yu wang principal software engineer, oracle -...

HOL9762: Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11 Ramesh Nagappan Senior Principal Software Engineer, Oracle

Yu Wang Principal Software Engineer, Oracle

Xiaosong Zhu Senior Software Engineer, Oracle

Gang Wang Software Development Manager, Oracle

2

Table of Contents

Introduction ............................................................................................................................................................. 2 Prerequisites ............................................................................................................................................................ 2 Hardware/Software Requirements .......................................................................................................................... 2 Environment Configuration .................................................................................................................................... 2 Notes for Users ....................................................................................................................................................... 3 Exercise 1: Using Solaris Zones to Set up a Multitenant Database Environment (20 Minutes) ............................ 4 Exercise 2: Exploring Oracle Database 12c Multitenant (20 Minutes) ................................................................ 16 Exercise 3: Using Oracle Transparent Data Encryption with Solaris Cryptographic Framework (20 Minutes) . 22 Summary ............................................................................................................................................................... 26 See Also ................................................................................................................................................................ 26 About the Authors ................................................................................................................................................. 26

Introduction

Database multitenancy helps customers reduce IT costs by simplifying consolidation, provisioning, upgrades,

and more. However, it brings concerns about data security because the computing and storage resources are

shared to different users.

In this lab, you will explore different isolation and encryption approaches for securing multitenancy of Oracle

Database on Oracle Solaris 11: Solaris Zones, Oracle Solaris ZFS encryption, Oracle Database 12c pluggable

databases(PDB) and Oracle Advanced Security Transparent Data Encryption (TDE). Meanwhile, you also learn

about how TDE works with Solaris Cryptographic Framework.

Prerequisites

This hands-on lab assumes you have some basic knowledge about the following technologies.

Administration of Oracle Solaris or a similar UNIX or Linux OS

Oracle Database administration

SQL programming

Hardware/Software Requirements

Memory requirement: 8 GB

Disk space requirement: 50 GB

Oracle VM Virtualbox 4.3.14 (host OS: Windows 7/8, Oracle Enterprise Linux)

Operating System: Solaris 11.2

Oracle Database 12c Enterprise Edition

Oracle Database 11gr2 Enterprise Edition

Environment Configuration

3

Solaris 11.2 for x86 installed in Oracle VM Virtualbox 4.3.14

Pre-configured non-global zones:

o dbzone1: Oracle Database 12c Enterprise Edition pre-installed

o dbzone2: Oracle Database 11gr2 Enterprise Edition pre-installed

OS user name/password:

o labuser/solaris11

o root/solaris11

o oracle/solaris11

Database user name/password:

o SYS/solaris11

Notes for Users

The lab prefers the GNOME desktop environment over Oracle Solaris 11 (with desktop packages installed).

In order to open a terminal window in GNOME, right-click any point on the background of the desktop, and

select Open Terminal in the pop-up menu (as shown in Figure 1).

Figure 1. Open a terminal in Solaris 11

4

Exercise 1: Using Solaris Zones to Set up a

Multitenant Database Environment (20 Minutes)

In this exercise, you will use the Solaris Zones to set up a multitenant environment for different versions of

Oracle Databases.

What is multitenancy?

As one of essential characteristics of cloud computing, multitenancy is an architectural and operational

approach enabling IT providers to share infrastructure resources, deliver database or software functionality as a

service to one or more consumers (tenants). The resource control and data isolation are critical for this

multitenant architecture which can be implemented differently for different service models (IaaS, PaaS and

SaaS).

Nowadays, many providers are using KVM, Xen or other hypervisor based virtualization technologies to deploy

databases for multitenant usage. However, a hypervisor based virtualization usually has high overhead which

may limit the number of VMs that a physical machine can create. Therefore, we recommend you to use a

Solaris Zone which is an OS based light container with very small footprint. It can be used to not only deploy

multiple high performance database services, but also isolate the data effectively.

What is a Solaris Zone? A Solaris Zone is an implementation of operating system-level virtualization technology for x86 and SPARC

systems. A Solaris zone is the combination of system resource controls and the boundary separation. Zones act

as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets

of application services onto one system and by placing each into isolated virtual server containers, system

administrators can reduce cost and provide most of the same protections of separate machines on a single

machine.

Step 1: Start the preinstalled non-global zones

1. After logging in to Solaris 11 by using the username/password: labuser/solaris11, click the right mouse

button on the desktop and choose Open Terminal to bring up a terminal window (as shown in Figure 1).

