PKCS#11 HSM support for Transparent Data Encryption
Hi,
I'm trying to get a PKCS#11 HSM working with TDE with little luck.
I have installed Oracle 11gR1 (recent release version) on a Linux VM running Red Hat Application Server 4. The sqlnet.ora file contains
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
and the PKCS#11 implementation dll exists at
/opt/oracle/extapi/32/hsm/RSA/1.8.0/libp11s.so
as per the documentation.
In sqlplus, after starting the DB, I issue the command
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user:1234";
but this fails with
ERROR at line 1: ORA-28353: failed to open wallet.
and it appears the PKCS#11 dll is never even loaded.
TDE works fine when I use a local wallet (P12).
Is there anything else I need to do to get a PKCS#11 HSM to be used to store the TDE master key? Also, why does a username have to be specified, when PKCS#11 only requires a slot number and PIN? How does Oracle know which PKCS#11 driver to load if there are multiple under /opt/oracle/extapi/32/hsm/... ?
Thanks very much,
Owen Roberts
Thanks. For the sake of the record, I fixed this by specifying METHOD_DATA and DIRECTORY in sqlnet.ora, as in
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=HSM)(METHOD_DATA=
(DIRECTORY=/app/oracle/admin/SID1/wallet)))
where the directory exists, as opposed to just
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
as it says in the doco...
I have a new issue, which I'll start a new thread for.
Similar Messages
-
Transparent Data Encryption Configuration
Hi,
I want to configure Transparent Data Encryption on a Database which is protected with Database Vault.
Is there any document which talks about the integration of Database Vault with Transparent Data Encryption.
I want to create a common security administrator user (other than sys/system users) for Transparent Data Encryption configuration.
If i create a new administrator from Enterprise Manager console i am getting the following error:
SQL Error ORA-47401: Realm violation for grant system privilege on SELECT ANY DICTIONARY. ORA-06512: at "SYSMAN.MGMT_USER", line 9316 ORA-06512
How to avoid this error.
Any pointers on this is appreciated.
Thanks & regards,
Srikanth
Turning off DBVault is not needed to turn on TDE. The DB user who wants to manage the DB through Enterprise Manager needs to have the SELECT ANY DICTIONARY privilege (I think I remember this is done by logging into EM (not DVA) as DBV_OWNER, or DV_ACCT_MNGR if you have configured one).
If then the creation of the wallet fails, make the user an OWNER of the DATA DICTIONARY realm in DBVault. Note that the directory that you plan to use to store the wallet needs to exist before you create the wallet and master key for TDE.
Peter
Edited by: Peter Wahl on 03.07.2010 02:20 -
Does oracle 10.1 support transparent data encryption?
hi,
does oracle Release 10.1.0.3.0 support transparent data encryption?
if not, what can i use instead?
thanks
According to http://download-uk.oracle.com/docs/cd/B14117_01/network.101/b10772/asoconfg.htm ,
data encryption is supported for Oracle Net services in release 10.1. -
Listener Start Problem with TDE (Transparent Data Encryption)
I am testing Transparent Data Encryption in Oracle 10g by using the following link
http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
Before implementing TDE the listener was running fine, but after implementation of TDE the listener was unable to start.
Please check the steps which I followed
Step 1-
Specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file; now the sqlnet.ora file looks like the following
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
Please check the contents of the listener.ora file; I didn't make any configuration changes to the listener before or after implementation of TDE
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
      (PROGRAM = extproc)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
    )
  )
Step 2-
CONN sys/password AS SYSDBA
ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
TDE was implemented successfully.
But when I try to stop/start the listener
C:\>lsnrctl status
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:30
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
Start Date 05-JUN-2008 22:40:14
Uptime 0 days 7 hr. 4 min. 16 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl_XPT" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
C:\>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:35
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
The command completed successfully
C:\>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:40
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESIZE=1))
No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
TNS-12560: TNS:protocol adapter error
TNS-00583: Valid node checking: unable to parse configuration parameters
Listener failed to start. See the error message(s) above...
To start the listener I have to close the wallet as
1- SQL>conn sys as sysdba
ALTER SYSTEM SET WALLET CLOSE;
2- Replace the sqlnet.ora file as previously; now sqlnet.ora contains
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
Now if I start the listener, the listener starts successfully.
Please suggest why the listener is not starting with TDE?
I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restarting the listener, the listener failed to start. The error is exactly the same
TNS-12560: TNS:protocol adapter error
TNS-00583: Valid node checking: unable to parse configuration parameters
By removing the parameter encryption_wallet_location, the listener can be started successfully.
Anyone can help? -
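Two of the threads above come down to what is in sqlnet.ora: the HSM wallet that only opened once METHOD_DATA=(DIRECTORY=...) pointed at an existing directory, and a listener that reports TNS-00583 "unable to parse configuration parameters" right after ENCRYPTION_WALLET_LOCATION was added. The linter below is an added example, not code from any of the posters or from Oracle. It parses the parenthesised NAME=VALUE syntax of sqlnet.ora (assumption: values contain no spaces and comments start with #), reports a syntax error if the file does not parse, and otherwise checks that ENCRYPTION_WALLET_LOCATION names a METHOD, carries a DIRECTORY, and that the directory exists. The three sample files are constructed, and the directory check is injectable so the example runs offline.

```python
import os
import re

# Oracle NV syntax: four structural characters, everything else is a bare atom.
_TOKEN_RE = re.compile(r"\s*(?:([()=,])|([^\s()=,]+))")


def _tokenize(text):
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    tokens, pos = [], 0
    while True:
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            break
        pos = m.end()
        tokens.append(m.group(1) or m.group(2))
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self, k=0):
        j = self.i + k
        return self.toks[j] if j < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a value'}, got {tok!r} at token {self.i}")
        self.i += 1
        return tok

    def atom(self):
        tok = self.take()
        if tok in "()=,":  # structural character where a name or value was required
            raise ValueError(f"expected a name or value, got {tok!r} at token {self.i - 1}")
        return tok

    def parse_file(self):
        params = {}
        while self.peek() is not None:
            name = self.atom()
            self.take("=")
            params[name.upper()] = self.parse_value()
        return params

    def parse_value(self):
        if self.peek() != "(":
            return self.atom()                     # bare value, e.g. METHOD=HSM
        groups, items = {}, []
        while self.peek() == "(":
            self.take("(")
            if self.peek(1) == "=":                # (NAME=VALUE) group
                key = self.atom()
                self.take("=")
                groups[key.upper()] = self.parse_value()
            else:                                  # bare list, e.g. (TNSNAMES, EZCONNECT)
                items.append(self.atom())
                while self.peek() == ",":
                    self.take(",")
                    items.append(self.atom())
            self.take(")")
        return groups or items


def parse_sqlnet(text):
    """Parse sqlnet.ora into nested dicts/lists; raises ValueError on syntax errors."""
    return _Parser(_tokenize(text)).parse_file()


def check_wallet_location(params, path_exists=os.path.isdir):
    """Findings for ENCRYPTION_WALLET_LOCATION; an empty list means it looks usable."""
    loc = params.get("ENCRYPTION_WALLET_LOCATION")
    if loc is None:
        return ["ENCRYPTION_WALLET_LOCATION is not set"]
    source = loc.get("SOURCE") if isinstance(loc, dict) else None
    if not isinstance(source, dict) or not isinstance(source.get("METHOD"), str):
        return ["ENCRYPTION_WALLET_LOCATION must have the form (SOURCE=(METHOD=...)...)"]
    findings, method = [], source["METHOD"].upper()
    if method not in ("FILE", "HSM"):
        findings.append(f"unknown METHOD {source['METHOD']!r}")
    data = source.get("METHOD_DATA")
    directory = data.get("DIRECTORY") if isinstance(data, dict) else None
    if not isinstance(directory, str):
        findings.append(f"METHOD={method} has no METHOD_DATA=(DIRECTORY=...); the HSM thread above needed one")
    elif not path_exists(directory):
        findings.append(f"wallet DIRECTORY {directory!r} does not exist; create it before setting the master key")
    return findings


def lint_sqlnet(text, path_exists=os.path.isdir):
    # A file that does not parse fails before any wallet setting matters, so report that first.
    try:
        params = parse_sqlnet(text)
    except ValueError as err:
        return [f"parse error: {err}"]
    return check_wallet_location(params, path_exists)


# Constructed samples: the working HSM form, the bare form, and a file one ')' short.
GOOD = """
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
    (DIRECTORY=/app/oracle/admin/SID1/wallet)))
"""
NO_DIRECTORY = "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))\n"
UNBALANCED = r"""
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=D:\oracle\product\10.2.0\wallet\))
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("no directory", NO_DIRECTORY), ("unbalanced", UNBALANCED)):
        print(label, lint_sqlnet(text, path_exists=lambda p: True) or ["ok"])
```

Run it against the real file with `lint_sqlnet(open("sqlnet.ora").read())`; the default directory check then uses the local filesystem, which is what you want on the database host.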
I understand that the implementation of just about any database encryption solution is going to result in some degree of a performance hit, especially as searches are performed against the database, but nonetheless, we are thinking about implementing the Oracle TDE solution and, as recommended, just isolating encryption needs to ONLY necessary columns of data - in our case, columns pertaining to private ANSWER (results) data and/or PII (Pers. Ident. Info.). This being said, is anyone else doing something similar with TDE, or does anyone have any pointers up front on what to look out for, what to expect, and how they are operating with TDE. (Just reaching out for some thoughts, insight, comments, and/or warnings)... Thank you very much. - Jason
Yes, we have many customers using it, please check my updated TDE best practices paper; it has lots of hints and tricks and things to look out for:
Available from http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html (scroll down, please).
Thanks, Peter -
Transparent Data Encryption clarification
Hello All,
http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html#A12010
Does the database memory (SGA) contain clear-text or encrypted data?
With column-level TDE, encrypted data remains encrypted inside the SGA, but with tablespace encryption, data is already decrypted in the SGA.
my doubt here is,
1. When a select query is issued, when and where does the decryption take place before the data comes to the SGA?
2. Is there any tool to dump the buffer cache in the SGA to find whether data is encrypted or not?
Please do help me
Thanks in advance
AFAIK, TDE is for encrypting data on disk (so the database can't be stolen), not for encrypting data in the tables (may be wrong there)
dbms_obfuscation is deprecated in 10g, so used dbms_crypto instead - its much better -
SQL Server Transparent Data encryption
I have implemented TDE for the database and column-level encryption for sensitive data in tables. But the problem is that the data is entered through a front-end application; how could I encrypt this data when it is inserted from the front end, and how do I decrypt this data for the users when it is selected?
Your suggestions are most valuable.
Regards
Rehaan Khan
RehaanKhan. M
Let me start with a solution that may have been overlooked, but it is good to make sure we cover it. Have you considered using column-level permissions? It may not be a complete solution for your particular scenario if you need to give access to the column
for other reasons (after all, the group you are trying to restrict is probably developing applications on top of the column storing sensitive data) or if the developer group has permission to create objects that would render the sensitive data subject to ownership
chains. For more information on column-permissions look at
http://msdn.microsoft.com/en-us/library/ms186915.aspx
Assuming permissions alone will not solve the problem. By using encryption you should be able to limit access to the sensitive data to the developers, but it will also require some changes to your schema & application. TDE (Transparent Data Encryption)
will not help you in this scenario since you need to restrict access to the data and restricting access to the column is not sufficient.
The following links may be useful to get you started with SQL Encryption capabilities:
SQL Server Encryption (http://msdn.microsoft.com/en-us/library/bb510663.aspx)
Data Encryption in SQL Server (http://msdn.microsoft.com/en-us/library/bb669072(v=vs.110).aspx)
Encrypt a Column of data (http://msdn.microsoft.com/en-us/library/ms179331.aspx)
Cryptographic Functions (T-SQL) (http://msdn.microsoft.com/en-us/library/ms173744.aspx)
Older articles, but they may still be quite useful:
Indexing encrypted Data (http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx)
SQL Server 2005: searching encrypted data (http://blogs.msdn.com/b/lcris/archive/2005/12/22/506931.aspx)
One recommendation may be to encrypt the data using an AES key, and protect the key using one or more certificates (I would recommend using a separate certificate per individual if possible), making sure that only authorized people have access to the keys.
Anyone else with access to the column, but not to the keys would not be able to decrypt the data.
BTW. I would also recommend using SQL Auditing (http://msdn.microsoft.com/en-us/library/cc280386.aspx) in order to keep honest people honest, by monitoring access to the keys & to the
sensitive data.
I hope this information helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights. -
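The key hierarchy Raul recommends above (one AES key for the sensitive column, that key protected separately under each authorised person's certificate, and access to the key audited) modelled outside SQL Server, as an added example; this is not his code and not anything SQL Server ships. It uses the Python `cryptography` package: a per-person RSA key pair stands in for the per-individual certificate, a dictionary of RSA-OAEP-wrapped copies stands in for the symmetric key "encrypted by certificate", AES-256-GCM protects the cell values, and the row id is bound as associated data so a ciphertext cannot be moved to another row. The principals, rows and values are constructed.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP wraps the column key under each authorised person's public key.
_OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
_NONCE_LEN = 12


def new_principal():
    """A person's key pair; the public half stands in for their individual certificate (model assumption)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


class ColumnKeyStore:
    """One AES-256 column key, kept only as copies wrapped under each authorised person's public key."""

    def __init__(self, grants):
        data_key = AESGCM.generate_key(bit_length=256)
        self.wrapped = {name: pub.encrypt(data_key, _OAEP) for name, pub in grants.items()}
        self.audit = []  # (who asked, allowed/denied): the "keep honest people honest" log
        # The plaintext key is deliberately not stored on the object.

    def open_key(self, name, private_key):
        """Return the column key for `name`, or raise PermissionError; every attempt is audited.
        Holding someone else's wrapped copy does not help: unwrapping needs that person's private key."""
        blob = self.wrapped.get(name)
        self.audit.append((name, "allowed" if blob else "denied"))
        if blob is None:
            raise PermissionError(f"{name} has no wrapped copy of the column key")
        return private_key.decrypt(blob, _OAEP)


def encrypt_cell(data_key, row_id, plaintext):
    """AES-GCM with the row id as associated data, so a ciphertext cannot be copied into another row."""
    nonce = os.urandom(_NONCE_LEN)
    return nonce + AESGCM(data_key).encrypt(nonce, plaintext.encode(), row_id.encode())


def decrypt_cell(data_key, row_id, blob):
    return AESGCM(data_key).decrypt(blob[:_NONCE_LEN], blob[_NONCE_LEN:], row_id.encode()).decode()


def demo():
    alice, mallory = new_principal(), new_principal()
    store = ColumnKeyStore({"alice": alice.public_key()})  # only alice is granted the key

    key = store.open_key("alice", alice)
    table = {"1001": encrypt_cell(key, "1001", "123-45-6789"),  # constructed rows
             "1002": encrypt_cell(key, "1002", "987-65-4321")}
    result = {"alice_sees": decrypt_cell(key, "1001", table["1001"])}

    # mallory can SELECT the ciphertext column but holds no wrapped copy of the key
    try:
        store.open_key("mallory", mallory)
        result["mallory_denied"] = False
    except PermissionError:
        result["mallory_denied"] = True

    # copying row 1002's ciphertext into row 1001 is caught by the associated data
    try:
        decrypt_cell(key, "1001", table["1002"])
        result["row_swap_detected"] = False
    except InvalidTag:
        result["row_swap_detected"] = True

    result["audit"] = store.audit
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Revoking a person is deleting their wrapped copy; rotating the column key means re-encrypting the column and re-wrapping for everyone still granted, which is the same cost the SQL Server version carries.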
Transparent Data Encryption vs. OS level encryption
Can someone help me by posting few URLs to read about Oracle's Transparent Data Encryption vs. OS Level Encryption (Win 2003 server)? We are trying to choose an option and go with it. I'm looking for a comparative analysis doc (Oracle 10.2.0.2 on MS Win 2003 Server), or if you can give me pros and cons for each of those options.
Many thanks in advance,
Dejan
http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html
-
Transparent Data Encryption vs. DBMS_CRYPTO
Which provides more security, Transparent Data Encryption or DBMS_CRYPTO?
The security protection is, for all essential purposes, identical.
TDE automates encryption at the column level (10g) and dbms_crypto is used by PL/SQL. -
No Oracle SSO support for POSTing data to protected resource [yet]
Hi,
I am using OHS in front of JBOSS and redirecting all requests from OHS to JBOSS after SSO authentication.
Everything works fine except that I get a 500 error when I try to post data from an HTML form.
When I click on a button on a JSP page that submits the page with a form POST, the request goes to the OHS and is not getting forwarded.
OHS log shows the following
127.0.0.1 - - [11/Sep/2007:08:57:23 -0400] "POST /Sample/protected/standard.do HTTP/1.1" 500 788
Proxy_error.log shows the followin error
[Tue Sep 11 08:57:23 2007] [error] [client 127.0.0.1] [ecid: 1189515443:10.6.2.137:268:5568:74,0] \n[OSSO] E09: No Oracle SSO support for POSTing data to protected resource [yet].\n
Any idea?
Thanks
Srikar.
This error does not occur in our dev or test environments, only production. A workaround for us was to disable SSO by commenting out the line that loads it in the file $ORACLE_HOME/Apache/Apache/conf/httpd.conf. The line to comment out looks like: include "/u01/app/oracle/product/mid/Apache/Apache/conf/mod_osso.conf" where the /u01/app... above is the expansion of $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf.
We do not use SSO for our application, so this is not a problem. I next plan to try to figure out why this behaves like this, so I can keep all the server configurations consistent.
HTH,
Mark -
OWB Support for Change Data Capture
Hi All,
Has anyone got OWB working with the Change Data Capture feature in the Oracle 9i database? I understand that CDC works by publishing changes through an advanced queue, which in theory OWB 9.0.4 upwards can have as a data source, but there doesn't appear to be any explicit support within the GUI for capturing CDC changes.
I'm also working on the assumption that we're talking about Synchronous CDC as found in 9i. 10g comes with Asynchronous CDC which I guess presents a different interface to the receiving program.
So - is there any support for 9i Change Data Capture in OWB, and has anyone got this to work in practice?
thanks
Mark
Mark,
There is currently no explicit support for the 9i CDC. You can use Advanced Queues to propagate the changes, but you will have to custom-build the capture infrastructure on the source side (set up the CDC, enqueue the changes in the appropriate form into the AQ etc.)
OWB will explicitly support CDC (10g async, which is the least invasive method) in our next major release, currently scheduled to be released in November of this year.
Regards:
Igor -
Is there support for a data center Multi-Master using SunONE "Bandwidth Manager" over a WAN ?
I'm not sure what you mean by "data center M-M". There is currently only support for 2 masters. Do you mean
"Is there support for having a managed WAN connection between the two masters?"
This scenario has been tested, but I don't know if it is fully supported by iPlanet. In other words, it should work, but probably not as well as two masters sitting next to each other in a data center, which is the recommended deployment strategy. -
WS-4500X-32 Support for TrustSec MACsec Encryption
Hello all,
Does anyone know when will the WS-4500X-32 support the TrustSec MACsec Encryption ?
Thanks!
David
Hi,
MACsec is supported on the Catalyst 4500-X as of IOS XE 3.5.0. As per the New Software Features in Release IOS XE 3.5.0E section of the release notes:
MACSec Encryption on Cisco Catalyst 4500-X
IEEE 802.1ae MACSec Layer 2 encryption
IEEE 802.1ae MACSec encryption on user-facing ports
IEEE 802.1ae MACSec encryption between switch-to-switch links using Cisco Security Association Protocol (SAP)
Regards -
Copy/Paste Image from Clipboard - still no support for transparency?
I just tried to load an Image from the Clipboard by using DataFlavor.imageFlavor. Everything works well if the clipboard image doesn't use any transparency. When loading an image with alpha channel (png or gif), the transparency occurs as black pixels. Here is the code snippet:
Clipboard clip = Toolkit.getDefaultToolkit().getSystemClipboard();
Transferable t = clip.getContents(null);
BufferedImage img = (BufferedImage) t.getTransferData(DataFlavor.imageFlavor);
img.getType() always returns TYPE_INT_RGB, even if the image contains alpha data.
According to this Bug-Report
[http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4720930]
this should have been fixed in 1.4.2, if I'm not wrong?
Can anyone confirm this problem, and is there any workaround? The one described in the bug report doesn't work for me, since clipboard images in my case don't match DataFlavor.javaFileListFlavor.
The best is to try it yourself I guess.
Go to Github and try pasting an image into the compose editor.
The editor definitely supports image pastings. They work directly in Chrome(ium).
Thus I am wondering why Firefox does not support direct pasting from clipboard into the editor.
See the attached screenshot regarding the editor I am talking about. -
Support for xs:date types in web services generated from EJB components
I need to generate a Web Service from an EJB session bean based upon EJB entities generated from the Oracle 11g database that contain DATE type columns.
JDeveloper creates java.sql.Timestamp types in the EJB Session bean and this results in an exception error when I try to generate a web service from this bean via webservice annotations:
java.security.PrivilegedActionException: com.sun.xml.bind.v2.runtime.IllegalAnnotationsException: 1 counts of IllegalAnnotationExceptions
java.sql.Timestamp does not have a no-arg default constructor
I expected the web service wizard to generate argument types xs:dateTime or xs:date, so this was an unwelcome surprise.
I tried manually adding a method to the session bean with java.util.date arguments and had no problems with the web service wizard that correctly created xs:dateTime arguments. Is there any particular reason why the EJB wizard does not generate java.util.date arguments or handle java.sql.Timestamp without failing with an exception?
Since I begin with database tables and generate EJB entity classes and then web services with the Jdeveloper wizards it seems to me that there is a problem here in JDeveloper. Would you agree?
There are several more or less appealing workarounds, such as manually adding methods to the EJB facade with java.util.date arguments and doing the conversion from/to java.sql.timestamp manually. Is this a reasonable approach, or does JDeveloper support date/time for Date columns in some other way that I have missed?
Very Grateful for any comments or suggestions.
Edited by: user10601664 on May 2, 2009 1:14 PM
Edited by: user10601664 on May 2, 2009 1:43 PM
Check out this example:
http://www.manojc.com/?sample3
public class HelloWorldService {
    /**
     * @wlws:exclude
     */
    public void dontExpose() {
    }
}
Regards,
-manoj
http://manojc.com
"Jacob Anderson" <[email protected]> wrote in message
news:4036581e$[email protected]..
>
hello,
I created the descriptor file for a web service that had a protectedmethod in
it and noticed the protected method showed up in the descriptor file!Should
the "source2wsdd" task only output PUBLIC methods as service actions? Isthere
any way to specify methods to be 'ignored' when generating the webservices descriptor
file?
here was the generated descriptor XML:
<web-service name="BindingService"
protocol="https"
style="document"
targetNamespace="http://www.foo.com/ws/BindingService/"
portName="BindingServicePort"
uri="/BindingService"
portTypeName="BindingServicePort">
<types>
</types>
<wsdd:type-mapping xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsdd="http://www.bea.com/servers/wls70">
<wsdd:type-mapping-entry deserializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec"
type="xsd:anyType"
class-name="org.w3c.dom.Document"
serializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec">
</wsdd:type-mapping-entry>
</wsdd:type-mapping>
<components>
<java-class name="BindingService"
class-name="com.arrow.ws.vendor.BindingService">
</java-class>
</components>
<operations>
<operation name="getConfigName"
component="BindingService"
method="getConfigName()">
<params>
<return-param xmlns:typeNS="http://www.w3.org/2001/XMLSchema"
location="body"
type="typeNS:string"
name="result"
class-name="java.lang.String">
</return-param>
</params>
</operation>
</operations>
</web-service>