Skip Headers
Oracle® Database Security Guide
11g Release 2 (11.2)

Part Number E10574-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

What's New in Oracle Database Security?

The Oracle Database 11g Release 2 (11.2) security features and enhancements described in this section comprise the overall effort to provide superior access control, privacy, and accountability with this release of Oracle Database.

The following sections describe new security features of Oracle Database 11g Release 2 (11.2) and provide pointers to additional information:

Oracle Database 11g Release 2 (11.2) New Security Features

This section contains:

Enhancements to the Audit Trail Cleanup Process

Oracle Database 11g Release 2 (11.2) introduces several enhancements to the audit trail cleanup process. In this release, you can:

Enhancements to Directory Objects

This section contains:

EXECUTE Privilege Available for Directory Objects

You now can grant users the EXECUTE privilege on directory objects that contain a user-supplied preprocessor program for use by the ORACLE_LOADER access driver. This prevents the user from accidentally or maliciously corrupting the preprocessor program. The SQL statements that are affected by the EXECUTE privilege are GRANT and REVOKE. The ORACLE_LOADER access parameters now include the PREPROCESSOR clause, which you can use to specify the name and location of a preprocessor program that modifies the contents of a data file so that the ORACLE_LOADER access driver can read it.

For more information about using the ORACLE_LOADER access driver preprocessor, see the following:

Ability to Audit Directory Objects

You now can audit the EXECUTE privilege on directory objects. This enables you to monitor users who run a preprocessor program (which is used by the ORACLE_LOADER access driver) that has been added to a directory object.

See "Auditing Directory Objects" for more information.

Enhancements to Fine-Grained Access to External Network Services

The previous release of Oracle Database introduced the ability to create fine-grained access control to external network services. In this release, the following enhancements are available:

See "Managing Fine-Grained Access in PL/SQL Network Utility Packages" for more information.

Global Application Contexts Available Across Oracle RAC Instances

In this release, changes to global application context values are automatically accessible across all Oracle Real Application Clusters (Oracle RAC) instances.

See "Using Global Application Contexts" for more information about creating a global application context.

Secure Sockets Layer (SSL) Version 2 Support Change

Starting with Oracle Database 11g Release 2 (11.2), SSL version 2 is no longer included in the default list of default supported protocols. If your applications must use SSL version 2, then you can do so by explicitly setting SSL version 2 while maintaining the connection. See Oracle Database Advanced Security Administrator's Guide for more information.

Tablespace Master Key Rekey: Changing the Encryption Key Password

In this release, Oracle Advanced Security enables you to change the master key that protects the encryption keys used to encrypt Oracle Database tablespaces. Industry initiatives, such as the Payment Card Industry Data Security Standard (PCI DSS), mandate periodic rotation of encryption keys associated with credit card data. See Oracle Database Advanced Security Administrator's Guide for more information about tablespace encryption.

Deprecated Security-Related Features

This section contains:

DB_EXTENDED Setting for the AUDIT_TRAIL Parameter Deprecated

The DB_EXTENDED setting in the AUDIT_TRAIL initialization parameter has been deprecated. Instead, use the DB, EXTENDED setting in its place.

See "Configuring Standard Auditing with the AUDIT_TRAIL Initialization Parameter" for more information.

WKUSER Role and Ultra Search Schemas Deprecated

The WKUSER role and the WKSYS, WKTEST, WKPROXY schemas have been deprecated. For more information about Oracle Ultra Search, see Oracle Ultra Search Administrator's Guide.

Database Configuration Assistant No Longer Provides Default Security Settings

In the previous release of Oracle Database, you could use Database Configuration Assistant (DBCA) to add password security and audit options to a new database. This option is not available in this release. In this release, DBCA automatically adds audit options and password policies to new databases.