In the opened terminal, switch to root/solaris11 in order to do zone administration. labuser@hol9762:~$ su -

Password:

Oracle Corporation SunOS 5.11 11.2 June 2014

You have new mail.

root@hol9762:~#

2. Check the pre-installed zones in the system.

root@hol9762:~# zoneadm list -cv

ID NAME STATUS PATH BRAND IP

0 global running / solaris shared

- dbzone1 installed /dbzone1 solaris excl

- dbzone2 installed /dbzone2 solaris excl

http://en.wikipedia.org/wiki/Operating_system-level_virtualization

5

From the output, you can see that there are two non-global zones, dbzone1 and dbzone2 pre-installed in Solaris

11. Oracle Database 12c and Oracle Database 11gr2 have been separately installed in these two zones. The

detailed configuration of two non-global zones is shown in Figure 2.

Figure 2. Multitenant database environment based on Solaris zones

3. Start the non-global zones: dbzone1 and dbzone2. root@hol9762:~# zoneadm -z dbzone1 boot

root@hol9762:~# zoneadm -z dbzone2 boot

Check to make sure that both of the zones are running now. root@hol9762:~# zoneadm list -cv

ID NAME STATUS PATH BRAND IP

0 global running / solaris shared

1 dbzone1 running /dbzone1 solaris excl

2 dbzone2 running /dbzone2 solaris excl

Step 2: Check the disk isolation

1. Find the disks available in the system by using the command of format. Please note that the first disk c1d0 is

working as the root zfs pool of the global zone. root@hol9762:~# format < /dev/null

Searching for disks...done

AVAILABLE DISK SELECTIONS:

0. c1d0 <VBOX HAR-59bffd1e-fb51c8a-0001-31.25GB>

/pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0

1. c2t0d0 <VBOX-HARDDISK-1.0-16.00GB>

/pci@0,0/pci1000,8000@16/sd@0,0


/pci@0,0/pci1000,8000@16/sd@1,0


/pci@0,0/pci1000,8000@16/sd@2,0


/pci@0,0/pci1000,8000@16/sd@3,0

Specify disk (enter its number):

2. Type zonecfg to show the zone configuration of zones.

Global Zone

Oracle Solaris 11.2

dbzone1

Oracle DB

12c

vn

ic1

C2

t0d

0

C2

t2d

0

C2

t3d

0

dbzone2

Oracle DB

11g R2

Vn

ic2

C2

t1d

0

CPU

Mem

CPU CPU CPU

Mem

6

List the disks assigned to the zone dbzone1. root@hol9762:~# zonecfg -z dbzone1 info

zonename: dbzone1

…

rootzpool:

storage: dev:/dev/dsk/c2t0d0

zpool:

name: dbpool1


zpool:

name: dbpool2


There are three disks dedicated to the dbzone1, c2t0d0 is used as root zfs pool, while c2t2d0 and c2t3d0 will be

used to store database data in the following lab.

For the zone dbzone2, there’s only one disk c2t1d0 dedicated to the zone as the root zfs pool root@hol9762:~# zonecfg -z dbzone2 info

zonename: dbzone2

…

rootzpool:


Note: While configuring Solaris zones, you can decide whether or not use isolated storage according to the data

security requirements.

Step 3: Check the network isolation

1. Check the network pre-setup in the global zone.

Type the following command, you will find that there’s only one physical link available in the system. The

static ip of global zone is 192.168.56.200. root@hol9762:~# dladm show-phys

LINK MEDIA STATE SPEED DUPLEX DEVICE

net0 Ethernet up 1000 full e1000g0

root@hol9762:~# ipadm show-addr

ADDROBJ TYPE STATE ADDR

lo0/v4 static ok 127.0.0.1/8

net0/v4 static ok 192.168.56.200/24

Oracle Solaris 11 network virtualization features can be applied to a zone by creating a virtual NIC (VNIC) for

the zone and applying bandwidth limits to the zone's assigned VNIC.

The vnic1 and vnic2 are pre-created in the global zones and assigned to different zones while dbzone1/vnic1 and

dbzone2/vnic2 are created when the zones boot and will be deleted when the zones halt. root@hol9762:~# dladm show-vnic

LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS

vnic1 net0 100 2:8:20:61:8c:fc random 0

dbzone1/vnic1 net0 100 2:8:20:61:8c:fc random 0

vnic2 net0 100 2:8:20:cf:2:1b random 0

dbzone2/vnic2 net0 100 2:8:20:cf:2:1b random 0

Solaris integrated QoS enabled bandwidth control on data links to share network bandwidth among your

applications while preventing misbehaving applications from taking all the network bandwidth. In the column

of SPEED, you can see that the max bandwidth of vnic1 and vnic2 are limited to 100M, but 1000M for the

physical link net0.

