallet............................................ 6-6Step 3: Make the HTTP Request with the Passwords and Client Certificates.......................... 6-7Revoking Access Control Privileges for Oracle Wallets............................................................ 6-10Examples of Configuring Access Control for External Network Services................................. 
6-10Example: Access Control Configuration for a Single Role and Network Connection.......... 6-10Example: Access Control Using a Deny and a Grant for a User and a Role.......................... 6-11Example: Access Control Configuring for Passwords in a Non-Shared Wallet.................... 6-11Example: Access Control Configuration for Wallets in a Shared Database Session............. 6-12Specifying a Group of Network Host Computers .......................................................................... 6-13Precedence Order for a Host Computer in Multiple Access Control List Assignments ......... 6-13Precedence Order for a Host in Access Control List Assignments with Port Ranges.............. 6-14Checking Privilege Assignments That Affect User Access to Network Hosts ......................... 6-15About Checking Privilege Assignments that Affect User Access to Network Hosts........... 6-15How Administrators Can Check User Network Connection and Domain Privileges......... 6-15How Users Can Check Their Network Connection and Domain Privileges......................... 6-16Configuring Network Access for Java Debug Wire Protocol Operations.................................. 6-17Data Dictionary Views for Access Control Lists Configured for User Access.......................... 6-177 Managing Security for a Multitenant Environment in Enterprise ManagerAbout Managing Security for a Multitenant Environment in Enterprise Manager ................... 7-1Logging into a Multitenant Environment in Enterprise Manager.................................................. 7-1Logging into a CDB or a PDB........................................................................................................... 7-1Switching to a Different PDB or to Root......................................................................................... 7-2Managing Common and Local Users in Enterprise Manager.......................................................... 
7-3Creating a Common User Account in Enterprise Manager......................................................... 7-3Editing a Common User Account in Enterprise Manager........................................................... 7-4Dropping a Common User Account in Enterprise Manager....................................................... 7-4Creating a Local User Account in Enterprise Manager................................................................ 7-5Editing a Local User Account in Enterprise Manager.................................................................. 7-5Dropping a Local User Account in Enterprise Manager.............................................................. 7-6Managing Common and Local Roles and Privileges in Enterprise Manager .............................. 7-6 11. xiCreating a Common Role in Enterprise Manager......................................................................... 7-6Editing a Common Role in Enterprise Manager........................................................................... 7-7Dropping a Common Role in Enterprise Manager....................................................................... 7-8Revoking Common Privilege Grants in Enterprise Manager...................................................... 7-8Creating a Local Role in Enterprise Manager................................................................................ 7-8Editing a Local Role in Enterprise Manager.................................................................................. 7-9Dropping a Local Role in Enterprise Manager.............................................................................. 7-9Revoking Local Privilege Grants in Enterprise Manager............................................................. 
7-9Part II Application Development Security8 Managing Security for Application DevelopersAbout Application Security Policies .................................................................................................... 8-1Considerations for Using Application-Based Security..................................................................... 8-1Are Application Users Also Database Users?................................................................................ 8-2Is Security Better Enforced in the Application or in the Database?............................................ 8-2Securing Passwords in Application Design........................................................................................ 8-3General Guidelines for Securing Passwords in Applications...................................................... 8-3Platform-Specific Security Threats........................................................................................... 8-3Guidelines for Designing Applications to Handle Password Input................................... 8-4Guidelines for Configuring Password Formats and Behavior............................................. 8-5Guidelines for Handling Passwords in SQL*Plus and SQL Scripts.................................... 8-5Securing Passwords Using an External Password Store.............................................................. 8-7Securing Passwords Using the orapwd Utility.............................................................................. 8-7Example of Reading Passwords in Java.......................................................................................... 8-7Securing External Procedures ............................................................................................................. 8-11About Securing External Procedures........................................................................................... 
