Date post: | 01-Mar-2016 |
7/18/2019 Oracle Advanced Security Option With SAP
http://slidepdf.com/reader/full/oracle-advanced-security-option-with-sap 1/14
Oracle Advanced Security Option with SAP
Sanjay Kulkarni, Database Platforms Group
SAP AG
© SAP AG 2002, Oracle ASO with SAP. Sanjay Kulkarni 2
Oracle ASO with SAP – General Remarks
The Oracle ASO option offers the following features:
Database Authentication
Encryption (TDE and Network Encryption)
An Oracle ASO implementation should take care of parts of the regulatory & compliance requirements such as SB 1386 and Sarbanes-Oxley.
Provides flexibility in implementation: can use native Oracle methods or industry standards such as SSL.
Provides several tools which simplify management & configuration tasks.
Oracle ASO needs to be licensed separately; if you have Oracle licenses through SAP, then ASO is already covered.
With Oracle 10.2, SAP customers already install the Oracle ASO software option with the database.
Oracle ASO with SAP – General Information
SAP will support & certify in-transit data encryption (network encryption with data integrity) and Transparent Data Encryption (TDE).
Both TDE and in-transit data encryption (network encryption with data integrity) are released in PILOT PHASE.
The authentication feature of ASO is still being evaluated with regard to the integration effort needed with the SAP application.
Each ASO feature will be certified with the ABAP as well as the Java stack.
Some general good practices:
Apply the latest patchset for your release.
Apply the latest CPU (critical patch updates).
Apply all the needed one-off patches for your release.
Implement the SAP recommendations with regard to database parameterization for your release / product.
Oracle ASO with SAP – Software Installation
The ASO option needs to be installed before any configuration can be started.
A simple check on UNIX is to run the adapters command as ora<dbsid>.
Output looks something like:
Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
On Windows simply start the runInstaller and check if ASO has been installed by looking at the list of installed components.
In case you intend to use Net Manager for configuration, please make sure that the file $ORACLE_HOME/network/tools/NetProperties contains the line:
INSTALLEDCOMPONENTS=ASO,ORACLENET
Oracle ASO with SAP – Network Encryption
Plain text data exchanged between client and server is encrypted based on a key.
Supported algorithms for data encryption include AES, DES, 3DES and RC4, each with different key length combinations.
Key distribution is managed using the Diffie-Hellman negotiation algorithm.
Encryption of in-transit data can also be carried out using SSL.
The choice depends on the infrastructure / implementation at the customer site. From an SAP perspective, customers can choose the algorithm to be used for network encryption.
Oracle ASO with SAP – Network Encryption
Configuration / implementation effort is minimal and completely transparent to the SAP application (additional parameters in sqlnet.ora).
Native Network Encryption (non-SSL based) is already released for piloting for SAP products based on Kernels 700 and 640.
The only prerequisite is that the DB server should be at least Oracle 10.2.0.2, and for the 640 system the Oracle client should be at least Oracle 9.2.0.7.
For Java systems, client-side configuration is currently not possible and therefore Network Encryption needs to be controlled from the server side only.
Oracle ASO with SAP – Network Encryption
Configuration can be done manually by editing the sqlnet.ora or by using the Oracle Net Manager:
SQLNET.ENCRYPTION_SERVER=[accepted|rejected|requested|required]
SQLNET.ENCRYPTION_TYPES_SERVER = (AES192,DES,RC4_256)
SQLNET.ENCRYPTION_CLIENT=[accepted|rejected|requested|required]
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES192,DES,RC4_256)
SQLNET.CRYPTO_SEED parameter is optional
Possible values for SQLNET.ENCRYPTION_SERVER:
ACCEPTED: Default; encryption is enabled if the other side requests it.
REJECTED: Do not enable encryption, even if the other side requests it.
REQUESTED: Enable encryption if the other side allows it.
REQUIRED: Enable encryption, otherwise abort the connection.
Oracle ASO with SAP – Network Encryption
                       CLIENT
SERVER       Accepted  Rejected  Requested  Required
Accepted     OFF       OFF       ON         ON
Rejected     OFF       OFF       OFF        12660
Requested    ON        OFF       ON         ON
Required     ON        12660     ON         ON
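The matrix above, applied to a pair of sqlnet.ora files, as an added example that is not part of the original slides. The sample files are constructed, and two things are assumptions not stated on the slides: an absent client algorithm list places no restriction, and the server's first algorithm that the client also lists is the one used.

```python
import re

LEVELS = {"accepted", "rejected", "requested", "required"}

def read_param(text, name, default):
    """Value of one sqlnet.ora parameter; parameter names are case-insensitive."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", text, re.I | re.M)
    return m.group(1) if m else default

def read_types(text, name):
    """Parse '(AES192,DES,RC4_256)' into ['AES192', 'DES', 'RC4_256']."""
    raw = read_param(text, name, "")
    return [t.strip().upper() for t in raw.strip("()").split(",") if t.strip()]

def negotiate(server_level, client_level):
    """Outcome from the matrix above: 'ON', 'OFF' or '12660' (connection refused)."""
    pair = {server_level.lower(), client_level.lower()}
    if not pair <= LEVELS:
        raise ValueError(f"unknown negotiation level in {sorted(pair)}")
    if pair == {"rejected", "required"}:
        return "12660"
    if "rejected" in pair or pair == {"accepted"}:
        return "OFF"
    return "ON"

def effective(server_text, client_text):
    """Return (outcome, algorithm) for one server/client sqlnet.ora pair."""
    s = read_param(server_text, "SQLNET.ENCRYPTION_SERVER", "accepted")
    c = read_param(client_text, "SQLNET.ENCRYPTION_CLIENT", "accepted")
    outcome = negotiate(s, c)
    if outcome != "ON":
        return outcome, None
    offered = read_types(server_text, "SQLNET.ENCRYPTION_TYPES_SERVER")
    wanted = read_types(client_text, "SQLNET.ENCRYPTION_TYPES_CLIENT")
    # Assumptions: an absent client list places no restriction, and the server's
    # first algorithm that the client also lists is the one chosen.
    common = [a for a in offered if not wanted or a in wanted]
    return outcome, (common[0] if common else None)

# Constructed sample files (not from the original slides).
SERVER = """SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES192,DES,RC4_256)
"""
CLIENT_UNSET = ""  # no client-side settings, e.g. the Java stack case
CLIENT_REJECT = "SQLNET.ENCRYPTION_CLIENT = rejected\n"
CLIENT_DES = "sqlnet.encryption_client = requested\nSQLNET.ENCRYPTION_TYPES_CLIENT = (DES)\n"

if __name__ == "__main__":
    print([effective(SERVER, c) for c in (CLIENT_UNSET, CLIENT_REJECT, CLIENT_DES)])
```

The third case shows why the algorithm lists matter as much as the level: with REQUIRED on the server, a client that lists only DES still connects, and the session is encrypted with DES.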
Oracle ASO with SAP – Data Integrity
The Data Integrity feature protects data against modification and replay attacks.
Enabling data integrity again involves parameters in sqlnet.ora:
SQLNET.CRYPTO_CHECKSUM_SERVER=[accepted|rejected|requested|required]
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1,MD5)
SQLNET.CRYPTO_CHECKSUM_CLIENT=[accepted|rejected|requested|required]
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1,MD5)
ASO supports use of the MD5 and SHA-1 algorithms for implementation of Data Integrity.
Data Integrity is independent of the in-transit data encryption.
Network trace:
[18-AUG-2006 10:23:29:237] na_tns: Secure Network Services is available.
[18-AUG-2006 10:23:29:237] nau_adi: entry
[18-AUG-2006 10:23:29:237] nau_adi: exit
[18-AUG-2006 10:23:29:237] na_tns: authentication is not active
[18-AUG-2006 10:23:29:237] na_tns: encryption is active, using RC4_40
[18-AUG-2006 10:23:29:237] na_tns: crypto-checksumming is not active
[18-AUG-2006 10:23:29:237] na_tns: exit
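A check that reads the na_tns status lines of such a trace and reports what was actually negotiated, as an added example that is not part of the original slides. The allowed cipher set is a hypothetical site policy, and the second trace is constructed by analogy with the slide's wording.

```python
import re

STATUS = re.compile(
    r"na_tns: (authentication|encryption|crypto-checksumming) is (not )?active"
    r"(?:, using (\w+))?")

def parse_trace(trace_text):
    """Map each service to its algorithm, 'unknown' (active, none named) or None."""
    state = {}
    for line in trace_text.splitlines():
        m = STATUS.search(line)
        if m:
            service, negated, algorithm = m.groups()
            state[service] = None if negated else (algorithm or "unknown")
    return state

def findings(state, allowed_ciphers):
    """List deviations from a site policy; allowed_ciphers is that policy's set."""
    out = []
    cipher = state.get("encryption")
    if cipher is None:
        out.append("encryption is not active")
    elif cipher not in allowed_ciphers:
        out.append(f"encryption uses {cipher}, outside the allowed set")
    if state.get("crypto-checksumming") is None:
        out.append("crypto-checksumming is not active")
    return out

# Status lines as shown in the trace on the slide.
SLIDE_TRACE = """\
[18-AUG-2006 10:23:29:237] na_tns: authentication is not active
[18-AUG-2006 10:23:29:237] na_tns: encryption is active, using RC4_40
[18-AUG-2006 10:23:29:237] na_tns: crypto-checksumming is not active
"""
# Constructed by analogy with the slide's wording; not captured from a real system.
HARDENED_TRACE = """\
[18-AUG-2006 10:40:02:115] na_tns: encryption is active, using AES192
[18-AUG-2006 10:40:02:115] na_tns: crypto-checksumming is active, using SHA1
"""
POLICY = {"AES192"}  # hypothetical site policy

if __name__ == "__main__":
    for name, trace in (("slide", SLIDE_TRACE), ("hardened", HARDENED_TRACE)):
        print(name, findings(parse_trace(trace), POLICY))
```

Because data integrity is configured independently of encryption, the slide's trace yields two separate findings: a cipher outside the policy and no checksumming at all.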
Oracle ASO with SAP – Transparent Data Encryption
Encryption of the data written to the database can be achieved in 3 ways:
DBMS_CRYPTO (no plans for SAP support)
DBMS_OBFUSCATION_TOOLKIT (no plans for SAP support)
TDE (new feature with Oracle 10.2)
TDE is a key-based access control system in which the data stored in table columns is encrypted. The keys for all tables containing encrypted columns are themselves encrypted using a Database Master Key and stored in a dictionary table.
The master key itself is stored outside the database in a wallet specified by the wallet location. The wallet can also be used to generate encryption keys.
Two parts to enable TDE:
Generating the database master key and putting it into the wallet. (Encryption algorithm used is AES or 3DES.)
Encrypting data within columns.
It is recommended to use a separate wallet for TDE (located under ENCRYPTION_WALLET_LOCATION).
Oracle ASO with SAP – Transparent Data Encryption
Following data types supported with TDE:
CHAR
DATE
NUMBER
NCHAR
VARCHAR2
NVARCHAR2
Encryption algorithms supported are AES and 3DES.
For creating indexes, columns need to be encrypted with the NO SALT option. SALT is used to strengthen encryption.
Wallet management can be handled via Oracle Wallet Manager, including integration with existing PKI.
Export / Import Considerations
Useful views for TDE:
ALL_ENCRYPTED_COLUMNS (access based view)
DBA_ENCRYPTED_COLUMNS (all encrypted objects)
USER_ENCRYPTED_COLUMNS (schema encrypted objects)
Oracle ASO with SAP – TDE Limitations
Some Technical Limitations
Native imp / exp not supported. Only Data Pump.
Transportable Tablespaces not supported
Partitioning cannot be done using encrypted columns
No LOBs support
Only B-tree index types supported
Index Range scan search
TDE does not replace the need for an appropriate authorization / access control mechanism.
Since enabling encryption involves a change in table characteristics, a FULL TABLE UPDATE may cause performance overhead.
Currently SAP DDIC and tools such as R3load are not aware of the encryption attribute.
A general recommendation is to minimize the number of encrypted columns (only columns containing PII).
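A pre-flight check that applies the supported data types, the NO SALT rule for indexed columns and the limitations above to candidate columns before any DDL is run, as an added example that is not part of the original slides. The metadata format, the table name and the column names are hypothetical.

```python
import re

# Data types the slides list as supported for TDE column encryption.
SUPPORTED_TYPES = {"CHAR", "DATE", "NUMBER", "NCHAR", "VARCHAR2", "NVARCHAR2"}
IDENTIFIER = re.compile(r"[A-Za-z][A-Za-z0-9_$#]*")

def plan_column(table, column):
    """Return (ddl, reasons): the DDL to encrypt a column, or None and why not.

    `column` is a hypothetical metadata dict with keys name and data_type, plus
    optional index_types (list of str) and partition_key (bool).
    """
    for ident in (table, column["name"]):
        if not IDENTIFIER.fullmatch(ident):
            raise ValueError(f"refusing to build DDL from identifier {ident!r}")
    reasons = []
    if column["data_type"].upper() not in SUPPORTED_TYPES:
        reasons.append(f"data type {column['data_type']} is not supported")
    if column.get("partition_key"):
        reasons.append("column is used for partitioning")
    index_types = [t.upper() for t in column.get("index_types", [])]
    if any(t != "B-TREE" for t in index_types):
        reasons.append("only B-tree indexes are supported")
    if reasons:
        return None, reasons
    # Indexed columns must be encrypted without salt.
    clause = "ENCRYPT NO SALT" if index_types else "ENCRYPT"
    return f"ALTER TABLE {table} MODIFY ({column['name']} {clause})", []

# Constructed sample metadata; table and column names are hypothetical.
TABLE = "ZCUSTOMER"
COLUMNS = [
    {"name": "SSN", "data_type": "VARCHAR2", "index_types": ["B-TREE"]},
    {"name": "BIRTHDATE", "data_type": "DATE"},
    {"name": "SCAN", "data_type": "BLOB"},
    {"name": "REGION", "data_type": "CHAR", "partition_key": True,
     "index_types": ["BITMAP"]},
]

if __name__ == "__main__":
    for col in COLUMNS:
        print(col["name"], plan_column(TABLE, col))
```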
Oracle ASO with SAP – Documentation
Useful SAP Notes (either released or planned)
SAP Note 926023: Oracle Database Security
SAP Note 105047: Support for Oracle Functions in an SAP Environment
SAP Note 973450: Oracle ASO: Network Encryption / Data Integrity
SAP Note 828268: Oracle Database 10g: New Functions
SAP Note 974876: Oracle ASO: Transparent Data Encryption
SAP Note 834917: New Database Role SAPCONN
Useful Metalink Notes:
207959.1: All About Oracle Security
165465.1: FAQ about Oracle ASO
317311.1: 10g R2 New Feature TDE
76637.1: Crypto Checksumming Configuration
76629.1: Configuration of ASO Encryption
132852.1: Enabling SSL Authentication
Oracle ASO with SAP: Future Direction
Authentication
Tablespace Encryption