Oracle database security

Similar Messages

• How do I use Oracle Database Security in my HTML DB App?

  I have an existing client server application that each user has a database account. These accounts are set up currently to allow and disallow appropriate access to data via Database Rolls. I want to augment the client server application with a HTML DB application and want to use the already created database accounts. Can this be done?

  Chris,
  HTML DB parses the SQL and PL/SQL in your application as the "parse as" schema, or owner, of the application. The new database session created for each page view runs for the connected user HTMLDB_PUBLIC_USER (for DADs with stored credentials) or for the user authenticated by the basic authentication challenge (your situation).
  You can access the USER pseudo-column within the session to set audit columns with the name of the connected user. This is not the name of the application schema.
  Basic Authentication is not the only way to authenticate against database accounts. You can easily implement a login page of your own with a PL/SQL process that checks the user's credentials against the database account. Our team implemented HTML DB extensions to (and ultimately replacements for) a very complex Forms-based system having an architecture probably very similar to yours. In this environment we would set the APP_USER item to the authenticated username and use it for audit columns and for authorization checks within the application. During this 2-year project, we adopted a couple of best practices that you might want to consider: 1) All DML is performed using table-level APIs (which are easy to generate automatically), and 2) Table-level APIs are called only from transaction-level APIs, which often involve multiple calls to table-level APIs. We would implement all authorization checks at the transaction level, either within the APIs themselves, or also on the HTML DB controls around them (buttons, processes, etc.). Abstracting the security rules away from the database objects allowed them to be formulated in terms of business processes and relates them more closely to the logical data model.
  That's an approach you can think about. If you do continue to use basic authentication and direct or role-enabled object privileges, you can still make your DML, triggers, and APIs user-aware as I noted above or by using invoker's rights packages/procedures.
  Finally, HTML DB is not a client-server emulation tool. Its security model facilitates flexible and secure database access appropriate for a declarative development environment (possible hosted) and application deployment to web-based users.
  Do let us know if we can help with specific issues as you go forward.
  Scott

• Connection pooling and auditing on an oracle database

  Integration of a weblogic application with an oracle backend,
  Connection pooling, and auditing ,2 conflicting requirements ?
  Problem statement :
  We are in the process of maintaining a legacy client server application where
  the client is
  written in PowerBuilder and the backend is using an Oracle database.
  Almost all business logic is implemented in stored procedures on the database.
  When working in client/server mode ,1 PowerBuilder User has a one-to-one relation
  with
  a connection(session) on the oracle database.
  It is a requirement that the database administrator must see the real user connected
  to the database
  and NOT some kind of superuser, therefore in the PowerBuilder app each user connects
  to the database
  with his own username.(Each user is configured on the database via a seperate
  powerbuilder security app).
  For the PowerBuilder app all is fine and this app can maintain conversional state(setting
  and
  reading of global variables in oracle packages).
  The management is pushing for web-based application where we will be using bea
  weblogic appserver(J2EE based).
  We have build an business app which is web-based and accessing the same oracle
  backend app as
  the PowerBuilder app is doing.
  The first version of this web-based app is using a custom build connector(based
  on JCA standard and
  derived from a template provided by the weblogic integration installation).
  This custom build connector is essentially a combination of a custom realm in
  weblogic terms
  and a degraded connection pool , where each web session(browser) has a one-to-one
  relation
  with the back end database.
  The reason that this custom connector is combining the security functionality
  and the pooling
  functionality , is because each user must be authenticated against the oracle
  database(security requirement)
  and NOT against a LDAP server, and we are using a statefull backend(oracle packages)
  which would make it
  difficult to reuse connections.
  A problem that surfaced while doing heavy loadtesting with the custom connector,
  is that sometimes connections are closed and new ones made in the midst of a transaction.
  If you imagine a scenario where a session bean creates a business entity ,and
  the session bean
  calls 1 entity bean for the header and 1 entity bean for the detail, then the
  header and detail
  must be created in the same transaction AND with the same connection(there is
  a parent-child relationship
  between header and detail enforced on the back end database via Primary and Foreing
  Keys).
  We have not yet found why weblogic is closing the connection!
  A second problem that we are experincing with the custom connector, is the use
  of CMP(container managed persistence)
  within entity beans.
  The J2EE developers state that the use of CMP decreases the develoment time and
  thus also maintenance costs.
  We have not yet found a way to integrate a custom connector with the CMP persistence
  scheme !
  In order to solve our loadtesting and CMP persistence problems i was asked to
  come up with a solution
  which should not use a custom connector,but use standard connection pools from
  weblogic.
  To resolve the authentication problem on weblogic i could make a custom realm
  which connects to the
  backend database with the username and password, and if the connection is ok ,
  i could consider this
  user as authenticated in weblogic.
  That still leaves me with the problem of auditing and pooling.
  If i were to use a standard connection pool,then all transaction made in the oracle
  database
  would be done by a pool user or super user, a solution which will be rejected
  by our local security officer,
  because you can not see which real user made a transaction in the database.
  I could still use the connection pool and in the application , advise the application
  developers
  to set an oracle package variable with the real user, then on arrival of the request
  in the database,
  the logic could use this package variable to set the transaction user.
  There are still problems with this approach :
  - The administrator of the database can still not see who is connected , he will
  only see the superuser connection.
  - This scheme can not be used when you want to use CMP persistence , since it
  is weblogic who will generate the code
  to access the database.
  I thought i had a solution when oracle provided us with a connection pool known
  as OracleOCIConnectionPool
  where there is a connection made by a superuser, but where sessions are multiplexed
  over this physical pipe with the real user.
  I can not seem to properly integrate this OCI connectionpool into weblogic.
  When using this pool , and we are coming into a bean (session or entity bean)
  weblogic is wrapping
  this pool with it's own internal Datasource and giving me back a connection of
  the superuser, but not one for the real user,
  thus setting me with my back to the wall again.
  I would appreciate if anyone had experienced the same problem to share a possible
  solution with us
  in order to satisfy all requirements(security,auditing,CMP).
  Many Thanks
  Blyau Gino
  [email protected]