8-11Configuring Authentication for External Procedures............................................................... 8-13Managing External Procedures for Legacy Applications.......................................................... 8-14Managing Application Privileges ...................................................................................................... 8-15Creating Secure Application Roles to Control Access to Applications ...................................... 8-16Step 1: Create the Secure Application Role................................................................................. 8-16Step 2: Create a PL/SQL Package to Define the Access Policy for the Application.............. 8-17Associating Privileges with User Database Roles .......................................................................... 8-18Why Users Should Only Have the Privileges of the Current Database Role......................... 8-19Using the SET ROLE Statement to Automatically Enable or Disable Roles........................... 8-19Protecting Database Objects by Using Schemas............................................................................. 8-19Protecting Database Objects in a Unique Schema...................................................................... 8-19Protecting Database Objects in a Shared Schema....................................................................... 8-20Managing Object Privileges in an Application............................................................................... 8-20What Application Developers Must Know About Object Privileges...................................... 8-20SQL Statements Permitted by Object Privileges......................................................................... 8-21Parameters for Enhanced Security of Database Communication................................................ 8-21Reporting Bad Packets Received on the Database from Protocol Errors................................ 
8-22Terminating or Resuming Server Execution After Receiving a Bad Packet........................... 8-22Configuring the Maximum Number of Authentication Attempts.......................................... 8-23 12. xiiControlling the Display of the Database Version Banner......................................................... 8-23Configuring Banners for Unauthorized Access and Auditing User Actions......................... 8-24Part III Controlling Access to Data9 Using Application Contexts to Retrieve User InformationAbout Application Contexts................................................................................................................... 9-1What Is an Application Context? .................................................................................................... 9-1Components of the Application Context........................................................................................ 9-2Where Are the Application Context Values Stored?.................................................................... 9-2Benefits of Using Application Contexts.......................................................................................... 9-2How Editions Affects Application Context Values....................................................................... 9-3Types of Application Contexts .............................................................................................................. 9-3Using Database Session-Based Application Contexts ...................................................................... 9-4About Database Session-Based Application Contexts.................................................................. 9-4Creating a Database Session-Based Application Context............................................................ 9-5Creating a PL/SQL Package to Set the Database Session-Based Application Context........... 9-6About the Package That Manages the Database Session-Based Application Context..... 
9-7Using SYS_CONTEXT to Retrieve Session Information....................................................... 9-7Using Dynamic SQL with SYS_CONTEXT............................................................................. 9-8Using SYS_CONTEXT in a Parallel Query.............................................................................. 9-9Using SYS_CONTEXT with Database Links........................................................................... 9-9Using DBMS_SESSION.SET_CONTEXT to Set Session Information................................. 9-9Creating a Logon Trigger to Run a Database Session Application Context Package........... 9-11Tutorial: Creating and Using a Database Session-Based Application Context...................... 9-12About This Tutorial................................................................................................................. 9-13Step 1: Create User Accounts and Ensure the User SCOTT Is Active.............................. 9-13Step 2: Create the Database Session-Based Application Context...................................... 9-14Step 3: Create a Package to Retrieve Session Data and Set the Application Context.... 9-14Step 4: Create a Logon Trigger for the Package.................................................................. 9-15Step 5: Test the Application Context..................................................................................... 9-15Step 6: Remove the Components for This Tutorial............................................................. 9-16Initializing Database Session-Based Application Contexts Externally................................... 9-16Obtaining Default Values from Users................................................................................... 9-16Obtaining Values from Other External Resources.............................................................. 9-17Initializing Application Context Values from a Middle-Tier Server................................ 