7

You need to assign more bandwidth for dbzone1 because dbzone1 may have more network traffic. Use the

following command to increase the max bandwidth of vnic1 from 100M to 500M. root@hol9762:~# dladm set-linkprop -p maxbw=500m vnic1

Check the changed bandwidth. root@hol9762:~# dladm show-vnic

LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS

vnic1 net0 500 2:8:20:61:8c:fc random 0

dbzone1/vnic1 net0 500 2:8:20:61:8c:fc random 0

vnic2 net0 100 2:8:20:cf:2:1b random 0

dbzone2/vnic2 net0 100 2:8:20:cf:2:1b random 0

2. Check the network configuration of the zones.

Exclusive-IP zones enable you to assign a separate IP stack per zone. Each zone has the flexibility to configure

IP within that stack completely separate to other zones. Type the following command to show the configuration

of dbzone1. root@hol9762:~# zonecfg -z dbzone1 info

zonename: dbzone1

…

ip-type: exclusive

…

net:

address not specified

allowed-address not specified

configure-allowed-address: true

physical: vnic1

defrouter not specified

You will see the network configuration about dbzone1.

Type the following command to check the information about dbzone2. root@hol9762:~# zonecfg -z dbzone2 info

zonename: dbzone2

…

ip-type: exclusive

…

net:

address not specified

allowed-address not specified

configure-allowed-address: true

physical: vnic2

defrouter not specified

3. Monitor the network utilization.

Type zonestat in global zone to monitor the network utilization of the currently running zones. root@hol9762:~# zonestat -r network 2

Collecting data for first interval...

Interval: 1, Duration: 0:00:02

NETWORK-DEVICE SPEED STATE TYPE

net0 1000mbps up phys

ZONE TOBYTE MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE

[total] 336 - - 120 0.00% 132 0.00%

global 252 - - 120 0.00% 132 0.00%

dbzone1 42 500M 0.00% 0 0.00% 0 0.00%

dbzone2 42 100M 0.00% 0 0.00% 0 0.00%

Interval: 2, Duration: 0:00:04

NETWORK-DEVICE SPEED STATE TYPE

8

net0 1000mbps up phys

ZONE TOBYTE MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE

[total] 550 - - 120 0.00% 430 0.00%

global 550 - - 120 0.00% 430 0.00%

dbzone1 0 500M 0.00% 0 0.00% 0 0.00%

dbzone2 0 100M 0.00% 0 0.00% 0 0.00%

Type Ctrl+c to stop.

Note: zonestat can also be used in non-global zones to monitor the resource utilization of themselves.

Step 4: Assign CPUs to non-global zones

Zones induce a very low overhead on CPU and memory. Most types of zones share the global zone's virtual

address space. A zone can be assigned with a resource pool (processor set plus scheduling class) to guarantee

certain usage, or it can be capped at a fixed compute capacity ("dedicated CPU" or "capped CPU") or can be

given shares via fair-share scheduling.

In this lab, a resource pool’s been assigned to the zone dbzone1. Thus you can dynamically configure CPU

resources to the zone without rebooting it.

1. List the resource pool assigned to the zones. This shows that zonepool1 is bind with dbzone1. root@hol9762:~# zonecfg -z dbzone1 info

zonename: dbzone1

…

pool: zonepool1

2. Use pooladm to print out the currently running pools configuration. root@hol9762:~# pooladm

system default

string system.comment

int system.version 1

boolean system.bind-default true

string system.poold.objectives wt-load

pool zonepool1

int pool.sys_id 1

boolean pool.active true

boolean pool.default false

int pool.importance 1

string pool.comment

pset zonepool1-pset

pool pool_default

int pool.sys_id 0


boolean pool.default true


string pool.comment

pset pset_default

pset zonepool1-pset

int pset.sys_id 1

boolean pset.default false

uint pset.min 1

uint pset.max 1

string pset.policy minmax

string pset.restype cpu

string pset.reslist

string pset.units population

uint pset.load 0

uint pset.size 1

string pset.comment

http://en.wikipedia.org/wiki/Fair-share_scheduling

9

cpu

int cpu.sys_id 0

string cpu.comment

string cpu.status on-line

pset pset_default

int pset.sys_id -1

boolean pset.default true

uint pset.min 1

uint pset.max 65536



string pset.reslist


uint pset.load 30

uint pset.size 3

string pset.comment

cpu

int cpu.sys_id 1

string cpu.comment


cpu

int cpu.sys_id 3

string cpu.comment


cpu

int cpu.sys_id 2

string cpu.comment


As you can see the processor set, zonepool1-pset is created with 1 processor which is associated with the pool

zonepool1. And zonepool1 is bind with dbzone1.

