Oracle Advanced Security Option With SAP

Page 1: Oracle Advanced Security Option With SAP

7/18/2019 Oracle Advanced Security Option With SAP

http://slidepdf.com/reader/full/oracle-advanced-security-option-with-sap 1/14

Oracle Advanced Security Option with SAP

Sanjay Kulkarni, Database Platforms Group, SAP AG

Page 2: Oracle Advanced Security Option With SAP


© SAP AG 2002, Oracle ASO with SAP. Sanjay Kulkarni 2

Oracle ASO with SAP – General Remarks

Oracle ASO offers the following features:

Database authentication

Encryption (TDE and network encryption)

An Oracle ASO implementation should cover parts of regulatory and compliance requirements such as SB 1386 and Sarbanes-Oxley.

Provides flexibility in implementation: native Oracle methods or industry standards such as SSL can be used.

Provides several tools which simplify management and configuration tasks.

Oracle ASO needs to be licensed separately; if you have Oracle licenses through SAP, ASO is already covered.

With Oracle 10.2, SAP customers already install the Oracle ASO software option together with the database.

Page 3: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – General Information

SAP will support and certify in-transit data encryption (network encryption with data integrity) and Transparent Data Encryption (TDE).

Both TDE and in-transit data encryption (network encryption with data integrity) are released in PILOT PHASE.

The authentication feature of ASO is still being evaluated with regard to the integration effort needed with the SAP application.

Each ASO feature will be certified with the ABAP as well as the Java stack.

Some general good practices:

Apply the latest patchset for your release.

Apply the latest CPU (Critical Patch Update).

Apply all the needed one-off patches for your release.

Implement the SAP recommendations with regard to database parameterization for your release / product.

Page 4: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Software Installation

The ASO option needs to be installed before any configuration can be started.

A simple check on UNIX is to run the adapters command as ora<dbsid>. The output looks something like:

Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption

Note that this list only shows which adapters are linked into the Oracle software, not which algorithms are enabled for connections; that is controlled by the sqlnet.ora parameters described on the following pages.

On Windows, simply start runInstaller and check whether ASO has been installed by looking at the list of installed components.

If you intend to use Net Manager for configuration, make sure that the file $ORACLE_HOME/network/tools/NetProperties contains

INSTALLEDCOMPONENTS=ASO,ORACLENET

Page 5: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Network Encryption

Plaintext data exchanged between client and server is encrypted with a key negotiated for the session.

Supported algorithms for data encryption include AES, DES, 3DES and RC4, each with different key length combinations.

Key distribution is managed using the Diffie-Hellman key negotiation algorithm.

Encryption of in-transit data can also be carried out using SSL.

The choice depends on the infrastructure / implementation at the customer site. From an SAP perspective, customers can choose the algorithm to be used for network encryption.

Page 6: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Network Encryption

Configuration / implementation effort is minimal and completely transparent to the SAP application (additional parameters in sqlnet.ora).

Native network encryption (non-SSL based) is already released for piloting for SAP products based on kernels 700 and 640.

The only prerequisite is that the DB server is at least Oracle 10.2.0.2 and, for 640 systems, that the Oracle client is at least Oracle 9.2.0.7.

For Java systems, client-side configuration is currently not possible; therefore network encryption needs to be controlled from the server side only. Since an unconfigured client behaves as ACCEPTED, the server side must be set to REQUESTED or REQUIRED (see the negotiation matrix below) for encryption to be turned on for such clients.

Page 7: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Network Encryption

Configuration can be done manually by editing sqlnet.ora or by using the Oracle Net Manager:

  SQLNET.ENCRYPTION_SERVER = [accepted|rejected|requested|required]
  SQLNET.ENCRYPTION_TYPES_SERVER = (AES192,DES,RC4_256)
  SQLNET.ENCRYPTION_CLIENT = [accepted|rejected|requested|required]
  SQLNET.ENCRYPTION_TYPES_CLIENT = (AES192,DES,RC4_256)

The SQLNET.CRYPTO_SEED parameter is optional.

The algorithm lists above are the slide's example; in practice the *_TYPES lists should be restricted to the AES variants, since DES and RC4 are obsolete and a list that still contains them allows the weaker algorithm to be negotiated.

Possible values for SQLNET.ENCRYPTION_SERVER (and likewise for SQLNET.ENCRYPTION_CLIENT):

ACCEPTED: the default; encryption is enabled if the other side requests it.

REJECTED: encryption is not enabled even if the other side requests it.

REQUESTED: encryption is enabled if the other side allows it.

REQUIRED: encryption is enabled, otherwise the connection is aborted.

Page 8: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Network Encryption

Negotiation result by server and client setting (rows: SERVER, columns: CLIENT; 12660 = ORA-12660, encryption or crypto-checksumming parameters incompatible, the connection is aborted):

SERVER \ CLIENT   Accepted   Rejected   Requested   Required
Accepted          OFF        OFF        ON          ON
Rejected          OFF        OFF        OFF         12660
Requested         ON         OFF        ON          ON
Required          ON         12660      ON          ON

The matrix is symmetric: ON requires at least one side to be REQUESTED or REQUIRED and neither to be REJECTED; a REJECTED side meeting a REQUIRED side fails the connection rather than silently falling back to cleartext.
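The negotiation above, and the algorithm-list intersection that follows it, as a small Python model (an added example, not Oracle or SAP code). The ON/OFF/ORA-12660 matrix is the one from the slide and applies equally to the SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* parameters. Three things are this author's assumptions rather than the page's: the common algorithm is chosen by walking the server's *_TYPES list in order, a side with no *_TYPES list accepts whatever the other side lists (Oracle documents an absent list as "all installed algorithms"), and the set of algorithms flagged as weak. The sqlnet.ora fragments are constructed for the example.

```python
"""Model of Oracle Net encryption / data-integrity negotiation (added example)."""

LEVELS = ("ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED")

# Outcome matrix from the slide, indexed [server level][client level].
# "ORA-12660" = parameters incompatible; the connection is aborted.
MATRIX = {
    "ACCEPTED":  {"ACCEPTED": "OFF", "REJECTED": "OFF",       "REQUESTED": "ON",  "REQUIRED": "ON"},
    "REJECTED":  {"ACCEPTED": "OFF", "REJECTED": "OFF",       "REQUESTED": "OFF", "REQUIRED": "ORA-12660"},
    "REQUESTED": {"ACCEPTED": "ON",  "REJECTED": "OFF",       "REQUESTED": "ON",  "REQUIRED": "ON"},
    "REQUIRED":  {"ACCEPTED": "ON",  "REJECTED": "ORA-12660", "REQUESTED": "ON",  "REQUIRED": "ON"},
}

# Algorithms this author would not accept in a new deployment (assumption, not from the page).
WEAK = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}

# Constructed server-side sqlnet.ora using the slide's example lists, encryption forced on.
SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES192, DES, RC4_256)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1, MD5)
"""

# Constructed client with no ASO parameters at all (e.g. a Java stack that cannot be
# configured client-side): every level falls back to the documented ACCEPTED default.
UNCONFIGURED_CLIENT = "# no SQLNET.* encryption parameters\n"


def parse_sqlnet(text):
    """Parse NAME = VALUE / NAME = (A, B) lines into {NAME: [VALUES]}; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name.upper()] = [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]
    return params


def negotiate(server, client, feature="ENCRYPTION"):
    """Return (state, algorithm) for feature 'ENCRYPTION' or 'CRYPTO_CHECKSUM'.

    state is 'ON', 'OFF', 'ORA-12660', or 'NO-COMMON-ALGORITHM' (both sides want the
    service but list no shared algorithm).  algorithm is the negotiated one, or None
    (also when neither side lists any and an installed one would be used).
    """
    s_level = server.get(f"SQLNET.{feature}_SERVER", ["ACCEPTED"])[0]
    c_level = client.get(f"SQLNET.{feature}_CLIENT", ["ACCEPTED"])[0]
    if s_level not in LEVELS or c_level not in LEVELS:
        raise ValueError(f"bad level: server={s_level!r} client={c_level!r}")
    state = MATRIX[s_level][c_level]
    if state != "ON":
        return state, None
    s_algs = server.get(f"SQLNET.{feature}_TYPES_SERVER", [])
    c_algs = client.get(f"SQLNET.{feature}_TYPES_CLIENT", [])
    if not s_algs and not c_algs:
        return "ON", None                    # any installed algorithm (unknown here)
    candidates = s_algs or c_algs           # server list order decides (assumption)
    others = c_algs or s_algs               # an empty side accepts anything
    common = [a for a in candidates if a in others]
    return ("ON", common[0]) if common else ("NO-COMMON-ALGORITHM", None)


def weak_algorithms(params):
    """Weak entries in every *_TYPES_* list of a parsed fragment, sorted."""
    return sorted({a for k, v in params.items() if "_TYPES_" in k for a in v if a in WEAK})


def demo():
    server = parse_sqlnet(SERVER_SQLNET)
    client = parse_sqlnet(UNCONFIGURED_CLIENT)
    return {
        "encryption": negotiate(server, client),                           # ('ON', 'AES192')
        "integrity": negotiate(server, client, "CRYPTO_CHECKSUM"),         # ('ON', 'SHA1')
        "rejecting_client": negotiate(server, parse_sqlnet("SQLNET.ENCRYPTION_CLIENT=rejected")),
        "weak_on_server": weak_algorithms(server),                         # ['DES', 'MD5', 'RC4_256']
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unconfigured client case is the one that matters for the Java stack: with the server at REQUIRED the session is encrypted with AES192 only because AES192 happens to be first in the server list; the same configuration would still negotiate DES against a client whose list puts DES first, which is why weak_algorithms() is worth running over every sqlnet.ora in the landscape.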

Page 9: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Data Integrity

The data integrity feature protects the data against modification and replay attacks.

Enabling data integrity again involves parameters in sqlnet.ora:

  SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted|rejected|requested|required]
  SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1,MD5)
  SQLNET.CRYPTO_CHECKSUM_CLIENT = [accepted|rejected|requested|required]
  SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1,MD5)

ASO supports the MD5 and SHA-1 algorithms for the implementation of data integrity. MD5 is broken for this purpose; list SHA1 only.

Data integrity is independent of in-transit data encryption: as the trace below shows, a session can be encrypted while crypto-checksumming is not active, so both have to be configured and both have to be verified.

Network trace:

  [18-AUG-2006 10:23:29:237] na_tns: Secure Network Services is available.

  [18-AUG-2006 10:23:29:237] nau_adi: entry

  [18-AUG-2006 10:23:29:237] nau_adi: exit

  [18-AUG-2006 10:23:29:237] na_tns: authentication is not active

  [18-AUG-2006 10:23:29:237] na_tns: encryption is active, using RC4_40

  [18-AUG-2006 10:23:29:237] na_tns: crypto-checksumming is not active

  [18-AUG-2006 10:23:29:237] na_tns: exit
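Oracle Net client tracing (TRACE_LEVEL_CLIENT in sqlnet.ora) writes the na_tns lines above, and they are the only reliable way to see what a session actually negotiated, as opposed to what sqlnet.ora asks for. The following added example (not Oracle or SAP code) parses those lines and reports what a practitioner would act on. The first trace is the one from the page; the second, a hardened session, is constructed for the example, and the set of algorithms treated as weak is this author's assumption.

```python
"""Check a negotiated Oracle Net session from its na_tns trace lines (added example)."""
import re

# Algorithms treated as weak (author's assumption, not from the page).
WEAK = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}

# Trace as shown on the page: encryption on with RC4_40, no checksumming.
TRACE_FROM_PAGE = """\
[18-AUG-2006 10:23:29:237] na_tns: Secure Network Services is available.
[18-AUG-2006 10:23:29:237] nau_adi: entry
[18-AUG-2006 10:23:29:237] nau_adi: exit
[18-AUG-2006 10:23:29:237] na_tns: authentication is not active
[18-AUG-2006 10:23:29:237] na_tns: encryption is active, using RC4_40
[18-AUG-2006 10:23:29:237] na_tns: crypto-checksumming is not active
[18-AUG-2006 10:23:29:237] na_tns: exit
"""

# Constructed trace of a hardened session (not from the page).
TRACE_HARDENED = """\
[01-JAN-2007 09:00:00:000] na_tns: Secure Network Services is available.
[01-JAN-2007 09:00:00:000] na_tns: authentication is not active
[01-JAN-2007 09:00:00:000] na_tns: encryption is active, using AES256
[01-JAN-2007 09:00:00:000] na_tns: crypto-checksumming is active, using SHA1
[01-JAN-2007 09:00:00:000] na_tns: exit
"""

# "<service> is active, using <alg>" or "<service> is not active"
LINE = re.compile(
    r"na_tns: (authentication|encryption|crypto-checksumming) is (not )?active(?:, using (\S+))?"
)


def parse_na_tns(trace):
    """Map each service to None (not active) or its algorithm ('' if the line names none)."""
    status = {"available": "Secure Network Services is available" in trace}
    for match in LINE.finditer(trace):
        service, inactive, algorithm = match.groups()
        status[service] = None if inactive else (algorithm or "")
    return status


def findings(status, require_checksum=True):
    """Problems a practitioner should act on; an empty list means the session is acceptable."""
    out = []
    if not status.get("available"):
        out.append("ASO not available on this client: nothing can be negotiated")
    encryption = status.get("encryption")
    if encryption is None:
        out.append("encryption is NOT active")
    elif encryption in WEAK:
        out.append(f"encryption uses weak algorithm {encryption}")
    checksum = status.get("crypto-checksumming")
    if checksum is None and require_checksum:
        out.append("crypto-checksumming is NOT active: no protection against modification/replay")
    elif checksum in WEAK:
        out.append(f"crypto-checksumming uses weak algorithm {checksum}")
    return out


if __name__ == "__main__":
    for label, trace in (("page", TRACE_FROM_PAGE), ("hardened", TRACE_HARDENED)):
        print(label, findings(parse_na_tns(trace)) or "OK")
```

Authentication being "not active" is deliberately not flagged: the page states that the ASO authentication feature is not yet certified for SAP, so its absence is expected. Everything else in the page's own trace is flagged, which is the point of running this after changing sqlnet.ora rather than trusting the parameters.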

Page 10: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Transparent Data Encryption

Encryption of the data written to the database can be achieved in three ways:

DBMS_CRYPTO (no plans for SAP support)

DBMS_OBFUSCATION_TOOLKIT (no plans for SAP support)

TDE (new feature with Oracle 10.2)

TDE is a key-based access control system in which the data stored in table columns is encrypted. The keys for all tables containing encrypted columns are themselves encrypted using a database master key and stored in a dictionary table.

The master key itself is stored outside the database in a wallet at the configured wallet location. The wallet can also be used to generate encryption keys.

There are two parts to enabling TDE:

Generating the database master key and putting it into the wallet (the encryption algorithm used is AES or 3DES).

Encrypting data within columns.

It is recommended to use a separate wallet for TDE (located under ENCRYPTION_WALLET_LOCATION).

Page 11: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Transparent Data Encryption

The following data types are supported with TDE:

CHAR
DATE
NUMBER
NCHAR
VARCHAR2
NVARCHAR2

The encryption algorithms supported are AES and 3DES.

To create an index on an encrypted column, the column must be encrypted with the NO SALT option. SALT is used to strengthen encryption: with SALT, equal plaintexts produce different ciphertexts, which is exactly what makes an index on the ciphertext unusable; NO SALT makes the encryption deterministic, so an index can be built, but anyone who can read the ciphertext can also see which rows hold the same value.

Wallet management can be handled via Oracle Wallet Manager, including integration with an existing PKI.

Export / Import Considerations

Useful views for TDE:

ALL_ENCRYPTED_COLUMNS (encrypted columns in the tables accessible to the current user)

DBA_ENCRYPTED_COLUMNS (all encrypted columns in the database)

USER_ENCRYPTED_COLUMNS (encrypted columns in the current user's schema)
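The key hierarchy from the previous page (master key in a wallet outside the database, per-table keys wrapped under it and stored in the dictionary) and the SALT / NO SALT trade-off above, as one runnable model. This is an added example, not Oracle or SAP code: Oracle encrypts with AES or 3DES inside the database engine, and to stay standard-library only a SHA-256 counter-mode keystream stands in for the block cipher here. The class and function names and the sample rows are this author's constructions.

```python
"""Toy model of the TDE key hierarchy and of SALT vs NO SALT column encryption (added example)."""
import hashlib
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA256(key || nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Wallet:
    """Holds the master key outside the database.  Column keys can only be
    unwrapped while the wallet is open; a closed wallet makes every encrypted
    column unreadable, which is the whole access-control effect of TDE."""

    def __init__(self):
        self.master_key = os.urandom(32)
        self.is_open = True

    def close(self):
        self.is_open = False

    def open(self):
        self.is_open = True

    def wrap(self, column_key: bytes) -> bytes:
        """Encrypt a column key under the master key: this is what the dictionary table stores."""
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self.master_key, nonce, column_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if not self.is_open:
            raise PermissionError("wallet is closed: encrypted columns are not accessible")
        return _keystream_xor(self.master_key, wrapped[:16], wrapped[16:])


class EncryptedColumn:
    """One encrypted column with its own (wrapped) key.
    SALT: a fresh random nonce per value.  NO SALT: a fixed nonce, so equal
    plaintexts give equal ciphertexts and an equality index becomes possible."""

    def __init__(self, wallet: Wallet, salt: bool = True):
        self.wallet = wallet
        self.salt = salt
        self.wrapped_key = wallet.wrap(os.urandom(32))

    def encrypt(self, value: str) -> bytes:
        key = self.wallet.unwrap(self.wrapped_key)
        nonce = os.urandom(16) if self.salt else bytes(16)
        return nonce + _keystream_xor(key, nonce, value.encode())

    def decrypt(self, ciphertext: bytes) -> str:
        key = self.wallet.unwrap(self.wrapped_key)
        return _keystream_xor(key, ciphertext[:16], ciphertext[16:]).decode()


def build_index(column: EncryptedColumn, rows):
    """Equality index keyed on ciphertext, as a B-tree on an encrypted column is."""
    index = {}
    for rowid, value in rows:
        index.setdefault(column.encrypt(value), []).append(rowid)
    return index


def index_lookup(column: EncryptedColumn, index, value: str):
    """Encrypt the search value and probe the index, as an indexed equality predicate does."""
    return index.get(column.encrypt(value), [])


# Constructed sample rows (rowid, value); rows 1 and 3 hold the same value.
ROWS = [(1, "123-45-6789"), (2, "987-65-4321"), (3, "123-45-6789")]


def demo():
    wallet = Wallet()
    no_salt = EncryptedColumn(wallet, salt=False)
    salted = EncryptedColumn(wallet, salt=True)
    ns_index = build_index(no_salt, ROWS)
    s_index = build_index(salted, ROWS)
    result = {
        # NO SALT: deterministic, so the probe finds both rows ...
        "no_salt_hits": index_lookup(no_salt, ns_index, "123-45-6789"),
        # ... and the index alone reveals that only two distinct values exist.
        "no_salt_distinct": len(ns_index),
        # SALT: every encryption differs, the probe finds nothing, nothing leaks.
        "salt_hits": index_lookup(salted, s_index, "123-45-6789"),
        "salt_distinct": len(s_index),
        "roundtrip": no_salt.decrypt(no_salt.encrypt("123-45-6789")),
    }
    wallet.close()
    try:
        no_salt.decrypt(no_salt.encrypt("x"))
        result["closed_wallet_blocks"] = False
    except PermissionError:
        result["closed_wallet_blocks"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two index results are the page's "NO SALT for indexes" rule made concrete: the index on the NO SALT column answers the equality lookup, and it equally answers "which rows share a value" to anyone who can read the index blocks or a datafile. Range scans stay impossible in both modes because ciphertext order is unrelated to plaintext order, which is the limitation listed on the next page.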


Page 12: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – TDE Limitations

Some technical limitations:

Native imp / exp not supported; only Data Pump.

Transportable tablespaces not supported.

Partitioning cannot be done using encrypted columns.

No LOB support.

Only B-tree index types are supported, and index range scans are not possible on encrypted columns.

TDE does not replace the need for an appropriate authorization / access control mechanism: it protects the data at rest (datafiles, backups), not against a user who is allowed to select from the table.

Since enabling encryption changes the table characteristics, a full table update is performed, which may cause performance overhead.

Currently the SAP DDIC and tools such as R3load are not aware of the encryption attribute.

A general recommendation is to minimize the number of encrypted columns (only columns containing PII).


Page 13: Oracle Advanced Security Option With SAP


Oracle ASO with SAP – Documentation

Useful SAP Notes (either released or planned):

SAP Note 926023: Oracle Database Security

SAP Note 105047: Support for Oracle Functions in an SAP Environment

SAP Note 973450: Oracle ASO: Network Encryption / Data Integrity

SAP Note 828268: Oracle Database 10g: New Functions

SAP Note 974876: Oracle ASO: Transparent Data Encryption

SAP Note 834917: New Database Role SAPCONN

Useful Metalink Notes:

207959.1: All About Oracle Security

165465.1: FAQ about Oracle ASO

317311.1: 10g R2 New Feature TDE

76637.1: Crypto Checksumming Configuration

76629.1: Configuration of ASO Encryption

132852.1: Enabling SSL Authentication


Page 14: Oracle Advanced Security Option With SAP


Oracle ASO with SAP: Future Direction

 Authentication

Tablespace Encryption