9-17Initializing Database Session-Based Application Contexts Globally...................................... 9-18About Initializing Database Session-Based Application Contexts Globally................... 9-18Using Database Session-Based Application Contexts with LDAP................................... 9-18How Globally Initialized Database Session-Based Application Contexts Work............ 9-19Example of Initializing a Database Session-Based Application Context Globally......... 9-19Using Externalized Database Session-Based Application Contexts........................................ 9-21Using Global Application Contexts................................................................................................... 9-22About Global Application Contexts............................................................................................. 9-22Using Global Application Contexts in an Oracle Real Application Clusters Environment. 9-23Creating a Global Application Context........................................................................................ 9-23Creating a PL/SQL Package to Manage a Global Application Context................................. 9-23 13. xiiiAbout the Package That Manages the Global Application Context................................. 9-24How Editions Affects the Results of a Global Application Context PL/SQL Package. 9-24Setting the DBMS_SESSION.SET_CONTEXT username and client_id Parameters...... 9-25Sharing Global Application Context Values for All Database Users............................... 9-25Setting a Global Context for Database Users Who Move Between Applications........... 9-27Setting a Global Application Context for Nondatabase Users ......................................... 9-28Clearing Session Data When the Session Closes................................................................. 9-31Embedding Calls in Middle-Tier Applications to Manage the Client Session ID................. 
9-32About Managing Client Session IDs Using a Middle-Tier Application.......................... 9-32Retrieving the Client Session ID Using a Middle-Tier Application................................. 9-32Setting the Client Session ID Using a Middle-Tier Application....................................... 9-33Clearing Session Data Using a Middle-Tier Application................................................... 9-34Tutorial: Creating a Global Application Context That Uses a Client Session ID................... 9-35About This Tutorial................................................................................................................. 9-35Step 1: Create User Accounts................................................................................................. 9-35Step 2: Create the Global Application Context.................................................................... 9-36Step 3: Create a Package for the Global Application Context........................................... 9-36Step 4: Test the Global Application Context........................................................................ 9-37Step 5: Remove the Components for This Tutorial............................................................. 9-39Global Application Context Processes......................................................................................... 9-39Simple Global Application Context Process........................................................................ 9-39Global Application Context Process for Lightweight Users.............................................. 9-40Using Client Session-Based Application Contexts......................................................................... 9-42About Client Session-Based Application Contexts.................................................................... 9-42Setting a Value in the CLIENTCONTEXT Namespace............................................................. 
9-43Retrieving the CLIENTCONTEXT Namespace.......................................................................... 9-43Clearing a Setting in the CLIENTCONTEXT Namespace........................................................ 9-44Clearing All Settings in the CLIENTCONTEXT Namespace................................................... 9-44Application Context Data Dictionary Views ................................................................................... 9-4510 Using Oracle Virtual Private Database to Control Data AccessAbout Oracle Virtual Private Database ............................................................................................ 10-1What Is Oracle Virtual Private Database? .................................................................................. 10-1Benefits of Using Oracle Virtual Private Database Policies...................................................... 10-2Basing Security Policies on Database Objects Rather Than Applications....................... 10-2Controlling How Oracle Database Evaluates Policy Functions........................................ 10-3Who Can Create Oracle Virtual Private Database Policies?..................................................... 10-3Which Privileges Are Used to Run Oracle Virtual Private Database Policy Functions?...... 10-3Using Oracle Virtual Private Database with an Application Context..................................... 10-3Using Oracle Virtual Private Database in a Multitenant Environment.................................. 10-4Components of an Oracle Virtual Private Database Policy .......................................................... 10-4Creating a Function to Generate the Dynamic WHERE Clause............................................... 10-4Creating a Policy to Attach the Function to the Objects You Want to Protect....................... 10-5Configuring an Oracle Virtual Private Database Policy................................................................ 