See the following sections for more information:

ALTER USER Clause AUTHENTICATED USING PASSWORD Deprecated

The AUTHENTICATED USING PASSWORD clause of the ALTER USER statement has been deprecated for this release. If you use this clause, Oracle Database converts it to the AUTHENTICATION REQUIRED clause. If you do not specify the AUTHENTICATION REQUIRED clause, then Oracle Database uses either the AUTHENTICATED USING CERTIFICATE clause or the AUTHENTICATED USING DISTINGUISHED NAME clause.

See Oracle Database SQL Language Reference for more information about the ALTER USER statement options.

Password for the listener.ora File Deprecated

Setting a password for the listener.ora file has been deprecated for this release, because it is no longer needed. In the next release, the listener password will not be supported.

Oracle Database 11g Release 1 (11.1) New Security Features

This section contains:

Automatic Secure Configuration

When you create a new database, you can use Database Configuration Assistant (DBCA) to automatically create a more secure configuration than in previous releases of Oracle Database. You can enable the following secure configuration settings in one operation:

To configure your database for greater security, follow the guidelines in Chapter 10, "Keeping Your Oracle Database Secure."

New Password Protections

Oracle Database now includes the following new password protections:

SYSDBA and SYSOPER Strong Authentication

You can now use the Secure Sockets Layer (SSL) and Kerberos strong authentication methods to authenticate users who have the SYSDBA and SYSOPER privileges.

See "Strong Authentication and Centralized Management for Database Administrators" for more information.

SYSASM Privilege for Automatic Storage Management

The SYSASM system privilege has been added to Oracle Database 11g Release 2 (11.2), to be used exclusively to administer Automatic Storage Management (ASM). Use the SYSASM privilege instead of the SYSDBA privilege to connect to and administer ASM instances.

See Oracle Database Storage Administrator's Guide for more information about the SYSASM privilege.

Encryption Enhancements

This section describes the following enhancements in encryption:

Intelligent LOB Compression, Deduplication, and Encryption with SecureFiles

Oracle Database supports a new, faster, and scalable Large Object (LOB) storage paradigm called SecureFiles. SecureFiles, in addition to performance, supports efficient compression, deduplication (that is, coalescing duplicate data), and encryption. LOB data can now be encrypted with Oracle Database, and is available for random reads and writes.

For more information about SecureFiles, see Oracle Database SecureFiles and Large Objects Developer's Guide. See also Oracle Database SQL Language Reference for updates in the CREATE TABLE and ALTER TABLE statements to support this feature.

Compressed and Encrypted Dump File Sets

In this release, you can use Oracle Data Pump to compress and encrypt an entire dump file set. You can optionally compress and encrypt the data, metadata, or complete dump file set during an Oracle Data Pump export.

For more information, see Oracle Database Utilities.

Transparent Data Encryption with Hardware Security Module Integration

Transparent data encryption (TDE) stores the master key in an encrypted software wallet and uses this key to encrypt the column keys, which in turn encrypt column data. While this approach to key management is sufficient for many applications, it may not be sufficient for environments that require stronger security. TDE has been extended to use hardware security modules (HSMs). This enhancement provides high assurance requirements of protecting the master key.

This release enables you to store the TDE master encryption key within a hardware security module (HSM) at all times, leveraging its key management capabilities. Only the table keys (for TDE column encryption) and tablespace keys (for TDE tablespace encryption) are decrypted on the HSM, before they are returned to the database; the encryption and decryption of application data remains with the database. Oracle recommends that you encrypt the traffic between HSM device and databases. This new feature provides additional security for transparent data encryption, because the master encryption key cannot leave the HSM, neither in clear text nor in encrypted format. Furthermore, it enables the sharing of the same key between multiple databases and instances in an Oracle Real Applications Clusters (Oracle RAC) or Data Guard environment.

To configure transparent data encryption with hardware security module integration, see Oracle Database Advanced Security Administrator's Guide.

Transparent Tablespace Encryption

Transparent tablespace encryption enables you to encrypt an entire tablespace. This encryption includes all the data within the tablespace. When an application accesses the tablespace, Oracle Database transparently decrypts the relevant data blocks for the application.