3. Check the processors available in non-global zones.

Open a new terminal, and switch to root before trying to log in to dbzone1. labuser@hol9762:~$ su -

Password:


You have new mail.

root@hol9762:~#

Log in to the dbzone1. root@hol9762:~# zlogin dbzone1

In the terminal for dbzone1, check the CPUs assigned to it. root@dbzone1:~# psrinfo

0 on-line since 08/25/2014 04:30:44

As you can see, there’s one processor dedicated to dbzone1.

Open a new terminal, and switch to root before trying to log in to dbzone2. labuser@hol9762:~$ su -

Password:


You have new mail.

root@hol9762:~#

10

Log in to dbzone2. root@hol9762:~# zlogin dbzone2

Check the CPUs assigned to the zone dbzone2 by typing the command below. Three processors are working for

dbzone2 now. root@dbzone2:~# psrinfo

1 on-line since 08/25/2014 04:30:46

2 on-line since 08/25/2014 04:30:46

3 on-line since 08/25/2014 04:30:46

4. Since we will use dbzone1 to run Oracle Database12c in Exercise 2, let’s assign more processors to dbzone1.

In the terminal of global zone, change the pool configuration by assigning 3 processors to the zonepool1. root@hol9762:~# poolcfg -c 'modify pset zonepool1-pset (uint pset.min=3; uint pset.max=3)'

Instantiate the configuration. root@hol9762:~# pooladm -c

Print out the currently running pools configuration again. root@hol9762:~# pooladm

system default

string system.comment

int system.version 1

boolean system.bind-default true

string system.poold.objectives wt-load

pool zonepool1

int pool.sys_id 1


boolean pool.default false


string pool.comment

pset zonepool1-pset

pool pool_default

int pool.sys_id 0


boolean pool.default true


string pool.comment

pset pset_default

pset zonepool1-pset

int pset.sys_id 1

boolean pset.default false

uint pset.min 3

uint pset.max 3



string pset.reslist


uint pset.load 3

uint pset.size 3

string pset.comment

cpu

int cpu.sys_id 1

string cpu.comment


11

cpu

int cpu.sys_id 0

string cpu.comment


cpu

int cpu.sys_id 2

string cpu.comment


pset pset_default

int pset.sys_id -1

boolean pset.default true

uint pset.min 1

uint pset.max 65536



string pset.reslist


uint pset.load 64

uint pset.size 1

string pset.comment

cpu

int cpu.sys_id 3

string cpu.comment


Two processors are added to the dbzone1, we can also check the CPU information in the non-global zones

In the terminal of dbzone1, verify that check there are 3 processors available. root@dbzone1:~# psrinfo

0 on-line since 08/25/2014 04:30:44

1 on-line since 08/25/2014 04:30:46

2 on-line since 08/25/2014 04:30:46

In the terminal of dbzone2, you can see that only one processor left. root@dbzone2:~# psrinfo

3 on-line since 08/25/2014 04:30:46

Step 5: Assign memory to non-global zones

In Solairs 11.2, rcapd daemon is used for memory caps and its administration. You can control resident

set size (RSS) usage of a zone by setting the capped-memory resource when you configure the zone.

1. In the terminal of global zone, type the command below to show the zone configuration of dbzone1 for the

memory caps. root@hol9762:~# zonecfg -z dbzone1 info

…

capped-memory:

physical: 2G

2. In the terminal of dbzone1, check the physical memory assigned to the zone root@dbzone1:~# prtconf |grep Memory

prtconf: devinfo facility not available

Memory size: 2048 Megabytes

12

3.Use zonecfg to change the zone configuration needs a reboot of the zone. However, we can use another

command to change the memory cap dynamically without rebooting the zone.

In the terminal of the global zone, type the following command. root@hol9762:~# rcapadm -z dbzone1 -m 4G

In the terminal for dbzone1, check the physical memory assigned the dbzone1 again. root@dbzone1:~# prtconf |grep Mem

prtconf: devinfo facility not available

Memory size: 4096 Megabytes

Step 6: Start the preinstalled databases, and check the process isolation

1. Start the Oracle Database 12c installed in dbzone1.

Switch to the user of oracle before starting up the Oracle Database 12c in the terminal of dbzone1. root@dbzone1:~# su - oracle

Password:

Oracle Corporation SunOS 5.11 11.2 April 2014

oracle@dbzone1:~$

Check the environment setting for the database. oracle@dbzone1:~$ env |grep ORACLE

ORACLE_SID=cdb1

ORACLE_BASE=/u01/app/oracle

ORACLE_HOME=/u01/app/oracle/12.1.0/dbhome_1

Start the listener. oracle@dbzone1:~$ lsnrctl start

LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 25-AUG-2014 15:17:32

Copyright (c) 1991, 2014, Oracle. All rights reserved.