10-6About Oracle Virtual Private Database Policies......................................................................... 10-6Attaching a Policy to a Database Table, View, or Synonym..................................................... 10-7Enforcing Policies on Specific SQL Statement Types................................................................. 10-8 14. xivControlling the Display of Column Data with Policies............................................................. 10-8Adding Policies for Column-Level Oracle Virtual Private Database............................... 10-9Displaying Only the Column Rows Relevant to the Query.............................................. 10-9Using Column Masking to Display Sensitive Columns as NULL Values..................... 10-10Working with Oracle Virtual Private Database Policy Groups.............................................. 10-11About Oracle Virtual Private Database Policy Groups.................................................... 10-12Creating a New Oracle Virtual Private Database Policy Group..................................... 10-12Designating a Default Policy Group with the SYS_DEFAULT Policy Group.............. 10-13Establishing Multiple Policies for Each Table, View, or Synonym................................. 10-13Validating the Application Used to Connect to the Database......................................... 10-14Optimizing Performance by Using Oracle Virtual Private Database Policy Types............ 10-14About Oracle Virtual Private Database Policy Types....................................................... 10-15Using the Dynamic Policy Type to Automatically Rerun Policy Functions................. 10-15Using a Static Policy to Prevent Policy Functions from Rerunning for Each Query... 10-16Using a Shared Static Policy to Share a Policy with Multiple Objects........................... 10-17When to Use Static and Shared Static Policies................................................................... 
10-17
Using a Context-Sensitive Policy for Application Context Attributes That Change... 10-17
Using a Shared Context Sensitive Policy to Share a Policy with Multiple Objects 10-19
When to Use Context-Sensitive and Shared Context-Sensitive Policies 10-20
Summary of the Five Oracle Virtual Private Database Policy Types 10-20
Tutorials: Creating Oracle Virtual Private Database Policies 10-21
    Tutorial: Creating a Simple Oracle Virtual Private Database Policy 10-21
        About This Tutorial 10-21
        Step 1: Ensure That the OE User Account Is Active 10-21
        Step 2: Create a Policy Function 10-22
        Step 3: Create the Oracle Virtual Private Database Policy 10-22
        Step 4: Test the Policy 10-23
        Step 5: Remove the Components for This Tutorial 10-23
    Tutorial: Implementing a Policy with a Database Session-Based Application Context 10-24
        About This Tutorial 10-24
        Step 1: Create User Accounts and Sample Tables 10-24
        Step 2: Create a Database Session-Based Application Context 10-26
        Step 3: Create a PL/SQL Package to Set the Application Context 10-26
        Step 4: Create a Logon Trigger to Run the Application Context PL/SQL Package 10-27
        Step 5: Create a PL/SQL Policy Function to Limit User Access to Their Orders 10-27
        Step 6: Create the New Security Policy 10-28
        Step 7: Test the New Policy 10-28
        Step 8: Remove the Components for This Tutorial 10-29
    Tutorial: Implementing an Oracle Virtual Private Database Policy Group 10-30
        About This Tutorial 10-30
        Step 1: Create User Accounts and Other Components for This Tutorial 10-30
        Step 2: Create the Two Policy Groups 10-31
        Step 3: Create PL/SQL Functions to Control the Policy Groups 10-32
        Step 4: Create the Driving Application Context 10-33
        Step 5: Add the PL/SQL Functions to the Policy Groups 10-34
        Step 6: Test the Policy Groups 10-34
        Step 7: Remove the Components for This Tutorial 10-35
How Oracle Virtual Private Database Works with Other Oracle Features 10-36
    Using Oracle Virtual Private Database Policies with Editions 10-36
    Using SELECT FOR UPDATE in User Queries on VPD-Protected Tables 10-36
