TDE in XE
When I try to encrypt the columns, I get this:
An error was encountered performing the requested operation:
ORA-00439: feature not enabled: Transparent Data Encryption
00439. 00000 - "feature not enabled: %s"
*Cause: The specified feature is not enabled.
*Action: Do not attempt to use this feature.
Vendor code 439
How do I enable TDE in Oracle XE 11g R2? What exactly does "Encryption Toolkit" mean in Oracle XE?
I am a newbie in Oracle so any advice and help would be appreciated.
Please post details of what you are trying to achieve and the commands used to encrypt the columns.
TDE requires the Advanced Security Option, which is only available on the Enterprise Edition of the database.
See the Database Concepts Guide, Chapter 17 and
Oracle Database Editions
HTH
Srini
Similar Messages
-
Logical Database:: TDE implementation in Logical
Hi, I have to implement TDE in a production database and have to make sure Logical doesn't break.
I implemented TDE in my test databases (both Trans and Logical) and saw new records are not getting applied in the Logical database.
I have created the wallet in both databases and the apply process is running fine. I don't see any error as well.
Do you guys have any input? Thanks
I see a message in the event log.
ORA-16233: The table PRADEEP.TEST_ABC is unsupported now
16-AUG-2010 12:31:29 16-AUG-10 12.31.28.550366 2548880 2548883 4 12 1057
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY ********** 16226 -
TDE Wallets & Multiple Databases on same Host
The Oracle TDE Best Practices (doc ID 130696) states this:
Multiple databases on the same host
If there are multiple Oracle Databases installed on the same server, they
must access their own individual TDE wallet. Sharing the same wallet between independent instances is not supported
and can potentially lead to the loss of encrypted data.
If the databases share the same ORACLE_HOME, they also share the same
sqlnet.ora file in $TNS_ADMIN . In order to access their individual wallet, the
DIRECTORY entry for the ENCRYPTION_WALLET_LOCATION
needs to point each database to its own wallet location:
DIRECTORY= /etc/ORACLE/WALLETS/$ORACLE_UNQNAME
The names of the subdirectories under /etc/ORACLE/WALLETS/ reflect
the ORACLE_UNQNAME names of the individual databases.
If the databases do not share the same ORACLE_HOME, they will also have their individual sqlnet.ora
files that have to point to the individual subdirectories.
What is the correct sqlnet.ora syntax to do this? I currently have what is below but it doesn't seem to be correct:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /local/oracle/admin/wallet/DB#1)
      (DIRECTORY = /local/oracle/admin/wallet/DB#2)))
Hi,
You can check this: Setting ENCRYPTION_WALLET_LOCATION For Wallets Of Multiple Instances Sharing The Same Oracle Home (Doc ID 1504783.1)
I haven't done this for multiple databases, but as per the Doc you can use syntax like
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /local/oracle/admin/wallet/$ORACLE_UNQNAME)))
Whenever you set the environment with
export ORACLE_UNQNAME=DB#1
it will choose the file from the respective directory, like /local/oracle/admin/wallet/DB#1
HTH
-
Oracle TDE - Can multiple databases use the same Oracle wallet?
Oracle Advanced Security Transparent Data Encryption
I will have 2 or more databases running under the same Oracle 11.2 home. According to Oracle's documentation, it is preferred to reference the wallet via the sqlnet.ora file. That's fine. My question is: if I want to use encryption in each of those databases, then I have no choice but to use the shared wallet, correct?
I need to confirm that I have not missed something.
From Oracle's documentation:
Specifying a Wallet Location for Transparent Data Encryption
If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter.
Oracle recommends that you use the ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.
http://docs.oracle.com/cd/E18283_01/network.112/e10746/asoappa.htm#i634447
Oracle Advanced Security Transparent Data Encryption
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))
thanks!
Do not do this, follow this http://www.youtube.com/watch?v=Z9odSZxdoGU instead!
Best, Peter
-
Listener Start Problem with TDE (Transparent Data Encryption)
I am testing Transparent Data Encryption in Oracle 10g by following this link:
http://oracle-base.com/articles/10g/TransparentDataEncryption_10gR2.php
Before implementing TDE the listener was running fine, but after implementing TDE the listener was unable to start.
Please check the steps which I followed.
Step1-
Specify the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file; now the sqlnet.ora file looks like the following:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=D:\oracle\product\10.2.0\wallet\)))
Please check the contents of the listener.ora file; I didn't make any configuration changes to the listener before or after implementing TDE.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = D:\oracle\product\10.2.0\db_1)
      (PROGRAM = extproc)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = shakeel-pc.lhr.inov8.com.pk)(PORT = 1521))
    )
  )
Step2-
CONN sys/password AS SYSDBA
ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "myPassword";
TDE was implemented successfully.
But when I try to stop/start the listener:
C:\>lsnrctl status
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:30
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
Start Date 05-JUN-2008 22:40:14
Uptime 0 days 7 hr. 4 min. 16 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
Listener Log File D:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=shakeel-pc.lhr.inov8.com.pk)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl_XPT" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
C:\>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:35
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
The command completed successfully
C:\>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 06-JUN-2008 05:44:40
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
System parameter file is D:\oracle\product\10.2.0\db_1\network\admin\listener.ora
Log messages written to D:\oracle\product\10.2.0\db_1\network\log\listener.log
Error listening on: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PARTIAL=yes)(QUEUESIZE=1))
No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
TNS-12560: TNS:protocol adapter error
TNS-00583: Valid node checking: unable to parse configuration parameters
Listener failed to start. See the error message(s) above...
To start the listener I have to close the wallet as follows:
1- SQL>conn sys as sysdba
ALTER SYSTEM SET WALLET CLOSE;
2- Restore the previous sqlnet.ora file; now sqlnet.ora contains
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
Now if I start the listener, it starts successfully.
Please suggest why the listener does not start with TDE.
I have the same problem. I'm testing TDE using Oracle 11gR1. After setting the parameter encryption_wallet_location and restarting the listener, the listener failed to start. The error is exactly the same:
TNS-12560: TNS:protocol adapter error
TNS-00583: Valid node checking: unable to parse configuration parameters
By removing the parameter encryption_wallet_location, the listener can be started successfully.
Can anyone help?
-
SQL Server TDE stuck encryption state 4
I'm trying to create a robust script that runs backups, backs up the current certificate, creates a new certificate, backs up the new certificate and regenerates the database encryption keys with the new certificate. Obviously to do all this you're talking about a pretty complicated script! I've tried to make it as robust as possible; however, when running the script the databases have gotten stuck in encryption state 4. (This has happened before, which is why I'm testing this to destruction.) Now, before I delete and recreate these databases, is there any way to force them out of state 4? It will not allow you to turn encryption off; you get the following error: Cannot disable database encryption while an encryption, decryption, or key change scan is in progress.
I'm not sure what happened to get them into this state but want to prevent it at all costs.
Please see my script. You should be able to test this easily by creating a couple of DBs.
Any improvements would be greatly appreciated, and this will be extremely useful to anyone in a TDE environment.
*** UPDATED ***
USE master
DECLARE @Name NVARCHAR(50) , -- Database Name
@Path NVARCHAR(100) , -- Path for backup files
@FileName NVARCHAR(256) , -- Filename for backup
@FileDate NVARCHAR(20) , -- Used for file name
@BackupSetName NVARCHAR(50) ,
@SQLScript NVARCHAR(MAX) ,
@Live AS NCHAR(3) = 'No'
-- *** MAKE SURE YOU CHECK THIS BEFORE RUNNING ***
-- specify database backup directory
SET @Path = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup\'
-- specify filename format
SET @FileDate = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120), '-', ''), ':', ''), ' ', '')
-- (the three REPLACE arguments were lost in the post; reconstructed as stripping '-', ':' and ' '
--  so the value is a digits-only timestamp that is safe in a file name)
IF CURSOR_STATUS('global', 'db_cursor') >= -1
DEALLOCATE db_cursor
DECLARE db_cursor CURSOR
FOR
SELECT Name
FROM sys.databases
WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
AND is_encrypted = 1
OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @Name
WHILE @@FETCH_STATUS = 0
BEGIN TRY
SET @FileName = @Path + @Name + '_' + @FileDate + '.bak'
SET @SQLScript = 'BACKUP DATABASE ' + QUOTENAME(@Name) + ' TO DISK = '''
+ @FileName + ''' WITH NOFORMAT, INIT, SKIP, STATS = 10
RESTORE VERIFYONLY FROM DISK = ''' + @FileName + ''' BACKUP LOG '
+ QUOTENAME(@Name) + ' TO DISK = ''' + @Path + @Name + '_log.ldf'''
-- QUOTENAME() brackets the database name so a name with spaces or punctuation cannot break the dynamic SQL
PRINT '*** STEP ONE Backing up Databases ***'
PRINT @SQLScript
IF @Live = 'Yes'
EXEC (@SQLScript)
FETCH NEXT FROM db_cursor INTO @Name
END TRY
BEGIN CATCH
PRINT 'Error Completing Backups'
SELECT ERROR_NUMBER() AS ErrorNumber ,
ERROR_SEVERITY() AS ErrorSeverity ,
ERROR_STATE() AS ErrorState ,
ERROR_PROCEDURE() AS ErrorProcedure ,
ERROR_LINE() AS ErrorLine ,
ERROR_MESSAGE() AS ErrorMessage;
RETURN
END CATCH
CLOSE db_cursor
DEALLOCATE db_cursor
-- Get current certificate statuses
SELECT DB_NAME(database_id) AS DatabaseName ,
Name AS CertificateName ,
CASE encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc ,
create_date ,
regenerate_date ,
modify_date ,
set_date ,
opened_date ,
key_algorithm ,
key_length ,
encryptor_thumbprint ,
percent_complete ,
certificate_id ,
principal_id ,
pvt_key_encryption_type ,
pvt_key_encryption_type_desc ,
issuer_name ,
cert_serial_number ,
subject ,
expiry_date ,
start_date ,
thumbprint ,
pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
-- TDE cannot be started while backup is running
WHILE EXISTS ( SELECT *
FROM master.dbo.sysprocesses
WHERE dbid IN ( DB_ID('*** DATABASE ***') )
AND cmd LIKE 'BACKUP%' )
BEGIN
PRINT 'Waiting for backups to complete'
WAITFOR DELAY '00:01:00'
END
--Code for backing up certificate and generating new certificate
DECLARE @CurrentCertificateName AS NVARCHAR(100) ,
@CertificateBackupFile AS NVARCHAR(256) ,
@KeyBackup AS NVARCHAR(256) ,
@KeyStore AS NVARCHAR(256) = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Key Backup\' ,
@SecurePass AS NVARCHAR(50) = '*** Password ***'
-- Get current certificate name
SELECT @CurrentCertificateName = c.name
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
WHERE DB_NAME(e.database_id) = @Name
-- backup the current certificate
SET @CertificateBackupFile = @KeyStore + @CurrentCertificateName + '.cer'
SET @KeyBackup = @KeyStore + @CurrentCertificateName + '.pvk'
SET @SQLScript = 'BACKUP CERTIFICATE ' + @CurrentCertificateName
+ ' TO FILE = ''' + @CertificateBackupFile + ''' WITH PRIVATE KEY' -- stray second '+' removed
+ ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
+ @SecurePass + ''')'
PRINT '*** STEP TWO Backing up current certificate: ' + @SQLScript + ' ***'
IF @Live = 'Yes'
BEGIN TRY
EXEC ( @SQLScript )
END TRY
BEGIN CATCH
PRINT 'Could not back up existing Certificate. Job Cancelled'
SELECT ERROR_NUMBER() AS ErrorNumber ,
ERROR_SEVERITY() AS ErrorSeverity ,
ERROR_STATE() AS ErrorState ,
ERROR_PROCEDURE() AS ErrorProcedure ,
ERROR_LINE() AS ErrorLine ,
ERROR_MESSAGE() AS ErrorMessage;
RETURN
END CATCH
-- Generate the new certificate.
DECLARE @Now AS NVARCHAR(12) = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120), '-', ''), ':', ''), ' ', '')
-- (REPLACE arguments were lost in the post; reconstructed as stripping '-', ':' and ' '. NVARCHAR(12) keeps yyyyMMddHHmm)
DECLARE @NewCertificateName AS NVARCHAR(50) = 'PCI_Compliance_Certificate_'
+ @Now
-- Manually set certificate name
--SELECT @NewCertificateName = 'PCI_Compliance_Certificate_201312231546'
-- Generate a new certificate
DECLARE @NewCertificateDescription AS NVARCHAR(100) = 'PCI DSS Compliance Certificate for 2014'
SET @SQLScript = 'CREATE CERTIFICATE ' + @NewCertificateName
+ ' WITH SUBJECT = ''' + @NewCertificateDescription + ''''
PRINT '*** STEP THREE Creating New Certificate: ' + @SQLScript + ' ***'
IF @Live = 'Yes'
BEGIN TRY
EXEC ( @SQLScript )
END TRY
BEGIN CATCH
PRINT 'Could not create the new Certificate. Job Cancelled'
SELECT ERROR_NUMBER() AS ErrorNumber ,
ERROR_SEVERITY() AS ErrorSeverity ,
ERROR_STATE() AS ErrorState ,
ERROR_PROCEDURE() AS ErrorProcedure ,
ERROR_LINE() AS ErrorLine ,
ERROR_MESSAGE() AS ErrorMessage;
RETURN
END CATCH
-- Back up the new certificate
SET @CertificateBackupFile = @KeyStore + @NewCertificateName + '.cer'
SET @KeyBackup = @KeyStore + @NewCertificateName + '.pvk'
SET @SQLScript = 'BACKUP CERTIFICATE ' + @NewCertificateName
+ ' TO FILE = ''' + @CertificateBackupFile + '''' + ' WITH PRIVATE KEY' -- stray second '+' removed
+ ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
+ @SecurePass + ''')'
PRINT '*** STEP FOUR Backing up New Certificate: ' + @SQLScript + ' ***'
IF @Live = 'Yes'
BEGIN TRY
EXEC ( @SQLScript )
END TRY
BEGIN CATCH
PRINT 'Error: Could not back up New Certificate.'
SELECT ERROR_NUMBER() AS ErrorNumber ,
ERROR_SEVERITY() AS ErrorSeverity ,
ERROR_STATE() AS ErrorState ,
ERROR_PROCEDURE() AS ErrorProcedure ,
ERROR_LINE() AS ErrorLine ,
ERROR_MESSAGE() AS ErrorMessage;
RETURN
END CATCH
--Encrypt database with new certificate
WHILE EXISTS ( SELECT *
FROM master.dbo.sysprocesses
WHERE dbid IN ( DB_ID('*** DATABASE ***') )
AND cmd LIKE 'BACKUP%' )
BEGIN
PRINT 'Waiting for backups to complete'
WAITFOR DELAY '00:01:00'
END
DECLARE db_cursor CURSOR
FOR
SELECT Name
FROM sys.databases
WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
AND is_encrypted = 1
OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @Name
WHILE @@FETCH_STATUS = 0
BEGIN TRY
SET @SQLScript = 'USE ' + QUOTENAME(@Name)
+ '; ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE '
+ QUOTENAME(@NewCertificateName)
-- reference @NewCertificateName rather than rebuilding the name from @Now, so a manual override of the name is honoured
PRINT '*** STEP FIVE Encrypting Databases ***'
PRINT @SQLScript
IF @Live = 'Yes'
EXEC (@SQLScript)
FETCH NEXT FROM db_cursor INTO @Name
END TRY
BEGIN CATCH
PRINT 'Error Encrypting Databases'
SELECT ERROR_NUMBER() AS ErrorNumber ,
ERROR_SEVERITY() AS ErrorSeverity ,
ERROR_STATE() AS ErrorState ,
ERROR_PROCEDURE() AS ErrorProcedure ,
ERROR_LINE() AS ErrorLine ,
ERROR_MESSAGE() AS ErrorMessage;
RETURN
END CATCH
CLOSE db_cursor
DEALLOCATE db_cursor
-- Inspect the new state of the databases
SELECT DB_NAME(e.database_id) AS DatabaseName ,
e.database_id ,
e.encryption_state ,
CASE e.encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
END AS encryption_state_desc ,
c.name ,
e.percent_complete
FROM sys.dm_database_encryption_keys AS e
LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
Hello,
State 4 means (as you've noted in your script) that there is a key change in process. When a key change happens with TDE, all of the data must first be decrypted with the old keys and encrypted with the new keys, which takes time. However long it takes to decrypt and encrypt your entire database (depending on how many key changes there are in the hierarchy) is how long it will take.
There is also a very niche scenario where database corruption can cause issues with TDE while encrypting or decrypting. You could run a CHECKDB and validate this is not the case (you can also check suspect_pages at a quick glance).
Sean Gallardy | Blog | Twitter
-
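The posted script regenerates the encryption key of every encrypted database without first looking at encryption_state, and builds its dynamic SQL by concatenating database names. The Python below is an added example, not from the post and not Microsoft's code: it models the per-database pre-flight decision a rotation job should make from rows shaped like the script's own sys.dm_database_encryption_keys / sys.certificates join (state must be 3 before a REGENERATE is issued; scans in state 2, 4 or 5 are waited on, which is the situation the reply describes; a certificate whose private key has never been backed up blocks the run; a database already on the new certificate is skipped so the job is re-runnable), and emits the statements with QUOTENAME-style bracket quoting. The row values, database names and certificate names are constructed; the field names mirror the DMV columns the script selects.

```python
"""Pre-flight gate for a TDE certificate rotation (added example, not from the post).

Each input row carries columns the script above selects from
sys.dm_database_encryption_keys joined to master.sys.certificates:
name, encryption_state, percent_complete, encryptor (certificate name)
and pvt_key_last_backup_date.  All row values below are constructed.
"""
from datetime import datetime

# encryption_state values exactly as the script's CASE expression documents them
STATE_DESC = {
    0: "No database encryption key present, no encryption",
    1: "Unencrypted",
    2: "Encryption in progress",
    3: "Encrypted",
    4: "Key change in progress",
    5: "Decryption in progress",
}
SCAN_IN_PROGRESS = {2, 4, 5}  # a scan is running; do not queue another key change
SYSTEM_DBS = {"master", "model", "msdb", "tempdb"}


def quotename(identifier: str) -> str:
    """T-SQL QUOTENAME() with the default [] delimiter: a ']' in the name becomes ']]'."""
    return "[" + identifier.replace("]", "]]") + "]"


def certificate_name(now: datetime, prefix: str = "PCI_Compliance_Certificate_") -> str:
    """Timestamped name in the shape the script builds (yyyyMMddHHmm, 12 digits)."""
    return prefix + now.strftime("%Y%m%d%H%M")


def regenerate_statement(db: str, certificate: str) -> str:
    """ALTER DATABASE ENCRYPTION KEY acts on the current database, hence the USE first."""
    return (
        f"USE {quotename(db)}; "
        "ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256 "
        f"ENCRYPTION BY SERVER CERTIFICATE {quotename(certificate)};"
    )


def plan_rotation(rows, new_certificate):
    """Classify each database: rotate now, wait for a scan, or block/skip with a reason.

    Returns {"rotate": [statement...], "wait": [(db, reason)...],
             "blocked": [(db, reason)...], "skip": [(db, reason)...]}.
    """
    plan = {"rotate": [], "wait": [], "blocked": [], "skip": []}
    for r in rows:
        db, state = r["name"], r["encryption_state"]
        if db in SYSTEM_DBS:
            plan["skip"].append((db, "system database"))
        elif state in SCAN_IN_PROGRESS:
            plan["wait"].append((db, f"{STATE_DESC[state]}, {r['percent_complete']:.1f}% complete"))
        elif state != 3:
            plan["skip"].append((db, STATE_DESC.get(state, f"unknown encryption_state {state}")))
        elif r["encryptor"] == new_certificate:
            plan["skip"].append((db, "already protected by the new certificate"))
        elif r["pvt_key_last_backup_date"] is None:
            # Existing backups can only be restored with the old certificate; never retire it unbacked-up.
            plan["blocked"].append((db, f"private key of {r['encryptor']} has never been backed up"))
        else:
            plan["rotate"].append(regenerate_statement(db, new_certificate))
    return plan


# Constructed sample: what the DMV join might return on a server mid-rotation.
NEW_CERT = certificate_name(datetime(2014, 1, 2, 10, 15))  # PCI_Compliance_Certificate_201401021015
OLD_CERT = "PCI_Compliance_Certificate_201312231546"
SAMPLE_ROWS = [
    {"name": "master", "encryption_state": 0, "percent_complete": 0.0, "encryptor": None, "pvt_key_last_backup_date": None},
    {"name": "Sales", "encryption_state": 3, "percent_complete": 0.0, "encryptor": OLD_CERT, "pvt_key_last_backup_date": "2013-12-23"},
    {"name": "HR", "encryption_state": 4, "percent_complete": 37.5, "encryptor": OLD_CERT, "pvt_key_last_backup_date": "2013-12-23"},
    {"name": "Odd]Name", "encryption_state": 3, "percent_complete": 0.0, "encryptor": "OldCert", "pvt_key_last_backup_date": "2013-06-01"},
    {"name": "Legacy", "encryption_state": 3, "percent_complete": 0.0, "encryptor": "OldCert", "pvt_key_last_backup_date": None},
    {"name": "Staging", "encryption_state": 3, "percent_complete": 0.0, "encryptor": NEW_CERT, "pvt_key_last_backup_date": "2014-01-02"},
    {"name": "Archive", "encryption_state": 1, "percent_complete": 0.0, "encryptor": None, "pvt_key_last_backup_date": None},
]

if __name__ == "__main__":
    for bucket, entries in plan_rotation(SAMPLE_ROWS, NEW_CERT).items():
        for entry in entries:
            print(f"{bucket:8} {entry}")
```

Run against the sample rows, only Sales and Odd]Name produce a REGENERATE statement; HR is reported as waiting at 37.5% of its key change, Legacy is blocked until its current certificate's private key has been backed up, and Staging is skipped because it is already on the new certificate. Feeding the "wait" bucket back into a polling loop (the script's WAITFOR DELAY pattern) gives a job that cannot stack a second key change on top of one still scanning.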
TDE Issue with UPDATE/SELECT statement
We just implemented TDE on a table and now our import script is getting errors. The import script has not changed and has been running fine for over a year. The script failed right after applying TDE on the table.
Oracle 10g Release 2 on Solaris.
Here are the encrypted columns:
COLUMN_NAME ENCRYPTION_ALG SALT
PERSON_ID AES 192 bits key NO
PERSON_KEY AES 192 bits key NO
USERNAME AES 192 bits key NO
FIRST_NAME AES 192 bits key NO
MIDDLE_NAME AES 192 bits key NO
LAST_NAME AES 192 bits key NO
NICKNAME AES 192 bits key NO
EMAIL_ADDRESS AES 192 bits key NO
AKO_EMAIL AES 192 bits key NO
CREATION_DATE AES 192 bits key NO
Here is the UPDATE/SELECT statement that is failing:
UPDATE cslmo_framework.users a
   SET ( person_id
       , username
       , first_name
       , middle_name
       , last_name
       , suffix
       , user_status_seq
       ) = (
         SELECT person_id
              , username
              , first_name
              , middle_name
              , last_name
              , suffix
              , user_status_seq
           FROM cslmo.vw_import_employee i
          WHERE i.person_key = a.person_key
       )
 WHERE EXISTS
       ( SELECT 1
           FROM cslmo.vw_import_employee i
          WHERE i.person_key = a.person_key
            AND ( NVL(a.person_id,0) <> NVL(i.person_id,0)
               OR NVL(a.username,' ') <> NVL(i.username,' ')
               OR NVL(a.first_name,' ') <> NVL(i.first_name,' ')
               OR NVL(a.middle_name,' ') <> NVL(i.middle_name,' ')
               OR NVL(a.last_name,' ') <> NVL(i.last_name,' ')
               OR NVL(a.suffix,' ') <> NVL(i.suffix,' ')
               OR NVL(a.user_status_seq,99) <> NVL(i.user_status_seq,99)
                )
       );
cslmo@awpswebj-dev> exec cslmo.pkg_acpers_import.p_users
Error importing USERS table.START p_users UPDATE
Error Message: ORA-01483: invalid length for DATE or NUMBER bind variable
I rewrote the procedure using BULK COLLECT and a FORALL statement and that seems to work fine. Here is the new code:
declare
bulk_errors EXCEPTION ;
PRAGMA EXCEPTION_INIT(bulk_errors,-24381) ;
l_idx NUMBER ;
l_err_msg VARCHAR2(2000) ;
l_err_code NUMBER ;
l_update NUMBER := 0 ;
l_count NUMBER := 0 ;
TYPE person_key_tt
IS
TABLE OF cslmo_framework.users.person_key%TYPE
INDEX BY BINARY_INTEGER ;
arr_person_key person_key_tt ;
TYPE person_id_tt
IS
TABLE OF cslmo_framework.users.person_id%TYPE
INDEX BY BINARY_INTEGER ;
arr_person_id person_id_tt ;
TYPE username_tt
IS
TABLE OF cslmo_framework.users.username%TYPE
INDEX BY BINARY_INTEGER ;
arr_username username_tt ;
TYPE first_name_tt
IS
TABLE OF cslmo_framework.users.first_name%TYPE
INDEX BY BINARY_INTEGER ;
arr_first_name first_name_tt ;
TYPE middle_name_tt
IS
TABLE OF cslmo_framework.users.middle_name%TYPE
INDEX BY BINARY_INTEGER ;
arr_middle_name middle_name_tt ;
TYPE last_name_tt
IS
TABLE OF cslmo_framework.users.last_name%TYPE
INDEX BY BINARY_INTEGER ;
arr_last_name last_name_tt ;
TYPE suffix_tt
IS
TABLE OF cslmo_framework.users.suffix%TYPE
INDEX BY BINARY_INTEGER ;
arr_suffix suffix_tt ;
TYPE user_status_seq_tt
IS
TABLE OF cslmo_framework.users.user_status_seq%TYPE
INDEX BY BINARY_INTEGER ;
arr_user_status_seq user_status_seq_tt ;
CURSOR users_upd IS
SELECT i.person_key
,i.person_id
,i.username
,i.first_name
,i.middle_name
,i.last_name
,i.suffix
,i.user_status_seq
FROM cslmo.vw_import_employee i ,
cslmo_framework.users u
WHERE i.person_key = u.person_key ;
begin
OPEN users_upd ;
LOOP
FETCH users_upd
BULK
COLLECT
INTO arr_person_key
, arr_person_id
, arr_username
, arr_first_name
, arr_middle_name
, arr_last_name
, arr_suffix
, arr_user_status_seq
LIMIT 100 ;
FORALL idx IN 1 .. arr_person_key.COUNT
SAVE EXCEPTIONS
UPDATE cslmo_framework.users u
SET
person_id = arr_person_id(idx)
, username = arr_username(idx)
, first_name = arr_first_name(idx)
, middle_name = arr_middle_name(idx)
, last_name = arr_last_name(idx)
, suffix = arr_suffix(idx)
, user_status_seq = arr_user_status_seq(idx)
WHERE u.person_key = arr_person_key(idx)
AND
( NVL(u.person_id,0) != NVL(arr_person_id(idx),0)
OR
NVL(u.username,' ') != NVL(arr_username(idx),' ')
OR
NVL(u.first_name,' ') != NVL(arr_first_name(idx),' ')
OR
NVL(u.middle_name, ' ') != NVL(arr_middle_name(idx), ' ')
OR
NVL(u.last_name,' ') != NVL(arr_last_name(idx),' ')
OR
NVL(u.suffix,' ') != NVL(arr_suffix(idx),' ')
OR
NVL(u.user_status_seq,99) != NVL(arr_user_status_seq(idx),99)
) ;
l_count := arr_person_key.COUNT ;
l_update := l_update + l_count ;
EXIT WHEN users_upd%NOTFOUND ;
END LOOP ;
CLOSE users_upd ;
COMMIT ;
dbms_output.put_line('updated records: ' || l_update);
EXCEPTION
WHEN bulk_errors THEN
FOR i IN 1 .. sql%BULK_EXCEPTIONS.COUNT
LOOP
l_err_code := sql%BULK_EXCEPTIONS(i).error_code ;
l_err_msg := sqlerrm(-l_err_code) ;
l_idx := sql%BULK_EXCEPTIONS(i).error_index;
dbms_output.put_line('error code: ' || l_err_code);
dbms_output.put_line('error msg: ' || l_err_msg);
dbms_output.put_line('at index: ' || l_idx);
END LOOP ;
ROLLBACK;
RAISE;
end ;
cslmo@awpswebj-dev> @cslmo_users_update
updated records: 1274
There are about 20 or so other procedures in the import script. I don't want to rewrite them.
Does anyone know why the UPDATE/SELECT is failing? I checked Metalink and could not find anything about this problem.
This is now an Oracle bug, #9182070 on Metalink.
TDE (transparent data encryption) does not work when an update/select statement references a remote database. -
Can we create wallet at User Level to implement TDE in Oracle 10g
Hi
I am going to use the Oracle 10g TDE security feature for data security. I have gone through lots of documents. Everywhere there is mention of opening or closing a Wallet at system level, I mean ALTER SYSTEM... that means except the DBA no one can see the encrypted column.
But my requirement is a bit different: I want to encrypt the column based on user.
Let's take an example: suppose we have one table TEST with columns C1, C2, C3, C4, C5, C6 and there are users U1, U2, U3. I want to encrypt C1 and C3 for U1, C2 and C5 for U2, C4 and C6 for U3, and U1, U2 and U3 can see all columns except the encrypted ones.
My question is: can we apply TDE at user level rather than system level?
Any ideas or thoughts would be appreciated.
Thanks in advance.
Anwar
The idea of TDE is to provide data protection on storage media, so when your backup tapes drop from the truck or the hard disk of a stolen laptop is sold online, encrypted data remains encrypted and can't be read by anyone.
It seems to me as if you try to achieve access control by encryption, which you don't need: If users have sufficient privileges or the business need to see data, then they should be granted access and see the data de-crypted. Otherwise, access control mechanisms (roles, views, VPD, OLS) should kick in and hide the rows from them.
So, for day-to-day business of your database, the wallet needs to be open, so that the database can de-crypt data for users who have been granted to see credit card numbers etc., but then limit access to credit card numbers they are not allowed to see with other measures. There is a little hands-on for TDE and VPD here:
http://www.oracle.com/technology/obe/10gr2_db_vmware/security/tde/tde.htm
Hope this helps,
Peter -
We are running oracle rac on 10.2.0.3 linux Itanium platform. I am setting up TDE for the first time and I setup my wallet location to be on an ocfs file system so that each node in the cluster will have access to the key. Is that all we will need to do and is this a supported configuration for TDE in a rac environment?
Do you have to open the wallet on each instance during instance startup when running rac?
Also we have a physical standby server configured and I set up the same wallet location on the physical standby and copied the wallet file over. Is that all we need to do for the standby server?
Thanks.
Peter,
Good info and your video makes everything look easy.
In addition to the encrypted wallet file (ewallet.p12), I also have a cwallet.sso file in the local file system (not ACFS) on both RAC nodes of my Primary and both Standby nodes.
If I start the database and then run: SELECT * FROM V$ENCRYPTION_WALLET; it says the wallet status is open. However, as soon as a user tries to connect through our application (using jdbc), I get the "ORA-28365: wallet is not open" errors in the alert log. So then I have to run: ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<Wallet Password>"; on each node and then users can connect through the application.
Any ideas why auto-login doesn't work and why everything is grayed out on the Wallet Tab drop down menu in OWM?
Thanks. -
In Oracle TDE 11g R2, what's the difference between the TDE MEK(s):
ORACLE.TDE.HSM.MK
ORACLE.TSE.HSM.MK
Oracle TDE was searching (C_FindObjects) for a key with key label "ORACLE.TSE.HSM.MK.xxxxxxxxxxxxxx", but I don't have it. What is this key for ?
And, when it is not found, it reports: "ORA-28374: typed master key not found in wallet"
Thanks!
Best,
Steve
Hi,
OS: RedHat Linux 5 (Enterprise) 64 bits with Intel CPU
DB version: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
HSM vendor: my own software implementation of PKCS #11 for educational purpose.
And, as for comparison, this works with SafeNet HSM (Protect C Toolkit Software version)
Best,
Steve
Edited by: 852756 on May 11, 2011 1:14 PM
Edited by: 852756 on May 11, 2011 1:17 PM -
TDE Table encryption SQL Query performance is very very slow
Hi,
We have done one column encryption for one table using the TDE method with the no salt option and it impacted the response time of the SQL query to 32 hours.
Oracle database version is 10.2.0.5
Example:
alter table abc modify (numberx encrypt no salt);
After encryption the SQL execution is taking more time; below is the statement.
================================
declare
  fNumber cardx.numberx%TYPE;
  fCount integer := 0;
  fserno cardx.serno%TYPE;
  fcaccserno cardx.caccserno%TYPE;
  ftrxnfeeprofserno cardx.trxnfeeprofserno%TYPE;
  fstfinancial cardx.stfinancial%TYPE;
  fexpirydate cardx.expirydate%TYPE;
  fpreviousexpirydate cardx.previousexpirydate%TYPE;
  fexpirydatestatus cardx.expirydatestatus%TYPE;
  fblockeddate cardx.blockeddate%TYPE;
  fproduct cardx.product%TYPE;
  faccstmtsummaryind cardx.accstmtsummaryind%TYPE;
  finstitution_id cardx.institution_id%TYPE;
  fdefaultaccounttype cardx.defaultaccounttype%TYPE;
  flanguagecode cardx.languagecode%TYPE;
  froute integer;
begin
  for i in (select c.numberx from cardx c where c.stgeneral = 'NORM')
  loop
    select c.serno, c.caccserno, c.trxnfeeprofserno, c.stfinancial, c.expirydate,
           c.previousexpirydate, c.expirydatestatus, c.blockeddate, c.product,
           c.accstmtsummaryind, c.institution_id, c.defaultaccounttype, c.languagecode,
           (select count(*)
              from caccountrouting ar
             where ar.cardxserno = c.serno
               and ar.rtrxntype = ISS_REWARDS.GetRewardTrxnTypeserno)
      into fserno, fcaccserno, ftrxnfeeprofserno, fstfinancial, fexpirydate,
           fpreviousexpirydate, fexpirydatestatus, fblockeddate, fproduct,
           faccstmtsummaryind, finstitution_id, fdefaultaccounttype, flanguagecode, froute
      from cardx c
     where c.numberx = i.numberx;
    fCount := fCount + 1;
  end loop;
  dbms_output.put_line(fCount);
end;
===============================
Any help would be greatly appreciated.
Thanks,
Mohammed.
Edited by: Mohammed Yousuf on Oct 7, 2011 12:47 PM
Still, that's not enough evidence to prove that TDE is indeed the culprit. Can you trace the query before and after enabling TDE using 10046 and post it here?
Aman.... -
TDE failed with ORA-03113 on 11.2.0.3
Database version is 11.2.0.3 enterprise, OS is oracle enterprise linux 5.8
When trying to encrypt a column it throws an error:
SQL> alter table accounts modify acct_number encrypt;
alter table accounts modify acct_number encrypt
ERROR at line 1:
ORA-03113: end-of-file on communication channel
Process ID: 10790
Session ID: 29 Serial number: 901
There are two instances set up on the same machine; TDE works for one of them but not for the other.
Does anyone encounter the same issue?
The following thread is related, but the solution does not work for us.
http://www.experts-exchange.com/Database/Oracle/Q_27759110.html
Per white paper:
If the databases share the same ORACLE_HOME, they also share the same sqlnet.ora file in $TNS_ADMIN. In order to access their individual wallet, the DIRECTORY entry for the ENCRYPTION_WALLET_LOCATION needs to point each database to its own wallet location:
DIRECTORY = /etc/ORACLE/WALLETS/$ORACLE_UNQNAME
Can an environment variable be used in the sqlnet.ora file? It seems not to work.
Thanks a lot.
-
Hi,
What are some best practices to implement TDE?
Thanks
Make sure the path specified in ENCRYPTION_WALLET_LOCATION exists and is accessible to the oracle user, and that you didn't use blank spaces in sqlnet.ora for the parameter if you wrote it on multiple lines, something like:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/server_wallet)))
It should be:
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/server_wallet)))
-
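Three threads above turn on what the ENCRYPTION_WALLET_LOCATION block actually parses to for a given instance: the two-DIRECTORY attempt for DB#1/DB#2 in the "Multiple Databases on same Host" thread, the "can an environment variable be used in sqlnet.ora" question in the ORA-03113 thread, and the best-practice reply just above about the path and the formatting. The Python below is an added example, not Oracle's code and not from any of the posts: it parses Oracle's parenthesised name-value syntax, lists the DIRECTORY entries it finds, expands $VARIABLES from a per-instance environment the way the $ORACLE_UNQNAME recipe depends on (the database performs its own expansion; this only models it), and flags the three misconfigurations the threads describe: more than one DIRECTORY, a variable that is not set for an instance, and two instances resolving to one shared wallet. The sqlnet.ora text, instance names and environments are constructed.

```python
"""Static checks for ENCRYPTION_WALLET_LOCATION in sqlnet.ora.  Added example, not
Oracle's code: parses the parenthesised name-value syntax, lists every DIRECTORY,
expands $VAR from a per-instance environment (modelling the $ORACLE_UNQNAME recipe;
the database does its own expansion) and reports the misconfigurations discussed.
All file contents, paths and instance names below are constructed."""
import re

def _skip_ws(s, i):
    while i < len(s) and s[i] in " \t\r\n":
        i += 1
    return i

def _token(s, i):
    # bare token: everything up to '=', '(', ')' or end of line
    j = i
    while j < len(s) and s[j] not in "=()\n":
        j += 1
    return s[i:j].strip(), j

def _value(s, i):
    # a value is a run of '( ... )' groups or a bare token
    i = _skip_ws(s, i)
    return _groups(s, i) if i < len(s) and s[i] == "(" else _token(s, i)

def _groups(s, i):
    """Adjacent '(NAME = VALUE)' groups -> [(NAME, value)]; a bare '(NTS)' entry
    becomes (None, 'NTS').  A group that is never closed raises ValueError."""
    items = []
    while True:
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != "(":
            return items, i
        start, i = i, i + 1
        name, i = _token(s, i)
        i = _skip_ws(s, i)
        if i < len(s) and s[i] == "=":
            value, i = _value(s, i + 1)
            items.append((name.upper(), value))
        else:
            items.append((None, name))
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"group opened at offset {start} is never closed")
        i += 1

def parse_sqlnet(text):
    """sqlnet.ora text -> {PARAMETER: value}; '#' comment lines are ignored."""
    s = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    params, i = {}, 0
    while True:
        i = _skip_ws(s, i)
        if i >= len(s):
            return params
        name, i = _token(s, i)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != "=":
            raise ValueError(f"expected '=' after parameter {name!r}")
        value, i = _value(s, i + 1)
        params[name.upper()] = value

def wallet_directories(params):
    """Every DIRECTORY nested under ENCRYPTION_WALLET_LOCATION, in file order."""
    found = []
    def walk(value):
        if isinstance(value, list):
            for name, v in value:
                if name == "DIRECTORY":
                    found.append(v)
                walk(v)
    walk(params.get("ENCRYPTION_WALLET_LOCATION", []))
    return found

def check_wallets(sqlnet_text, instances):
    """instances: {db_unique_name: env dict}.  Returns (resolved, findings)."""
    findings, resolved, sharing = [], {}, {}
    dirs = wallet_directories(parse_sqlnet(sqlnet_text))
    if not dirs:
        return {}, ["no DIRECTORY under ENCRYPTION_WALLET_LOCATION"]
    if len(dirs) > 1:
        findings.append(f"{len(dirs)} DIRECTORY entries; use one, with $ORACLE_UNQNAME to vary it per instance")
    for db, env in instances.items():
        missing = [v for v in re.findall(r"\$\{?(\w+)\}?", dirs[0]) if v not in env]
        if missing:  # an unset variable leaves the path unresolvable for this instance
            findings.append(f"{db}: ${missing[0]} is not set, DIRECTORY cannot resolve")
            continue
        resolved[db] = re.sub(r"\$\{?(\w+)\}?", lambda m: env[m.group(1)], dirs[0])
        sharing.setdefault(resolved[db], []).append(db)
    for path, dbs in sharing.items():
        if len(dbs) > 1:  # one wallet for two instances is the unsupported layout
            findings.append(f"{' and '.join(dbs)} would share the wallet in {path}")
    return resolved, findings

# Constructed sqlnet.ora fragments in the two shapes posted above.
SQLNET_TWO_DIRS = """
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /local/oracle/admin/wallet/DB1)
      (DIRECTORY = /local/oracle/admin/wallet/DB2)))
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""
SQLNET_PER_INSTANCE = """
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /local/oracle/admin/wallet/$ORACLE_UNQNAME)))
"""
INSTANCES = {"DB1": {"ORACLE_UNQNAME": "DB1"}, "DB2": {"ORACLE_UNQNAME": "DB2"}}
```

With the two-DIRECTORY file, both instances resolve to the first directory, so the checker reports the ambiguous entry and the shared wallet; with the $ORACLE_UNQNAME form each instance gets its own path, and an instance started without ORACLE_UNQNAME in its environment is reported instead of silently falling back. A block whose closing parenthesis is missing raises ValueError rather than yielding a wallet path, which is the check to run before restarting a listener against an edited sqlnet.ora.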
How to Secure SQL SERVER 2012 Backup without using TDE or any thirdparty backup solution
Hi Experts
Actually I was using the backup set password feature for MS SQL Server 2008 but it is dropped in the new versions (2012 & 2014). Please suggest some options for making the backups secure without using TDE or any third-party tools.
Hi khalil_pak,
The WITH PASSWORD feature didn't really encrypt your backup. It just made it difficult for someone to accidentally restore the backup when they were not allowed to. And as the other post says, the password option is weak and could be broken easily.
The only true way to protect the data is to encrypt the data at the source by encrypting the database with TDE. Or you can choose to use cell-level encryption to encrypt sensitive data.
Thanks,
Lyd Zhang
TechNet Community Support
-
I understand that the implementation of just about any database encryption solution is going to result in some degree of a performance hit, especially as searches are performed against the database, but nonetheless we are thinking about implementing the Oracle TDE solution and, as recommended, isolating encryption to ONLY the necessary columns of data; in our case, columns pertaining to private ANSWER (results) data and/or PII (Pers. Ident. Info.). This being said, is anyone else doing something similar with TDE, or does anyone have any pointers up front on what to look out for, what to expect, and how they are operating with TDE? (Just reaching out for some thoughts, insight, comments, and/or warnings)... Thank you very much. - Jason
Yes, we have many customers using it, please check my updated TDE best practices paper; it has lots of hints and tricks and things to look out for:
Available from http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html (scroll down, please).
Thanks, Peter -
Maximum TDES length data to cipher
Hi,
I have been testing the creation of TDES keys and using them to cipher data, and with the results I'm receiving I'm wondering if there is any limit on Triple DES for the length of the data to cipher, because I'm only able to cipher data of 8 or 16 bytes; with 32 bytes it returns a 6F00 error, even with a try/catch:
// 'des' (the DES key), data2cipher and randomD_cipher are declared elsewhere in the applet
cipher = Cipher.getInstance(Cipher.ALG_DES_CBC_NOPAD, false);
// 8-byte all-zero IV for CBC
cipher.init(des, Cipher.MODE_DECRYPT, new byte[]{0,0,0,0,0,0,0,0}, (short)0, (short)8);
try {
    cipheredataL = cipher.doFinal(data2cipher, (short)0, (short)32, randomD_cipher, (short)0);
} catch (CryptoException crypto) {
    if (crypto.getReason() == CryptoException.UNINITIALIZED_KEY)
        ISOException.throwIt(ISO7816.SW_FILE_FULL);
    else if (crypto.getReason() == CryptoException.INVALID_INIT)
        ISOException.throwIt(ISO7816.SW_FILE_NOT_FOUND);
    else if (crypto.getReason() == CryptoException.ILLEGAL_USE)
        ISOException.throwIt(ISO7816.SW_FILE_INVALID);
    else
        ISOException.throwIt(ISO7816.SW_RECORD_NOT_FOUND);
}
Thanks for your help another time :)
I am not aware of a size limit for cipher.doFinal.
Could it be that your data2cipher variable is shorter than 32 bytes, or/and its allocation fails?