Starting /u01/app/oracle/12.1.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 12.1.0.2.0 - Production

System parameter file is /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora

Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for Solaris: Version 12.1.0.2.0 - Production

Start Date 25-AUG-2014 15:17:33

Uptime 0 days 0 hr. 0 min. 1 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora

Listener Log File /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))

The listener supports no services

The command completed successfully

Start up Oracle Database 12c. oracle@dbzone1:~$ sqlplus / as sysdba

13

SQL*Plus: Release 12.1.0.2.0 Production on Mon Aug 25 14:55:47 2014


Connected to an idle instance.

SQL> startup

ORACLE instance started.

Total System Global Area 536870912 bytes

Fixed Size 3005728 bytes

Variable Size 402653920 bytes

Database Buffers 125829120 bytes

Redo Buffers 5382144 bytes

Database mounted.

Database opened.

2. Start Oracle Database 11gr2 installed in dbzone2 in the terminal of dbzone2.

Switch to the user of oracle before starting Oracle Database 11gr2 installed in dbzone2. root@dbzone2:~# su - oracle


oracle@dbzone2:~$

Check the environment setting for the database. oracle@dbzone2:~$ env |grep ORACLE

ORACLE_SID=db11g

ORACLE_BASE=/u01/app/oracle

ORACLE_HOME=/u01/app/oracle/11.2/dbhome_1

Start the listener. oracle@dbzone2:~$ lsnrctl start

LSNRCTL for Solaris: Version 11.2.0.1.0 - Production on 25-AUG-2014 15:18:58


Starting /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 11.2.0.1.0 - Production

System parameter file is /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora

Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for Solaris: Version 11.2.0.1.0 - Production

Start Date 25-AUG-2014 15:19:00

Uptime 0 days 0 hr. 0 min. 1 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora

Listener Log File /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))

The listener supports no services

The command completed successfully

14

Start up Oracle Database 11gr2. oracle@dbzone2:~$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Mon Aug 25 14:56:09 2014



SQL> startup







Database mounted.

Database opened.

3. Check the database isolation

Solaris Zone virtualization prevents processes that are running in one zone from monitoring or affecting

processes running in other zones.

In order to check the running processes in dbzone1, exit sqlplus in the terminal of dbzone1. SQL> exit

In the terminal of dbzone1, check the running processes of Oracle Database 12c. oracle@dbzone1:~$ ps -ef |grep ora

