
Database Vault/Enabling Advanced Database Options:

1) To check whether the Database Vault/Advanced Security options are enabled or disabled (the default is disabled):

If the advanced options are enabled, the following result is shown on login:

Enabling Database Vault using the "chopt" utility (available from 11gR2).


Check the location of chopt:

Installing the Vault: run these two commands one after the other:

Start the Database Creation Utility (DBCA) from the command prompt to configure the Advanced Security options:

Follow the screens, selecting options as required:


Click Next and continue.
Select the second option, Configure Database Options, then click Next and continue.
Select the database for which the Vault needs to be configured.

The option for Oracle Label Security is now selectable (no longer greyed out).


If the option is still greyed out, rerun the chopt command.
Select the Oracle Label Security option; this also makes the Oracle Database Vault option selectable. Select it and click Next.

Select the Dedicated Server Mode option and click Finish to complete the configuration.

At this stage the Vault installation is complete. A Vault schema named "DBVOWNER" has been created in the database; it is used for Vault configuration and other administrative tasks.
Note: grant SELECT_CATALOG_ROLE and the SELECT ANY DICTIONARY privilege to DBVOWNER.

Log in to the Vault Console from OEM

Vault administration is done easily from OEM/Database Console. Open the URL below to log in to the Vault console:
https://hostname:1158/dva/
Vault Administration Page:

1) Creating a realm (rule) that prevents SYS or any superuser from accessing sensitive data in the database schemas:
SYS or any superuser has full access to schema objects; by creating a realm in Database Vault we can block this unauthorized access.
Rule created to protect access to the test50 schema:

After this rule is created, the SYS user or any user with admin privileges no longer has access to the objects of the test50 schema. This keeps application data out of reach of the administrators.
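The same realm built with the DBMS_MACADM API instead of the console, as an added example that is not the document's own script. It runs as the Vault owner DBVOWNER; the realm name and the table name in the check are assumed.

```sql
-- Added example: protect the TEST50 schema with a Database Vault realm.
-- Run as DBVOWNER. Realm name and the table used in the check are assumed.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'TEST50 Application Realm',
    description   => 'Keeps TEST50 application data out of reach of SYS and DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record every blocked access

  -- Secure every object of every type owned by TEST50
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'TEST50 Application Realm',
    object_owner => 'TEST50',
    object_name  => '%',
    object_type  => '%');

  -- Only the schema owner is authorised. SYS and users holding DBA or
  -- SELECT ANY TABLE are not listed, so their system privileges no longer
  -- reach these objects. Explicit object grants made by TEST50 still work:
  -- a realm controls system-privilege access, not direct grants.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'TEST50 Application Realm',
    grantee       => 'TEST50',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check as SYS: a query that worked before now fails with
-- ORA-01031: insufficient privileges, which is how a realm violation surfaces.
SELECT COUNT(*) FROM test50.customer_info;   -- table name assumed

-- Realm definition and the objects it protects, viewed as DBVOWNER
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'TEST50 Application Realm';
```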

2) Segregation of the operations performed on the database among multiple machines (for example, a user gets only the SELECT privilege when the connection comes from a particular IP address). This is useful in distributed environments.
Connections were set up between the local machine (10.194.180.44) and the remote machine (10.194.170.72).
Connecting from the local machine:
Connecting from the remote machine:

Similar privileges can be granted for INSERT, UPDATE and DELETE from the local or the remote machine.

3) Not allowing users to connect from SQL*Plus or any other tool, except superadmins connecting from the server, even if they hold the privileges. This prevents unnecessary direct access to the database.

Note: this may disable login from SQL*Plus.


4) Using a role in the Vault:
Create a role that has the privilege to access tables in the test50 schema. When this role is assigned to another user, he gets access to the test50 schema under the conditions defined for the role.
E.g. role "SECUREROLE" is created with the privilege to access the test table data for user Priv52, who can access the tables only when connected locally.

If the same user tries to access the data remotely or from any other machine, he gets the error below:
5) Allowing connections to the database only from authenticated hosts:
This rule disallows any connection to the database other than from the hosts we specify, so only authorized hosts can establish a connection.
Create a rule set, then create a command rule.
Rule set condition:
If using IP: SYS_CONTEXT('USERENV','HOST') = 'standby.dba.com'

If using service name: SYS_CONTEXT('USERENV','SERVICE_NAME') = 'ORADB'


Command rule: create a command rule, selecting "connect" from the list together with the rule set we created.

Now try to connect from the remote machine:

This action is audited and can be seen in the reports below:
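The rule set and CONNECT command rule from this step, written against the DBMS_MACADM API as an added example (not the document's own script). It runs as DBVOWNER; the rule and rule-set names are assumed, as is 10.194.180.44 being the address of standby.dba.com.

```sql
-- Added example: host-restricted CONNECT command rule. Run as DBVOWNER.
-- Names are assumed; the IP is assumed to belong to standby.dba.com.
BEGIN
  -- HOST is the name the client reports about itself, so it is paired with
  -- the IP_ADDRESS the listener observed for the session.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connection From Authorised Host',
    rule_expr => q'[SYS_CONTEXT('USERENV','HOST') = 'standby.dba.com'
                    AND SYS_CONTEXT('USERENV','IP_ADDRESS') = '10.194.180.44']');

  -- The service-name variant shown in the text
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connection Via ORADB Service',
    rule_expr => q'[SYS_CONTEXT('USERENV','SERVICE_NAME') = 'ORADB']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Authorised Connections',
    description     => 'Allow CONNECT only from approved host or service',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,    -- either rule admits a session
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- record every rejected login
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections are permitted only from authorised hosts',
    fail_code       => 20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Authorised Connections', 'Connection From Authorised Host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Authorised Connections', 'Connection Via ORADB Service');

  -- '%' for owner and object applies the rule to every login of every user,
  -- the Vault administrators included: test it from an authorised host first
  -- and keep that session open until the rule is confirmed to behave.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Authorised Connections',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Rejected logins from the remote machine land in the Vault audit trail,
-- which feeds the Database Vault Reports described further down.
SELECT username, userhost, rule_set_name, returncode, timestamp
  FROM dvsys.audit_trail$
 WHERE rule_set_name = 'Authorised Connections'
 ORDER BY timestamp DESC;
```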


Reports:
The Vault provides a reporting option for each violation of the rules. These reports, along with general database security reports, are available on the Database Vault page:

All Vault violations are available under the Database Vault Reports tab:

General database reports relating to database security are available under General Security Reports.
e.g. report for users with the DBA role:
Data Masking
Data Masking is an option of Advanced Security that is enabled automatically once the Advanced Security option is enabled. Oracle provided dbms_crypto in earlier versions, but from 11g it is advised to use the Data Masking pack.
Data in important columns is masked in order to keep sensitive data out of reach of some of the people working with the data.
Data masking is also important when someone offshore needs to work with live data in which the sensitive values have to be masked.
1) Masking important data from the PRIV1 schema table named INFO_ACCESS, which contains credit card numbers and passwords, and providing this data as a copy sent to an offshore/remote location.

Data masking is done by specifying definitions as seen below. The masked columns are Name, Card_Number and Password.

The message "Script Not Generated" appears because the data is cloned directly on the remote host and masked on the local host.
Once the definition is created with the appropriate format options, the data can be transferred to the remote location with the standard Oracle tools.

This data is dumped into another database named "testdb" with the column values masked.
Other sensitive columns can be masked in the same way.
Note: columns that reference a primary key (foreign keys) are masked automatically even though we do not define a definition for them.

2) Masking data on the local machine, including a foreign key:

The table Product in the Mask schema has a foreign key on the Supplier table. The columns Supplier_id, Supplier_name and Email_id are masked. Supplier_Id is the primary key referenced by the Product table.

Supplier Table:
SUPPLIER_ID SUPPLIER_NAME CONTACT_NAME EMAIL_ID
----------- ------------- ------------ -------------------
        121 athens        greece       athen.gre@gmail.com
        254 london        England      eng.gre@gmail.com
        845 oracle        corp         ora.corp@gmail.com


Creating definitions for the table as below:

As seen above, the foreign key is added to the configuration automatically. The Format option can be used to specify the type of data to be generated.

This configuration can be changed at any time.


Running the configuration to mask the values:
Once the definition is created with a format specified, we have to generate the script and then schedule the job.
Click the Generate Script option first; this generates the script.

Once the script is generated, select the Schedule Job option.

Scheduling the job can be done immediately, which masks the values at once, or for any later time.
The same generated script can be reused to schedule further jobs after new data has been added.
Provide the host credentials and submit the job.

The status of the job can be seen with the View Details option. The data is masked once every execution status shows "succeeded".

Verifying the data:
Masked values from the Supplier table:

Supplier_ID, Supplier_Name and EMAIL_ID with masked values:

Masked values from the Products table, with the foreign key on Supplier_ID:
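Queries a DBA would run after the job reports "succeeded", to confirm the masking kept referential integrity, as an added example that is not part of the document. They assume the MASK schema with SUPPLIER and PRODUCT as described, and that a copy of SUPPLIER named SUPPLIER_BEFORE was taken before the job for comparison.

```sql
-- Added example: post-masking checks for the MASK schema.
-- SUPPLIER_BEFORE is an assumed pre-masking copy of SUPPLIER.

-- 1) Row counts must match: masking replaces values, it never drops rows
SELECT (SELECT COUNT(*) FROM mask.supplier)        AS masked_rows,
       (SELECT COUNT(*) FROM mask.supplier_before) AS original_rows
  FROM dual;

-- 2) No original supplier_id or e-mail address survived unchanged
SELECT COUNT(*) AS leaked_values
  FROM mask.supplier s
 WHERE s.supplier_id IN (SELECT supplier_id FROM mask.supplier_before)
    OR s.email_id    IN (SELECT email_id    FROM mask.supplier_before);

-- 3) The foreign key was masked consistently: no PRODUCT row is orphaned
SELECT COUNT(*) AS orphaned_products
  FROM mask.product p
  LEFT JOIN mask.supplier s ON s.supplier_id = p.supplier_id
 WHERE s.supplier_id IS NULL;

-- 4) The referential constraint itself is still enabled and validated
SELECT constraint_name, status, validated
  FROM dba_constraints
 WHERE owner = 'MASK' AND table_name = 'PRODUCT' AND constraint_type = 'R';
```

All three count queries should return 0 for the second and third checks and equal values for the first; any other result means the job has to be investigated before the copy leaves the site.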


3) Masking sensitive values, e.g. credit card numbers, PINs, etc.:
The table Bank_Ac contains customer data along with credit card numbers and PIN values. This sensitive data will be masked using the functions Oracle provides:
SQL> select CREDIT_NO,PIN from BANK_AC; (Before Masking)

CREDIT_NO PIN
---------------- ----------
459865212547893 4587
458963154785249 6584
456398754312598 8954
458596357845215 4575
453545781524569 2547

SQL> select FIRST_NAME,LAST_NAME from BANK_AC;

FIRST_NAME LAST_NAME
---------- ----------
wayne rooney
google chrome
firefox mozilla
microsoft azure
cloud sales
The columns CREDIT_NO, PIN and the name columns will be masked as below:

Creating a definition for the table Bank_Acc with these columns:

The format used to mask the credit card numbers can be seen by clicking the Format option of the Credit_No column.

To create a new format, click the Import Format option, from where the default formats can be added or new ones created.

Similar formats can be defined for the remaining columns. Run this rule using the same method as described above.

Verifying the data: masked values of the BANK_AC table:

The columns First_Name, Last_Name, Credit_No and PIN are masked, as seen above.

Transparent Data Encryption


Data residing on hard drives/storage can easily be read out of the datafiles with OS utilities, which makes it important to encrypt the data, especially when the storage is in an offshore data center.
Column encryption, available since 10g, has been enhanced: alongside column encryption, transparent encryption using advanced algorithms is now provided to encrypt the whole database.
Follow these steps to encrypt:
1) Create the Oracle wallet and specify the wallet location in the sqlnet.ora file.
The wallet can be created with the orapki utility or manually.
orapki: orapki wallet create -wallet /u03/wallet -auto_login -pwd "password1"
Manually: create the directory under /u03 and run this command as SYS:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "SENA120";

While creating the tablespace, specify the encryption algorithm. The most commonly used is 'AES256'.

The status can be checked from the dba_tablespaces view.

With this encryption the data cannot be read by any OS tool.
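The remaining steps carried through for the BANK_AC table from the Data Masking section, as an added example rather than the document's own commands. The datafile path, the tablespace name and PRIV1 as the owning schema are assumed; the wallet password is the one shown above.

```sql
-- Added example: encrypted tablespace for BANK_AC plus the checks that confirm it.
-- Path, tablespace name and schema PRIV1 are assumed.

-- sqlnet.ora entry that tells the instance where the orapki wallet lives:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u03/wallet)))

-- 1) The wallet must be OPEN before encrypted tablespaces can be created or read.
--    With -auto_login it opens at startup; otherwise open it after each restart.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "SENA120";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2) Tablespace whose datafile blocks are written as AES256 ciphertext
CREATE TABLESPACE secure_ts
  DATAFILE '/u03/oradata/ORADB/secure_ts01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3) Status from dba_tablespaces, as the text says, plus the algorithm in use
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  JOIN v$tablespace v ON v.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = v.ts#
 WHERE t.tablespace_name = 'SECURE_TS';

-- 4) Move the table holding card numbers and PINs into the encrypted tablespace.
--    MOVE leaves the table's indexes unusable, so list and rebuild them. Freed
--    blocks in the old tablespace still hold cleartext until they are overwritten.
ALTER TABLE priv1.bank_ac MOVE TABLESPACE secure_ts;
SELECT index_name FROM dba_indexes
 WHERE owner = 'PRIV1' AND table_name = 'BANK_AC' AND status = 'UNUSABLE';

-- 5) Any other PRIV1 tables still stored in clear on disk
SELECT s.segment_name, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner = 'PRIV1' AND s.segment_type = 'TABLE' AND t.encrypted = 'NO';
```

Running an OS string search over secure_ts01.dbf afterwards should no longer turn up any of the card numbers listed earlier in this document.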
