Oracle Database 11g - Online Public Access Catalog

260 CHAPTER 5 ■ DATABASE SECURITY

This is so because so many people have access to all these layers. With HSM, the keys are not stored in an operating system but at the physical device.

You can configure HSMs such as Ingrian to be tamper-resistant. Ingrian is certified to FIPS 140-2 Level 3, the widely accepted standard of government-specified best practices for network security. Private keys are generated and stored in encrypted form within the HSM. Keys stored in the HSM are protected from physical attacks and cannot be compromised even by stealing the Ingrian appliance. Attempts made to tamper with or probe the card will result in the immediate destruction of all private key data, making it virtually impossible for either external or internal hackers to access this vital information.[1]

The HSM product will be configured by the security administrator. Once the HSM product is configured successfully, you can proceed to modify your sqlnet.ora file and change the METHOD value. Earlier in the chapter, you learned how to create a wallet and the method of the wallet in the operating system designated as a file. When you set up an HSM product, you must assign the METHOD option the value of HSM, as shown here:

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=HSM)
    (METHOD_DATA=
      (DIRECTORY=/apps/oracle/admin/DBATOOLS/wallet)))

The DIRECTORY value in this example is not required by the HSM but may be by other Oracle products such as RMAN. The DIRECTORY option is also mandatory when migrating from a software-based wallet. The DIRECTORY path is used to locate the old wallet file.

Your vendor will provide the appropriate PKCS#11 (an API defining a generic interface to cryptographic tokens) library file. TDE integration with HSM must utilize this library file provided by the vendor to interface with the HSM. You will need to copy the library file to a location in your operating system accessible to the database server.
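The following script is an added example, not code from the book or from Oracle. It parses the parenthesised NAME=(KEY=VALUE)(KEY=(...)) syntax that sqlnet.ora uses and checks the ENCRYPTION_WALLET_LOCATION parameter against the two rules just stated: METHOD must be HSM for an HSM-backed wallet (METHOD=FILE means the master key still sits in a software wallet on the operating system), and DIRECTORY must be present when migrating from a software wallet. The sample sqlnet.ora fragments are constructed; only the DIRECTORY path comes from the book's example, and the function and class names are the author's own choices.

```python
# Added example: parse ENCRYPTION_WALLET_LOCATION from sqlnet.ora and report
# whether the TDE master key is HSM-backed. Not from the book or from Oracle.

SPECIAL = "()="


def tokenize(text):
    """Split sqlnet.ora text into '(', ')', '=' and bare-word tokens.
    Whitespace is ignored; '#' starts a comment that runs to end of line."""
    tokens = []
    for line in text.splitlines():
        buf = ""
        for ch in line.split("#", 1)[0]:
            if ch in SPECIAL or ch.isspace():
                if buf:
                    tokens.append(buf)
                    buf = ""
                if ch in SPECIAL:
                    tokens.append(ch)
            else:
                buf += ch
        if buf:
            tokens.append(buf)
    return tokens


class Parser:
    """Recursive-descent parser for the parenthesised parameter syntax."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self, offset=0):
        i = self.pos + offset
        return self.toks[i] if i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r} at token {self.pos}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_file(self):
        """Top level: a sequence of NAME=value entries; keys are upper-cased."""
        result = {}
        while self.peek() is not None:
            key, val = self.parse_entry()
            result[key] = val
        return result

    def parse_entry(self):
        key = self.take().upper()
        self.take("=")
        return key, self.parse_value()

    def parse_value(self):
        # A value is a bare word, or one or more parenthesised items: either
        # KEY=value entries (merged into a dict, last duplicate wins) or bare
        # words such as (NTS), which are collected into a list.
        if self.peek() != "(":
            return self.take()
        group, items = {}, []
        while self.peek() == "(":
            self.take("(")
            if self.peek(1) == "=":
                key, val = self.parse_entry()
                group[key] = val
            else:
                items.append(self.take())
            self.take(")")
        return group if group else items


def check_wallet_location(sqlnet_text, migrating_from_software_wallet=False):
    """Return (method, findings) for the ENCRYPTION_WALLET_LOCATION parameter."""
    params = Parser(tokenize(sqlnet_text)).parse_file()
    loc = params.get("ENCRYPTION_WALLET_LOCATION")
    if not isinstance(loc, dict) or not isinstance(loc.get("SOURCE"), dict):
        return None, ["ENCRYPTION_WALLET_LOCATION missing or malformed"]
    source = loc["SOURCE"]
    method = source.get("METHOD")
    method_data = source.get("METHOD_DATA")
    directory = method_data.get("DIRECTORY") if isinstance(method_data, dict) else None
    findings = []
    if method is None:
        findings.append("no METHOD given under SOURCE")
    elif method.upper() == "FILE":
        findings.append("METHOD=FILE: master key lives in a software wallet on the OS filesystem")
    elif method.upper() != "HSM":
        findings.append(f"unrecognised METHOD {method!r}")
    elif migrating_from_software_wallet and not directory:
        findings.append("METHOD=HSM without DIRECTORY: migration needs the old wallet's path")
    return method, findings


# Constructed sample fragments (not from a real system); the DIRECTORY path
# is the one used in the book's example.
SQLNET_HSM = """
# constructed sample sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES=(NTS)
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=HSM)
    (METHOD_DATA=(DIRECTORY=/apps/oracle/admin/DBATOOLS/wallet)))
"""
SQLNET_FILE = "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/tmp/wallet)))"
SQLNET_HSM_NO_DIR = "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))"

if __name__ == "__main__":
    for name, text in [("hsm", SQLNET_HSM), ("file", SQLNET_FILE), ("hsm-no-dir", SQLNET_HSM_NO_DIR)]:
        print(name, check_wallet_location(text, migrating_from_software_wallet=True))
```

Run it against a copy of the real sqlnet.ora taken from the database server to confirm the wallet method before generating the HSM master key; a METHOD=FILE finding after an intended migration means the key is still software-resident, and a missing DIRECTORY with the migrate flag set means the MIGRATE USING step has no old wallet to read.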
A new database user is also required for the database to communicate with the HSM. Once done, you will have to generate the master encryption key for the HSM and open the new wallet with the designated user ID and password using the following syntax:

alter system set encryption key identified by user_Id:password;

You can optionally use the MIGRATE USING wallet password clause if you are migrating from an existing software-based wallet. The MIGRATE clause will decrypt the existing column encryption keys and then encrypt them with the newly created, HSM-based master encryption key.

There will be additional setup requirements provided by the HSM vendor to integrate Oracle TDE with HSM. Once the HSM and TDE integration is complete, HSM can be used just like any other software wallet.

Oracle Advanced Security Features

In addition to the security features available for mainstream DBAs, Oracle Database 11g strengthens its premier advanced security options. The Oracle Kerberos client adds support for encryption algorithms such as 3DES and AES, thus making Kerberos more secure. Additionally, the enhanced Kerberos operates seamlessly with Microsoft and MIT Key Distribution

[1] Best practices for employing encryption to achieve maximum security from Ingrian Networks