  Hi Blyau,
  As Joe has already provided some technical advice,
  I'll try to say something on engineering process level.
  While migrating an application from one technology to
  other, like client-server to n-tier in you case, customers and
  stakeholders want to push into the new system as many old
  requirements as possible. This approach is AKA "we must
  have ALL of the features of the old system". Mostly it happens
  because they don't know what they want. Ad little understanding
  of abilities of the new technology, and you will get a requirement
  like the one you have in you hands.
  I think "DBA must see real user" is one of those. For this
  type of requirements it can make sense to try to drop it,
  or to understand its nature and suggest alternatives. In this
  particular case it can be a system that logs user names,
  login and logout times.
  Blind copying of old features into an incompatible new architecture
  may endanger the whole project and can result in its failure.
  Hope this helps.
  Regards,
  Slava Imeshev
  "Blyau Gino" <[email protected]> wrote in message
  news:[email protected]...
  >
  Integration of a weblogic application with an oracle backend,
  Connection pooling, and auditing ,2 conflicting requirements ?
  Problem statement :
  We are in the process of maintaining a legacy client server applicationwhere
  the client is
  written in PowerBuilder and the backend is using an Oracle database.
  Almost all business logic is implemented in stored procedures on thedatabase.
  When working in client/server mode ,1 PowerBuilder User has a one-to-onerelation
  with
  a connection(session) on the oracle database.
  It is a requirement that the database administrator must see the real userconnected
  to the database
  and NOT some kind of superuser, therefore in the PowerBuilder app eachuser connects
  to the database
  with his own username.(Each user is configured on the database via aseperate
  powerbuilder security app).
  For the PowerBuilder app all is fine and this app can maintainconversional state(setting
  and
  reading of global variables in oracle packages).
  The management is pushing for web-based application where we will be usingbea
  weblogic appserver(J2EE based).
  We have build an business app which is web-based and accessing the sameoracle
  backend app as
  the PowerBuilder app is doing.
  The first version of this web-based app is using a custom buildconnector(based
  on JCA standard and
  derived from a template provided by the weblogic integrationinstallation).
  This custom build connector is essentially a combination of a custom realmin
  weblogic terms
  and a degraded connection pool , where each web session(browser) has aone-to-one
  relation
  with the back end database.
  The reason that this custom connector is combining the securityfunctionality
  and the pooling
  functionality , is because each user must be authenticated against theoracle
  database(security requirement)
  and NOT against a LDAP server, and we are using a statefull backend(oraclepackages)
  which would make it
  difficult to reuse connections.
  A problem that surfaced while doing heavy loadtesting with the customconnector,
  >
  is that sometimes connections are closed and new ones made in the midst ofa transaction.
  If you imagine a scenario where a session bean creates a business entity,and
  the session bean
  calls 1 entity bean for the header and 1 entity bean for the detail, thenthe
  header and detail
  must be created in the same transaction AND with the same connection(thereis
  a parent-child relationship
  between header and detail enforced on the back end database via Primaryand Foreing
  Keys).
  We have not yet found why weblogic is closing the connection!
  A second problem that we are experincing with the custom connector, is theuse
  of CMP(container managed persistence)
  within entity beans.
  The J2EE developers state that the use of CMP decreases the develomenttime and
  thus also maintenance costs.
  We have not yet found a way to integrate a custom connector with the CMPpersistence
  scheme !
  In order to solve our loadtesting and CMP persistence problems i was askedto
  come up with a solution
  which should not use a custom connector,but use standard connection poolsfrom
  weblogic.
  To resolve the authentication problem on weblogic i could make a customrealm
  which connects to the
  backend database with the username and password, and if the connection isok ,
  i could consider this
  user as authenticated in weblogic.
  That still leaves me with the problem of auditing and pooling.
  If i were to use a standard connection pool,then all transaction made inthe oracle
  database
  would be done by a pool user or super user, a solution which will berejected
  by our local security officer,
  because you can not see which real user made a transaction in thedatabase.
  I could still use the connection pool and in the application , advise theapplication
  developers
  to set an oracle package variable with the real user, then on arrival ofthe request
  in the database,
  the logic could use this package variable to set the transaction user.
  There are still problems with this approach :
  - The administrator of the database can still not see who is connected ,he will
  only see the superuser connection.
  - This scheme can not be used when you want to use CMP persistence , sinceit
  is weblogic who will generate the code
  to access the database.
  I thought i had a solution when oracle provided us with a connection poolknown
  as OracleOCIConnectionPool
  where there is a connection made by a superuser, but where sessions aremultiplexed
  over this physical pipe with the real user.
  I can not seem to properly integrate this OCI connectionpool intoweblogic.
  When using this pool , and we are coming into a bean (session or entitybean)
  weblogic is wrapping
  this pool with it's own internal Datasource and giving me back aconnection of
  the superuser, but not one for the real user,
  thus setting me with my back to the wall again.
  I would appreciate if anyone had experienced the same problem to share apossible
  solution with us
  in order to satisfy all requirements(security,auditing,CMP).
  Many Thanks
  Blyau Gino
  [email protected]