oracle 5599 5598 0 14:55:33 pts/10 0:00 -bash

oracle 5650 1900 0 14:57:46 ? 0:01 ora_lg00_cdb1

oracle 5648 1900 0 14:57:46 ? 0:03 ora_ckpt_cdb1

oracle 6031 1900 0 15:13:49 ? 0:00 ora_w002_cdb1

oracle 5654 1900 0 14:57:47 ? 0:01 ora_smon_cdb1

oracle 5636 1900 0 14:57:44 ? 0:06 ora_dbrm_cdb1

oracle 5634 1900 0 14:57:44 ? 0:01 ora_diag_cdb1

oracle 5640 1900 0 14:57:45 ? 0:03 ora_dia0_cdb1

oracle 5642 1900 0 14:57:45 ? 0:02 ora_dbw0_cdb1

oracle 5644 1900 0 14:57:46 ? 0:01 ora_lgwr_cdb1

oracle 6070 1900 6 15:20:02 ? 0:07 ora_j000_cdb1

oracle 6073 5599 0 15:20:19 pts/10 0:00 ps -ef

oracle 5628 1900 0 14:57:43 ? 0:01 ora_gen0_cdb1

oracle 5624 1900 0 14:57:42 ? 0:03 ora_vktm_cdb1

oracle 5638 1900 0 14:57:45 ? 0:00 ora_vkrm_cdb1

oracle 5630 1900 0 14:57:43 ? 0:01 ora_mman_cdb1

oracle 5622 1900 0 14:57:41 ? 0:03 ora_psp0_cdb1

oracle 5620 1900 0 14:57:41 ? 0:01 ora_pmon_cdb1

oracle 5730 1900 0 14:58:33 ? 0:08 ora_cjq0_cdb1

oracle 5662 1900 0 14:57:48 ? 0:01 ora_lreg_cdb1

oracle 5656 1900 0 14:57:47 ? 0:01 ora_lg01_cdb1

oracle 5668 1900 0 14:57:48 ? 0:04 ora_mmnl_cdb1

oracle 5666 1900 0 14:57:48 ? 0:15 ora_mmon_cdb1

oracle 5664 1900 0 14:57:48 ? 0:01 ora_pxmn_cdb1

oracle 5660 1900 0 14:57:47 ? 0:01 ora_reco_cdb1

oracle 5670 1900 0 14:57:49 ? 0:00 ora_d000_cdb1

oracle 5672 1900 0 14:57:49 ? 0:00 ora_s000_cdb1

oracle 5684 1900 0 14:57:57 ? 0:00 ora_tmon_cdb1

oracle 5686 1900 0 14:57:58 ? 0:01 ora_tt00_cdb1

oracle 5688 1900 0 14:58:06 ? 0:01 ora_smco_cdb1

oracle 5690 1900 0 14:58:06 ? 0:01 ora_w000_cdb1

oracle 5692 1900 0 14:58:06 ? 0:01 ora_w001_cdb1

15

oracle 5694 1900 0 14:58:13 ? 0:00 ora_aqpc_cdb1

oracle 5698 1900 0 14:58:24 ? 0:00 ora_qm02_cdb1

…

In order to check the running processes in dbzone2, exit sqlplus in the terminal of dbzone2. SQL> exit

In the terminal of dbzone2, check the running processes running of Oracle Database 11gr2. oracle@dbzone2:~$ ps -ef |grep ora

oracle 6045 3696 0 15:16:15 ? 0:00 ora_w000_db11g

oracle 5987 5986 0 15:08:22 pts/11 0:00 -bash

oracle 6078 3696 4 15:21:40 ? 0:01 ora_j000_db11g

oracle 6080 3696 1 15:21:41 ? 0:00 ora_j001_db11g

oracle 6084 5987 0 15:21:45 pts/11 0:00 grep ora

oracle 5916 3696 0 15:01:10 ? 0:00 ora_qmnc_db11g

oracle 5808 3696 0 14:59:07 ? 0:01 ora_gen0_db11g

oracle 5790 3696 0 14:58:56 ? 0:02 ora_pmon_db11g

oracle 5859 3696 0 14:59:57 ? 0:00 ora_s000_db11g

oracle 6066 3696 0 15:18:59 ? 0:01 /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr

LISTENER -inherit

oracle 5800 3696 0 14:59:03 ? 0:02 ora_vktm_db11g

oracle 6083 5987 1 15:21:45 pts/11 0:00 ps -ef

oracle 5827 3696 0 14:59:21 ? 0:01 ora_mman_db11g

oracle 5812 3696 0 14:59:08 ? 0:01 ora_diag_db11g

oracle 5816 3696 0 14:59:10 ? 0:01 ora_dbrm_db11g

oracle 5820 3696 0 14:59:14 ? 0:01 ora_psp0_db11g

oracle 5822 3696 0 14:59:19 ? 0:02 ora_dia0_db11g

oracle 5831 3696 0 14:59:25 ? 0:02 ora_dbw0_db11g

oracle 5936 3696 0 15:01:26 ? 0:02 ora_cjq0_db11g

oracle 5928 3696 0 15:01:20 ? 0:00 ora_q000_db11g

oracle 5932 3696 0 15:01:24 ? 0:00 ora_q001_db11g

oracle 5839 3696 0 14:59:33 ? 0:01 ora_lgwr_db11g

oracle 5843 3696 0 14:59:35 ? 0:02 ora_ckpt_db11g

oracle 5847 3696 0 14:59:44 ? 0:03 ora_smon_db11g

oracle 5849 3696 0 14:59:46 ? 0:00 ora_reco_db11g

oracle 5851 3696 0 14:59:46 ? 0:04 ora_mmon_db11g

oracle 5853 3696 0 14:59:46 ? 0:02 ora_mmnl_db11g

oracle 5855 3696 0 14:59:54 ? 0:00 ora_d000_db11g

root 5862 3696 0 14:59:57 ? 0:04 ora_dism_db11g

oracle 5971 3696 0 15:06:11 ? 0:00 ora_smco_db11g

Based on the output in dbzone1 and dbzone2, you can see that two different versions of databases are separately

running in different zones on the same machine.

Summary In this exercise, you have leveraged the power of Solaris Zones to set up a multitenant environment for Oracle

Database. By using Solaris Zones, you can easily deploy multiple database instances for tenants with low

overhead, and can easily isolate disk files, manage CPU resources, network bandwidth and memory allocation

for different users of the database servers.

16

Exercise 2: Exploring Oracle Database 12c

Multitenant (20 Minutes)

In this exercise, you will explore Oracle Database 12c multitenant architecture. Several pluggable databases

(PDBs) will be deployed in ZFS on isolated disks. Since data-file isolation is an important feature for a

multitenant database, you will also learn how to use ZFS encryption to encrypt a data-file, in order to prevent

attacks that attempt to bypass the database and read sensitive information from it.

What is Oracle Database 12c multitenant?

