8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | 23ai | Misc | PL/SQL | SQL | RAC | WebLogic | Linux
Encrypt Sensitive Credential Data in the Data Dictionary in Oracle Database 18c
The data dictionary contains credentials for database links (SYS.LINK$
) and the scheduler (SYS.SCHEDULER$_CREDENTIAL
). These credentials are obfuscated, not encrypted. This article gives an overview of encrypting sensitive credential data in the data dictionary. This feature was introduced in Oracle database 18c.
- Create a Key Management User
- Wallet Setup
- Encrypt Credentials
- Rekey Credentials
- Views
- Application Containers
Create a Key Management User
Login as a privileged user and create a new key management user, granting it the SYSKM
administrative privilege.
conn sys/SysPassword1@//localhost:1521/cdb1 as sysdba create user c##km_user identified by MyPassword1; grant syskm to c##km_user container=all;
Wallet Setup
We create a location to hold our wallet.
mkdir -p /u01/wallets/cdb1
Edit the "sqlnet.ora" file, setting the correct location for the wallet.
ENCRYPTION_WALLET_LOCATION = (SOURCE =(METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/wallets/cdb1/)))
If you are using a read-only Oracle home, the "sqlnet.ora" file is stored outside the main Oracle home.
-- Normal Oracle home. $ORACLE_HOME/network/admin/sqlnet.ora -- Read-only Oracle home. $(orabasehome)/network/admin/sqlnet.ora
We connect to the root container using the key management user and create a new wallet.
conn c##km_user/MyPassword1@//localhost:1521/cdb1 as syskm administer key management create keystore '/u01/wallets/cdb1' identified by "WalletPassword1"; administer key management set keystore open identified by "WalletPassword1"; administer key management set encryption key identified by "WalletPassword1" with backup;
We can see the wallet listed in the V$ENCRYPTION_WALLET
view.
column wrl_parameter format a20 select wallet_type, wrl_parameter, status from v$encryption_wallet; WALLET_TYPE WRL_PARAMETER STATUS -------------------- -------------------- ------------------------------ PASSWORD /u01/wallets/cdb1/ OPEN SQL>
Encrypt Credentials
We encrypt the credentials in the data dictionary and check the DICTIONARY_CREDENTIALS_ENCRYPT
view.
alter database dictionary encrypt credentials; select enforcement from dictionary_credentials_encrypt; ENFORCEM -------- ENABLED SQL>
Rekey Credentials
We rekey the credentials in the data dictionary using the following command.
alter database dictionary rekey credentials;
Delete Credentials
We delete the encrypted credentials from the data dictionary using the following command. Any future credentials will be obfuscated, not encrypted.
alter database dictionary delete credentials key; select enforcement from dictionary_credentials_encrypt; ENFORCEM -------- DISABLED SQL>
We need to set the correct credentials for each database link using the following command.
alter database link {database_link_name} connect to {schema_name} identified by {password};
Views
The {CDB|DBA|ALL|USER}_DB_LINKS
views list the database links. The VALID
column indicates is the database link is valid.
The DICTIONARY_CREDENTIALS_ENCRYPT
view indicates if dictionary credentials have been encrypted, as show above.
Application Containers
The examples above have all been performed in the root container. Similar actions are possible from an application root. In the case of the key management commands, they should be appended with the CONTAINER=ALL
clause.
All PDBs below the application root container have to be synchronised using the following command after each key operation.
ALTER PLUGGABLE DATABASE APPLICATION APP$CDB$SYSTEM SYNC;
For more information see:
Hope this helps. Regards Tim...