• Assigning role to role doesn't work when applying Database security model

  I applied Oracle Database security model for BI Publisher.
  then I create some roles and users and assigned roles to users in Oracle Database.
  i also assigned appropriate folders to each role in BI Publisher.
  the users with direct roles worked successfully but i got problem when i assigned roles to a super role, and assigned this role to a super user.
  the super user could only access guest folder.
  Please help me.
  thanks.
  Daniel
  Edited by: user13344498 on Jul 5, 2010 11:13 PM

  Add a Role to a Role:
  1. From the Security Center, select Roles and Permissions; this will invoke the
  Security Center page. Here you can see the list of existing roles and permissions.
  2. Select the Add Roles icon for the Role.
  3. Select the desired role from the Available Roles list and use the Move shuttle
  button to move it to the Included Roles.
  this is from "Oracle® Business Intelligence Publisher User's Guide Release 10.1.3.2 Part No. B40017-01" book, but the security model is BI Publisher Security.

• Oracle Database Vault

  Dear Guys,
  I am searching for Oracle database security software and got some information that Oracle database vault serves the purpose. Please let me know what are the supported database releases (e.g. 8i, 9i, 10g, 11g) which can be integrated with Oracle database vault latest version.

  What is the difference between
  http://www.oracle.com/us/products/database/options/database-vault/overview/index.html
  AND
  What’s New in Oracle Audit Vault and Database Firewall Release 12.1.1

• How to install Oracle Label Security in Oracle Database 10g EE

  Hello All
  I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
  I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
  I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
  M.
  Sorry about my English.

  Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
  Find more ways in the Documentation here:
  http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

• Hi, I don't know how to find a specific security patch to apply to my Oracle database version to fix a vulnerability

  Hi, I don't know how to find a specific security patch to apply to my Oracle database version 11.2.0.2.0 (on windows server 2003 32 bits) to fix the following vulnerability:
  Risk: High
  Application: oracle_tnslsnr
  Port: 1521
  Protocol: tcp
  Synopsis:
  It is possible to register with a remote Oracle TNS listener.
  Description:
  The remote Oracle TNS listener allows service registration from a remote host. An attacker can exploit this issue to divert data from a
  legitimate database server or client to an attacker-specified system.
  Successful exploits will allow the attacker to manipulate database instances, potentially facilitating man-in-the-middle, sessionhijacking,
  or denial of service attacks on a legitimate database server.
  Solution:
  Apply the work-around in Oracle's advisory.
  Thank you for your help