    How Oracle Virtual Private Database Policies Affect Outer or ANSI Join Operations 10-37
    How Oracle Virtual Private Database Security Policies Work with Applications 10-37
    Using Automatic Reparsing for Fine-Grained Access Control Policy Functions 10-37
    Using Oracle Virtual Private Database Policies and Flashback Query 10-38
    Using Oracle Virtual Private Database and Oracle Label Security 10-38
        Using Oracle Virtual Private Database to Enforce Oracle Label Security Policies 10-38
        Oracle Virtual Private Database and Oracle Label Security Exceptions 10-39
    Exporting Data Using the EXPDP Utility access_method Parameter 10-40
    User Models and Oracle Virtual Private Database 10-40
Oracle Virtual Private Database Data Dictionary Views 10-42

11 Using Transparent Sensitive Data Protection
About Transparent Sensitive Data Protection 11-1
General Steps for Using Transparent Sensitive Data Protection 11-1
Use Cases for Transparent Sensitive Data Protection Policies 11-2
Privileges Required for Using Transparent Sensitive Data Protection 11-3
Creating Transparent Sensitive Data Protection Policies 11-3
    Step 1: Create a Sensitive Type 11-4
    Step 2: Identify the Sensitive Columns to Protect 11-4
    Step 3: Import the Sensitive Columns List from ADM into Your Database 11-5
    Step 4: Create the Transparent Sensitive Data Protection Policy 11-5
    Step 5: Associate the Policy with a Sensitive Type 11-8
    Step 6: Enable the Transparent Sensitive Data Protection Policy 11-9
    Step 7: Optionally, Export the Policy to Other Databases 11-10
Altering Transparent Sensitive Data Protection Policies 11-10
Disabling Transparent Sensitive Data Protection Policies 11-11
Dropping Transparent Sensitive Data Protection Policies 11-12
Using the Predefined REDACT_AUDIT Policy to Mask Bind Values 11-14
    About the REDACT_AUDIT Policy 11-14
    How Bind Variables Are Considered to be Associated with Sensitive Columns 11-14
        Bind Variables and Sensitive Columns in the Expressions of Conditions 11-14
        A Bind Variable and a Sensitive Column Appearing in the Same SELECT Item 11-15
        Bind Variables in Expressions Assigned to Sensitive Columns in INSERT or UPDATE Operations 11-16
    How Bind Variables on Sensitive Columns Behave with Views 11-16
    Disabling and Enabling the REDACT_AUDIT Policy 11-16
Using Transparent Sensitive Data Protection Policies with Other Oracle Features 11-17
    Using Transparent Sensitive Data Protection Policies with Data Redaction 11-17
    Using Transparent Sensitive Data Protection Policies with Oracle VPD Policies 11-18
        About Using TSDP Policies with Oracle Virtual Private Database Policies 11-18
        DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies 11-19
        Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection 11-19
    How a Multitenant Environment Affects Transparent Sensitive Data Protection 11-23
Transparent Sensitive Data Protection Data Dictionary Views 11-23

12 Manually Encrypting Data
Security Problems That Encryption Does Not Solve 12-1
    Principle 1: Encryption Does Not Solve Access Control Problems 12-1
    Principle 2: Encryption Does Not Protect Against a Malicious Database Administrator 12-2
    Principle 3: Encrypting Everything Does Not Make Data Secure 12-3
Data Encryption Challenges 12-4
    Encrypted Indexed Data 12-4
    Generated Encryption Keys 12-4
    Transmitted Encryption Keys 12-5
    Storing Encryption Keys 12-5
        Storage of Encryption Keys in the Database 12-5
        Storage of Encryption Keys in the Operating System 12-6
        Users Managing Their Own Encryption Keys 12-7
        Using Transparent Database Encryption and Tablespace Encryption 12-7
    Importance of Changing Encryption Keys 12-7
    Encryption of Binary Large Objects 12-7
Data Encryption Storage with the DBMS_CRYPTO Package 12-7
Examples of Using the Data Encryption API 12-9
    Example: Data Encryption Procedure 12-9
    Example: AES 256-Bit Data Encryption and Decryption Procedures 12-11
    Example: Encryption and Decryption Procedures for BLOB Data 12-11
Data Dictionary Views for Encrypted Data 12-14