Designed for the cloud, Oracle Database 12c delivers a multitenant architecture that simplifies consolidation

and delivers the high density of schema based consolidation, but without requiring changes to existing

applications. It’s an option of Oracle Database 12c Enterprise Edition that offers all the benefits of managing

many databases as one, yet retains the isolation and resource control of separate databases. In this new

architecture, a single multitenant container database (CDB) can host many ‘pluggable’ databases (PDB). Each

database consolidated or ‘plugged in’ to a multitenant container looks and feels to applications the same as for

existing Oracle databases. Accessing pluggable databases is the same as for existing Oracle databases, and

administrators can control the prioritization of available resources among consolidated databases.

In this exercise, there will be three pluggable databases (pdb11,pdb12 and pdb13) plugged into a multitenant

container database cdb1, shown as Figure 3.

Figure 3. PDBs in a multitenant container CDB1

What is Solaris ZFS?

Oracle Solaris ZFS is a revolutionary file system that changes the way file systems are administered, with

features and benefits not found in any other file system available today. ZFS uses the concept of storage pools

to manage physical storage, eliminates the concept of volumes and the associated problems of partitions,

provisioning and stranded storage by enabling thousands of file systems to draw from a common storage pool,

using only as much space as it actually needs.

Multitenant Container Database

cdb1

Root

pdb11

12.1

pdb12

12.1

pdb13

12.1 PDBs

Root

CDB

17

ZFS is a combined file system and logical volume manager. The features of ZFS include protection against data

corruption, support for high storage capacities, efficient data compression, integration of the concepts of file

system and volume management, snapshots and copy-on-write clones, continuous integrity checking and

automatic repair and RAID-Z support.

Step 1: Start up Oracle Database 12c in dbzone1 (Please skip to Step 2 if the Oracle Database 12c has been started in Exercise 1)

1. Click the right mouse button on the desktop and choose Open Terminal to bring up a terminal window.

2. Try the following commands in the terminal of dbzone1. labuser@hol9762:~$ su -

Password:

root@hol9762:~# zlogin dbzone1

root@dbzone1:~# su - oracle

oracle@dbzone1:~$ lsnrctl start

oracle@dbzone1:~$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.1.0 Production on Wed Aug 20 18:55:40 2014



SQL>

3. Startup the database. SQL> startup







Database mounted.

Database opened.

SQL>

Step 2: Explore the CDB and the PDBs

1. In the terminal of dbzone1, type the command below in sqlplus. oracle@dbzone1:~$ sqlplus / as sysdba

…

SQL> SHOW CON_NAME;

CON_NAME

------------------------------

CDB$ROOT

SQL>

The result shows that you are now in the CDB root container.

2. Type the following command to show how many PDBs are available. SQL> SHOW PDBS;

CON_ID CON_NAME OPEN MODE RESTRICTED

---------- ------------------------------ ---------- ----------

2 PDB$SEED READ ONLY NO

http://en.wikipedia.org/wiki/File_system

http://en.wikipedia.org/wiki/Logical_volume_manager

http://en.wikipedia.org/wiki/Data_corruption

http://en.wikipedia.org/wiki/Data_corruption

http://en.wikipedia.org/wiki/Volume_(computing)

http://en.wikipedia.org/wiki/Snapshot_(computer_storage)

http://en.wikipedia.org/wiki/Copy-on-write

http://en.wikipedia.org/wiki/RAID-Z

18

3 PDB11 MOUNTED

SQL>

Note: The PDB$SEED is a template PDB, which can be used to create other PDBs. PDB11 is a pre-created

PDB.

3. If you want to use the PDB11, you need to open it. Run the following command to open the PDB11 and

show its status. SQL> ALTER PLUGGABLE DATABASE pdb11 OPEN;

Pluggable database altered.

SQL> SHOW PDBS;


---------- ------------------------------ ---------- ----------

2 PDB$SEED READ ONLY NO

3 PDB11 READ WRITE NO

Now PDB11 is ready for read and write operation.

Exit sqlplus SQL> exit;

4. In the terminal window, run the following command to log in to the PDB11.

oracle@dbzone1:~$ sqlplus sys/solaris11@localhost:1521/pdb11 as sysdba

5. Type the following command to check current container and status. SQL> SHOW CON_NAME;

CON_NAME

------------------------------

PDB11

SQL> SHOW PDBS;


---------- ------------------------------ ---------- ----------

3 PDB11 READ WRITE NO

SQL> SELECT name FROM v$datafile;

NAME

--------------------------------------------------------------------------------

/u01/app/oracle/oradata/cdb1/undotbs01.dbf

/u01/app/oracle/oradata/cdb1/pdb11/system01.dbf

/u01/app/oracle/oradata/cdb1/pdb11/sysaux01.dbf

/u01/app/oracle/oradata/cdb1/pdb11/pdb11_users01.dbf

Exit sqlplus. SQL> exit;