  2835604 wrote:
  Hi, I don't know how to find a specific security patch to apply to my Oracle database version 11.2.0.2.0 (on windows server 2003 32 bits) to fix the following vulnerability:
  Risk: High
  Application: oracle_tnslsnr
  Port: 1521
  Protocol: tcp
  Synopsis:
  It is possible to register with a remote Oracle TNS listener.
  Description:
  The remote Oracle TNS listener allows service registration from a remote host. An attacker can exploit this issue to divert data from a
  legitimate database server or client to an attacker-specified system.
  Successful exploits will allow the attacker to manipulate database instances, potentially facilitating man-in-the-middle, sessionhijacking,
  or denial of service attacks on a legitimate database server.
  Solution:
  Apply the work-around in Oracle's advisory.
  Thank you for your help
  that sounds like the "tns poison" vulnerability.  CVE 2012-1675 - Oracle Security Alert CVE-2012-1675
  See MOS note 134083.1  and 1453883.1

• Tracking oracle database activities in security/system logs of windows server

  Can database activity like create or drop tables and packages be tracked in the security/system logs of windows 2003 server for the oracle database 10.2.0.4?
  Can purging of oracle log, n case the file has become big or even tempered be tracked in the security/system logs of windows 2003 server for the oracle database 10.2.0.4?
  dhomya

  Hi Dhomya,
  I am not familiar with Oracle database, though you may try to enable file system auditing:
  Audit object access
  https://technet.microsoft.com/en-us/library/cc776774(v=ws.10).aspx
  Apply or modify auditing policy settings for an object using Group Policy
  https://technet.microsoft.com/en-us/library/cc757864(v=ws.10).aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Enabling Oracle Label Security on 9.2.0.7 database

  Hi there,
  I have installed the option Oracle Label Security and patched it to 9.2.0.7. I have then run the script $ORAHOME\rdbms\admin\catols.sql . Which re-starts the database.
  But when I run the below example I get the below error.
  SQL> CONNECT lbacsys/lbacsys
  Connected.
  SQL> EXECUTE SA_SYSDBA.CREATE_POLICY( -
  'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
  BEGIN SA_SYSDBA.CREATE_POLICY( 'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE'); END;
  ERROR at line 1:
  ORA-00439: feature not enabled: Oracle Label Security
  ORA-06512: at "LBACSYS.LBAC_SYSDBA", line 107
  ORA-06512: at "LBACSYS.SA_SYSDBA", line 43
  ORA-06512: at line 1
  I have also noticed that in the v$option view shows the
  PARAMETER VALUE
  Oracle Label Security FALSE
  I have compared the number of objects to metalink article 171155.1 How to Install / Deinstall Oracle Label Security and all the objects seem to be in the schema.
  Also I check the version and saw below.
  SQL> conn dba/
  Connected.
  SQL> COL comp_name FORMAT A32
  SQL> COL version FORMAT A16
  SQL> SELECT
  2 comp_id
  3 ,comp_name
  4 ,version
  5 FROM dba_registry
  6 where comp_id='OLS';
  COMP_ID COMP_NAME VERSION
  OLS Oracle Label Security 9.2.0.7.0
  1 rows selected.
  SQL>
  Anyone know how I can enable Oracle Label Security is that it works?
  TIA
  Ed

  I still have some old 9.2.0.8 databases running on both HP-UX and AIX and have clients on 10.2g which doesn't manifest any problem .

• How to secure oracle database

  how to secure oracle database,
  I am having the oracle database which will be packed as package in a machine and will be delivered to client place , need to ensure that the client will not access the database by any means.
  Even he breaks the password (he should not break but despite client has broken the password) and went inside the database, he should not be able to see the databases Procedures ,views,functions and triggers.
  Can we Encrypt this,if so can client will be able to decrypt the same?
  Is there a way to secure the database from the client not to access the database.
  Thanks!

  933663 wrote:
  so how can i secure when there is an option to unwrap ,then there is no use in using the wrap right?Yes, because when there is a lock there is a key, when there is wrap there is unwrap, when there is encrypt there is decrypt. We can not be rest assure for hack the code. I think you should think and explore above security options which are provided by Oracle itself which have lock and key by Oracle itself; which i have mentioned in my previous post.
  You just think that if that is that much easy and cheap, then why Oracle have developed above options/features by expending many dollors..!!!
  Regards
  Girish Sharma

• Apply Latest Security Patches on Oracle Database 10g Express Edition (XE) ?

