Oracle Vault: Principles, Installation, and Configuration

Source: Internet
Author: User

Security is a critical consideration for information systems. Given the attention drawn in recent years by the explosion of information and by data leakage incidents around the world, the lesson is clear: without data security there is no sustained trust from customers, and without that trust an enterprise has no room to survive.

Security threats span a broad scope and are made up of many factors, such as the widespread internet attacks launched by external hackers. According to statistics, however, the vast majority of the situations that companies actually face are internal threats to data. Much confidential and private data is stolen not by "ubiquitous" hackers, but by "moles" in the operations, development, and business departments.

Internal security is in fact a conflicted, largely non-technical issue. If data is not released to internal personnel, much work cannot be done. If you open data to internal personnel, especially staff from third-party service providers, the safety of your data is no longer guaranteed.

Of course, many organizations have tried ways to deal with such problems. Legal confidentiality agreements and multi-layer approval mechanisms, for example, can only alleviate the problem to a certain extent. One of the most useful methods is separation of duties, so that no single person holds the whole process. That is, one person assumes only a single role, which covers only one part of the whole process of data access. The risk of a leak from a single employee remains high, but the risk that every point in the entire workflow, or even the entire team, leaks is greatly reduced.

As the most mature commercial database, Oracle Database has, while stabilizing its core functions, provided many security operations tools for its large user base. At the data layer, Oracle offers three technologies: Virtual Private Database (VPD), Label Security, and Oracle Vault. VPD mainly adds data access restrictions to meet access-control needs at the application layer. Label Security is, to some extent, an extended upgrade of VPD. Vault separates the security responsibilities of the Oracle database: it decouples data security responsibilities from ordinary users and even from sys, and distributes fine-grained security responsibilities across several roles.
 
 

1. Oracle Vault Overview
 
 

Oracle Vault is one of Oracle's officially recommended security features. It is mainly used for data protection within operations organizations. In the traditional model, Oracle security follows the "sys is God" pattern: although we have various system, role, and object privileges, and although every security manual requires us to use non-sys users for maintenance work, many database administrators still use sys for all work. Some data protection technologies, such as VPD, can implement data-level control, but they are ineffective against sys.

More importantly, once a system privilege of the ANY class, such as SELECT ANY TABLE, is granted, the user effectively controls access to every data table. This is a very arbitrary practice with huge potential for abuse.

Under the "sys is God" model, such a situation cannot be controlled. Some operations tasks, such as data backup, import and export, cannot avoid highly privileged access. "Don't do it, and you don't have to worry" is the current state of many operations organizations.

Oracle Vault provides an option to reduce the privileges of the sys user. As an optional component of Oracle Database, Vault requires additional relinking of the binary, registration, and installation. After Vault is installed, Oracle creates a brand new user, dbvowner, and some data operations and access permissions that sys used to control are taken away from it.

Vault has three core elements: Realm, Factor, and Rule. They restrict or protect specific objects from multiple aspects, such as the data objects involved and the operation commands used.
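As an added example that is not part of the original article, the following shows how the Realm element closes the SELECT ANY TABLE hole described above once Vault is installed. The HR schema, the realm name and the DBA account name OPS_DBA are assumed for illustration; the PL/SQL block must be run as the Vault owner account created during installation (dbvowner in this article).

```sql
-- Added example: protect the (assumed) HR schema with a Database Vault realm.
-- Run as the Vault owner (dbvowner), not as sys.
BEGIN
  -- 1. Create the realm and audit every failed access attempt.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Shields HR tables from holders of ANY privileges',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object of every type in the HR schema under the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize only the schema owner. Nobody else, sys included, can now
  --    reach HR objects through system privileges such as SELECT ANY TABLE.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verification from an (assumed) DBA account that holds SELECT ANY TABLE.
-- The realm blocks the access with ORA-01031, while HR itself keeps working.
CONNECT ops_dba
SELECT COUNT(*) FROM hr.employees;   -- ORA-01031: insufficient privileges

-- The failed attempt is recorded in the Vault audit trail; review it as the
-- Vault owner. Only commonly present audit columns are selected here.
CONNECT dbvowner
SELECT username, action_name, returncode
  FROM dvsys.audit_trail$
 WHERE username = 'OPS_DBA';
```

The realm does not replace object grants: HR can still grant individual tables to other users, but ANY-class system privileges no longer bypass the realm boundary.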
 
This series describes how to install, configure, and use Oracle Vault. This first part covers the installation of Vault.
 
 

2. Oracle Vault prerequisites
 
 

By default, Vault is not installed in Enterprise Edition. We need to relink the binary manually and install the component before it can be used.

We use Oracle 11gR2 for testing; the version is 11.2.0.4.
 
 

SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
 
 

Check whether Vault is currently installed by querying the v$option view.
 
 

SQL> select * from v$option where parameter like '%Vault%';

PARAMETER                      VALUE
------------------------------ ----------
Oracle Database Vault          FALSE
 
 

Shut down the database, the listener, and DB Console before starting the installation and configuration.
 
 

-- Listener
[oracle@SimpleLinux ~]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 07-APR-2014 12:41:34

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SimpleLinux)(PORT=1521)))
The command completed successfully

-- Console
[oracle@SimpleLinux ~]$ emctl stop dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.4.0
Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
https://SimpleLinux:1158/em/console/aboutApplication
Stopping Oracle Enterprise Manager 11g Database Control ...
 ...  Stopped.

-- Database Server
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
 
 

3. Component Compilation
 
 

Oracle Vault depends on Label Security, and both must be enabled at the operating system level by relinking the Oracle binary. On Linux/Unix, use make to perform the relink.
 
 

[oracle@SimpleLinux lib]$ cd $ORACLE_HOME/rdbms/lib
[oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzvndv.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzvidv.o
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzlnlbac.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzlilbac.o
chmod 755 /u01/app/oracle/bin

 - Linking Oracle
rm -f /u01/app/oracle/rdbms/lib/oracle
gcc -o /u01/app/oracle/rdbms/lib/oracle -m32 -z noexecstack -L/u01/app/oracle/rdbms/lib/ -L/u01/app/oracle/lib/ -L/u01/app/oracle/lib/stubs/ -L/u01/app/oracle/lib/ -lirc -lipgo -Wl,-E /u01/app/oracle/rdbms/lib/opimai.o
(omitted for space reasons ......)
-L/u01/app/oracle/lib
test ! -f /u01/app/oracle/bin/oracle ||\
   mv -f /u01/app/oracle/bin/oracle /u01/app/oracle/bin/oracleO
mv /u01/app/oracle/rdbms/lib/oracle /u01/app/oracle/bin/oracle
chmod 6751 /u01/app/oracle/bin/oracle
 
 

Note: if the database needs to reach storage over the IPC protocol on Exadata, the ipc_rds protocol module must be added to the relink as well. On Windows, the file oradv11.dll.dbl in the $ORACLE_HOME/bin directory is instead renamed to oradv11.dll.

Then restart the listener and the database server.
 
 

[oracle@SimpleLinux lib]$ lsnrctl start

SQL> conn / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.

Total System Global Area  372449280 bytes
Fixed Size                  1364732 bytes
Variable Size             281021700 bytes