Part IV Securing Data on the Network

13 Configuring Network Data Encryption and Integrity
About Oracle Data Network Encryption and Integrity 13-1
    About Oracle Data Network Encryption and Integrity 13-1
    Advanced Encryption Standard 13-1
    DES Algorithm Support 13-2
    Triple-DES Support 13-2
        DES40 Algorithm 13-2
    RSA RC4 Algorithm for High Speed Encryption 13-2
Oracle Database Network Encryption Data Integrity 13-2
    Data Integrity Algorithms Support 13-3
Diffie-Hellman Based Key Negotiation 13-3
    Authentication Key Fold-in 13-3
How to Configure Data Encryption and Integrity 13-4
    About Configuring Data Encryption and Integrity 13-4
    About Activating Encryption and Integrity 13-4
    About Negotiating Encryption and Integrity 13-4
        About the Values for Negotiating Encryption and Integrity 13-5
        REJECTED 13-5
        ACCEPTED 13-5
        REQUESTED 13-6
        REQUIRED 13-6
    Configuring Encryption and Integrity Parameters Using Oracle Net Manager 13-6
        Configuring Encryption on the Client and the Server 13-7
        Configuring Integrity on the Client and the Server 13-8

14 Configuring the Thin JDBC Client Network
About the Java Implementation 14-1
Java Database Connectivity Support 14-1
Thin JDBC Features 14-2
Implementation Overview 14-3
Obfuscation of the Java Cryptography Code 14-3
Configuration Parameters for the Thin JDBC Network Implementation 14-3
    About the Thin JDBC Network Implementation Configuration Parameters 14-3
    Client Encryption Level Parameter 14-4
    Client Encryption Selected List Parameter 14-4
    Client Integrity Level Parameter 14-5
    Client Integrity Selected List Parameter 14-5
    Client Authentication Service Parameter 14-5
    AnoServices Constants 14-6

Part V Managing Strong Authentication

15 Introduction to Strong Authentication
What Is Strong Authentication? 15-1
Centralized Authentication and Single Sign-On 15-2
    How Centralized Network Authentication Works 15-2
Supported Strong Authentication Methods 15-3
    About Kerberos 15-3
    About Remote Authentication Dial-In User Service (RADIUS) 15-3
    About Secure Sockets Layer 15-4
Oracle Database Network Encryption/Strong Authentication Architecture 15-4
System Requirements for Strong Authentication 15-5
Oracle Network Encryption and Strong Authentication Restrictions 15-6

16 Strong Authentication Administration Tools
About the Configuration and Administration Tools 16-1
Network Encryption and Strong Authentication Configuration Tools 16-1
    About Network Encryption and Strong Authentication Configuration Tools 16-1
    Oracle Net Manager 16-1
    Kerberos Adapter Command-Line Utilities 16-2
Public Key Infrastructure Credentials Management Tools 16-2
    About the Public Key Infrastructure Credentials Management Tools 16-2
    About Oracle Wallet Manager 16-2
    About the orapki Utility 16-3
Duties of Strong Authentication Administrators 16-3

17 Configuring Kerberos Authentication
Enabling Kerberos Authentication 17-1
    Step 1: Install Kerberos 17-1
    Step 2: Configure a Service Principal for an Oracle Database Server 17-2
    Step 3: Extract a Service Key Table from Kerberos 17-2
    Step 4: Install an Oracle Database Server and an Oracle Client 17-3
    Step 5: Configure Oracle Net Services and Oracle Database 17-3
    Step 6: Configure Kerberos Authentication 17-4
        Step 6A: Configure Kerberos on the Client and on the Database Server 17-4
        Step 6B: Set the Initialization Parameters 17-6
        Step 6C: Set sqlnet.ora Parameters (Optional) 17-6
    Step 7: Create a Kerberos User 17-8
    Step 8: Create an Externally Authenticated Oracle User 17-8
    Step 9: Get an Initial Ticket for the Kerberos/Oracle User 17-9
Utilities for the Kerberos Authentication Adapter 17-9
    Obtaining the Initial Ticket with the okinit Utility 17-9
    Displaying Credentials with the oklist Utility 17-10
    Removing Credentials from the Cache File with the okdstry Utility 17-11
    Connecting to an Oracle Database Server Authenticated by Kerberos 17-11
Configuring Interoperability with a Windows 2008 Domain Controller KDC 17-11
    Step 1: Configure Oracle Kerberos Client for a Windows 2008 Domain Controller KDC 17-12