  Hi !
  I have an Oracle Database 10g Express Edition (XE) version 10.2.0.1.0 running on a Microsoft Windows 2003 SP2 server.
  I need to find and install the latest security patches on this database.
  Can someone inform me where I can find these patches and the steps for installing these patches?
  Thanks,
  Kind Regards,
  Shailesh

  Hi,
  Welcome 2 oracle forums :)
  Can someone inform me where I can find these patches and the steps for installing these patches?U can find all the latest security and all available patches on https://support.oracle.com/CSP/ --> Patches and updates tab
  Regards,
  X A H E E R

• 1z0-528 (Oracle Database 11g Security Essentials)

  Hi,
  I'm preparing 1z0-528 (Oracle Database 11g Security Essentials) exam. Could anyone recommend some useful books or reading material (except Oracle courses and 11.2 Documentation)?
  Also, If someone has taken 1z0-528, I'm interested how difficult the exam was?
  Thanks,

  Hi;
  All oracle are not easy,so you need to study hardly all course and other pdf and should study hard for exam. I suggest check below link:
  Oracle Database 11g Security Essentials - Training Resources By Exam Topics
  http://www.oracle.com/partners/en/knowledge-zone/database/oracle-database-11g/1z1-528-resources-170324.html
  Oracle Database 11g Security Essentials<< prepration part
  http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=41&p_org_id=9&lang=CS&p_exam_id=1Z0_528
  Regard
  Helios

• Security vulnerabilities in apache that comes with oracle database.

  Hi,
  We are having a QA database in Oracle enterprise version 9.2.0.4 on OS : OSF1.
  Recently our security team ran a test and found that the apache1.3 that comes as component of Oracle database is prone to security vulnerabilities. Also they suggested to remove the apache or upgrade to latest as remedy.
  When contacted to Oracle support, Oracle team replied apache upgrade should not be done instead latest apache seprately can be installed as reverse proxy. But when asked for steps/document there is no reply. Anyone faced this problem can provide any help/suggestion in this regard.
  I am attaching some of the threads identified by our Security Team for reference.
  1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
  2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  3. Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=iso-8859-1
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>417 Expectation Failed</TITLE>
  </HEAD><BODY>
  <H1>Expectation Failed</H1>
  The expectation given in the Expect request-header
  field could not be met by this server.<P>
  The client sent<PRE>
  Expect: <script>alert(document.domain)</script>
  </PRE>
  but we only allow the 100-continue expectation.
  -CR

  I dont know how to find which components are using the apache. Help me if there is any way to find it. Only information i can say you is there is no other software installed that in that server other than oracle Database.

• Can an Oracle database be made 100% Secured ?

  Hi,
  How can an Oracle database be 100% secured in terms of security?
  Comments.
  Adith

  First of all what does 100% secure means? Secure Oracle, it's just one level of security. You may have the best trusted Oracle database environment, but what happens if the URL that access the application server shows unencrypted passwords? Or this site uses http instead of https?
  You may have an oracle secured environment, and leave the site door open and let the operator use an OS authentication to gain access as SYSDBA, nobody is going to say no to this situation.
  What would happen with a recyclable backup tape that is sotelen by someone, and used to recreate the database somewhere else?
  So 100% securing database must be further clarified and detailed, otherwise it will be just a Maginot Line (http://en.wikipedia.org/wiki/Maginot_Line).
  Regards.

• Network security with Oracle Database Cloud Service

  Does the Oracle Database Cloud service support SSL? Or, any form of network encryption/authentication between a client and the service across the Internet?

  Thank you Rick. I'm intending to use Oracle Database Cloud Service as a "Database-as-a-Service", however I have read that it is actually more of a "Platform-as-a-Service" offering.
  What I would like to do is to interact with the Oracle Database Cloud Service via a local JDBC client. However, from further reading, it looks like the only way to interact with the Oracle Database Cloud Service from a non-Oracle-cloud-based client is via its RESTful web services (which, as you said, support SSL).
  That is to say, I cannot simply connect to the Oracle Database Cloud Service from a local client just through JDBC alone. It looks like I would have to configure my client to make the relevant RESTful web service calls instead, and likewise configure my settings on the Oracle Database Cloud Service to make the necessary translations (from REST to SQL).
  Just to finally clarify, is my above understanding correct?