Tablespace encryption provides an alternative to transparent data encryption column encryption. This eliminates the need for granular analysis of applications to determine which columns to encrypt, especially for applications with a large number of columns containing personally identifiable information (PII) such as Social Security numbers or patient health care records. If your tables have small amounts of data to encrypt, you can continue to use the transparent data encryption column encryption solution.

For an introduction to transparent encryption, see Oracle Database 2 Day + Security Guide. For detailed information about transparent tablespace encryption, see Oracle Database Advanced Security Administrator's Guide.

Fine-Grained Access Control on Network Services on the Database

Oracle Database provides a set of PL/SQL utility packages, such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR, that are designed to enable database users to access network services on the database. Oracle Database PL/SQL Packages and Types Reference describes the PL/SQL utility packages in detail.

In a default database installation, these packages are created with EXECUTE privileges granted to PUBLIC users. This release enhances the security of these packages by providing database administrators the ability to control access to applications in the database that use these packages.

See "Managing Fine-Grained Access in PL/SQL Network Utility Packages" for more information.

Change to AUDIT BY SESSION

The BY SESSION clause of the AUDIT statement now writes one audit record for every audited event. In previous releases, BY SESSION wrote one audit record for all SQL statements or operations of the same type that were executed on the same schema objects in the same user session. Now, both BY SESSION and BY ACCESS write one audit record for each audit operation. In addition, there are separate audit records for LOGON and LOGOFF events. If you omit the BY ACCESS clause, then BY SESSION is used as the default.

The audit record that BY SESSION generates is different from the BY ACCESS audit record. Oracle recommends that you include the BY ACCESS clause for all AUDIT statements, which results in a more detailed audit record. In the case of LOGOFF events, the timestamp for the audit record has a greater precision than in previous releases.

Be aware that this change applies to schema object audit options, statement options, and system privileges that audit SQL statements other than data definition language (DDL) statements. Oracle Database has always audited using the BY ACCESS clause on all SQL statements and system privileges that audit a DDL statement.

See the following sections for more information:

Oracle XML DB Security Enhancements

This section contains:

XML Translation Support for Oracle Database XML

Security objects are now stored in the Oracle XML DB repository as XMLType objects. These security objects can contain strings that need to be translated to different languages so that they can be searched or displayed in those languages. Developers can store translated strings with the XMLType and retrieve and operate on these strings depending on the language settings of the user. The advantage of this feature is that it reduces the costs associated with developing applications that are independent of the target preferred language of the user.

To configure security for XMLType objects, see Oracle XML DB Developer's Guide.

Support for Web Services

You can now use the Oracle XML DB HTTP server for service-oriented architecture (SOA) operations. This allows the database to be treated as simply another service provider in an SOA environment. Security administrators can control user access to Oracle Database Web services and their associated database objects by using the XDB_WEBSERVICES, XDB_WEBSERVICES_OVER_HTTP, and XDB_WEBSERVICES_WITH_PUBLIC predefined roles.

To configure Oracle Database Web services, see Oracle XML DB Developer's Guide.For information on this feature's predefined roles, see Table 4-3, "Oracle Database Predefined Roles".

Directory Security Enhancements

In this release, administrators can now disallow anonymous access to database service information in a directory and require clients to authenticate when performing LDAP directory-based name look-ups. If you are using Microsoft Active Directory-based name lookups, then Oracle Database uses the native operating system-based authentication. If you are using Oracle Internet Directory (OID)-based name lookups, then Oracle Database performs authentication by using wallets.

To configure directory security, see Oracle Database Net Services Reference.

Oracle Call Interface Security Enhancements

The following security enhancements are available for Oracle Call Interface (OCI):

Database administrators can manage these security enhancements for Oracle Call Interface developers by configuring a set of new initialization parameters. See Parameters for Enhanced Security of Database Communication for more information. See also Oracle Call Interface Programmer's Guide for detailed information on Oracle Call Interface.