        Step 1A: Create the Client Kerberos Configuration Files 17-12
        Step 1B: Specify the Oracle Configuration Parameters in the sqlnet.ora File 17-12
        Step 1C: Specify the Listening Port Number 17-12
    Step 2: Configure a Windows 2008 Domain Controller KDC for the Oracle Client 17-13
        Step 2A: Create the User Account 17-13
        Step 2B: Create the Oracle Database Principal User Account 17-13
    Step 3: Configure Oracle Database for a Windows 2008 Domain Controller KDC 17-13
        Step 3A: Set Configuration Parameters in the sqlnet.ora File 17-14
        Step 3B: Create an Externally Authenticated Oracle User 17-14
    Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User 17-14
Troubleshooting the Oracle Kerberos Authentication Configuration 17-14

18 Configuring Secure Sockets Layer Authentication
Secure Sockets Layer and Transport Layer Security 18-1
    About Secure Sockets Layer and Transport Layer Security 18-1
    The Difference Between Secure Sockets Layer and Transport Layer Security 18-1
    How Oracle Database Uses Secure Sockets Layer for Authentication 18-2
    How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake 18-2
Public Key Infrastructure in an Oracle Environment 18-3
    About Public Key Infrastructure in an Oracle Environment 18-3
    About Public Key Cryptography 18-3
    Public Key Infrastructure Components in an Oracle Environment 18-4
        Certificate Authority 18-4
        Certificates 18-4
        Certificate Revocation Lists 18-5
        Wallets 18-5
        Hardware Security Modules 18-6
Secure Sockets Layer Combined with Other Authentication Methods 18-6
    Architecture: Oracle Database and Secure Sockets Layer 18-6
    How Secure Sockets Layer Works with Other Authentication Methods 18-6
Secure Sockets Layer and Firewalls 18-7
Secure Sockets Layer Usage Issues 18-8
Enabling Secure Sockets Layer 18-8
    Step 1: Configure Secure Sockets Layer on the Server 18-8
        Step 1A: Confirm Wallet Creation on the Server 18-9
        Step 1B: Specify the Database Wallet Location on the Server 18-9
        Step 1C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional) 18-10
        Step 1D: Set the Required Secure Sockets Layer Version on the Server (Optional) 18-13
        Step 1E: Set SSL Client Authentication on the Server (Optional) 18-13
        Step 1F: Set SSL as an Authentication Service on the Server (Optional) 18-14
        Step 1G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server 18-15
    Step 2: Configure Secure Sockets Layer on the Client 18-15
        Step 2A: Confirm Client Wallet Creation 18-15
        Step 2B: Configure the Server DNs and Use TCP/IP with SSL on the Client 18-15
        Step 2C: Specify Required Client SSL Configuration (Wallet Location) 18-17
        Step 2D: Set the Client Secure Sockets Layer Cipher Suites (Optional) 18-18
        Step 2E: Set the Required SSL Version on the Client (Optional) 18-20
        Step 2F: Set SSL as an Authentication Service on the Client (Optional) 18-20
    Step 3: Log in to the Database Instance 18-21
Troubleshooting the Secure Sockets Layer Configuration 18-21
Certificate Validation with Certificate Revocation Lists 18-24
    About Certificate Validation with Certificate Revocation Lists 18-24
    What CRLs Should You Use? 18-25
    How CRL Checking Works 18-25
    Configuring Certificate Validation with Certificate Revocation Lists 18-25
        About Configuring Certificate Validation with Certificate Revocation Lists 18-26
        Enabling Certificate Revocation Status Checking for the Client or Server 18-26
        Disabling Certificate Revocation Status Checking 18-28
    Certificate Revocation List Management 18-28
        About Certificate Revocation List Management 18-28
        Displaying orapki Help for Commands That Manage CRLs 18-29
        Renaming CRLs with a Hash Value for Certificate Validation 18-29
        Uploading CRLs to Oracle Internet Directory 18-30
        Listing CRLs Stored in Oracle Internet Directory 18-30
        Viewing CRLs in Oracle Internet Directory 18-31
        Deleting CRLs from Oracle Internet Directory 18-31
    Troubl