Step 3: Create a new PDB with a dedicated disk 1. In the terminal of dbzone1, type the following commands to find extra disks in this zone.

oracle@dbzone1:~$ zpool status

pool: dbpool1

state: ONLINE

scan: none requested

config:

NAME STATE READ WRITE CKSUM

dbpool1 ONLINE 0 0 0

c2t2d0 ONLINE 0 0 0

19

errors: No known data errors

pool: dbpool2

state: ONLINE


config:


dbpool2 ONLINE 0 0 0

c2t3d0 ONLINE 0 0 0


pool: rpool

state: ONLINE


config:


rpool ONLINE 0 0 0

c2t0d0 ONLINE 0 0 0


As you can see that there are 2 extra disks, c2t2d0 (mounted as dbpool1) and c2t3d0 (mounted as dbpool2).

2. Connect to the database as SYSDBA oracle@dbzone1:~$ sqlplus / as sysdba

3. To create and open a new PDB, named PDB12, in a dedicated disk named dbpool1, type the following

commands. SQL> CREATE PLUGGABLE DATABASE pdb12 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11

FILE_NAME_CONVERT =('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool1');

Pluggable database created.

SQL> ALTER PLUGGABLE DATABASE pdb12 OPEN;


4. Create the tablespaces, users, and grant privileges for PDB12. Execute the following commands one by one. SQL> ALTER SESSION SET CONTAINER=pdb12;

Session altered.

SQL> CREATE TABLESPACE users DATAFILE '/dbpool1/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 1M SEGMENT

SPACE MANAGEMENT AUTO;

5. Create a table and insert some records. SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER,

credit_card CHAR(16)) TABLESPACE users;

SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');

SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');

SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');

SQL> SELECT * FROM employee;

SQL> COMMIT;

SQL> ALTER PLUGGABLE DATABASE pdb12 CLOSE;

Step 4: Create a new PDB in an encrypted file system In Oracle Database 12c, PDBs can provide data isolation by using separated disks and storage to store their own

data. However, there are risks when the disks are stolen or maliciously accessed. If some unauthorized people

get the disks, they will be able to get the sensitive data directly from the OS level, such as files and disk devices

20

instead of database level. Some disk scan tools (such as dd) can be used to scan the whole disk to find out the

sensitive information.

Therefore, the data-at-rest protection must be presented in order to prevent sensitive data disclosure.

1. In the terminal, exit sqlplus if needed. Then type the following command to scan the tablespace file. SQL> exit;

…

oracle@dbzone1:~$ dd if=/dbpool1/users.dbf | strings

You will be able to get the results like the following. …

chris

5201237476346909,

wang

4380558852114471,

gary

wang

6201345768476366

…

This means unauthorized users can directly get the sensitive data from the tablespace files.

Or you can switch to the terminal of the global zone (with root@hol9762). Type the following command to

scan the disk for sensitive information. (Note: It may take several minutes to get the results.) root@hol9762:~# dd if=/dev/dsk/c2t2d0 | strings | grep 52012374

5201237476346909,

4194304+0 records in

4194304+0 records out

2. ZFS encryption can be used to solve this problem. Switch to the terminal of dbzone1, create an encrypted file

system by using command below. oracle@dbzone1:/$ sudo zfs create -o encryption=on dbpool2/protected

Enter passphrase for 'dbpool2/protected':

Enter again:

oracle@dbzone1:/$ sudo chown oracle:dba /dbpool2/protected

3. Connect to the database as SYSDBA. oracle@dbzone1:~$ sqlplus / as sysdba

4. To create and open a new PDB, named PDB13, in this encrypted filesystem, type the following commands: SQL> CREATE PLUGGABLE DATABASE pdb13 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11

FILE_NAME_CONVERT = ('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool2/protected');

Pluggable database created.



Repeat the actions in Step 3 to create tablespace, users and tables.

5. Create the tablespaces, users, and grant privileges for pdb13. Execute following commands one by one. SQL> ALTER SESSION SET CONTAINER=pdb13;

Session altered.

SQL> CREATE TABLESPACE users DATAFILE '/dbpool2/protected/users.dbf' SIZE 20M AUTOEXTEND ON NEXT

1M SEGMENT SPACE MANAGEMENT AUTO;

6. Create a table and insert some records: SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER,

credit_card CHAR(16)) TABLESPACE users;

21

SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');




SQL> COMMIT;


7. Switch to the terminal of the global zone (with prompt root@hol9762). Type the following command to scan

the disk for sensitive information. (Note: It may take several minutes to finish, you can continue to do the

following lab while waiting for the result.) root@hol9762:~# dd if=/dev/dsk/c2t3d0 | strings | grep 52012374

You won’t succeed because the disk (c2t3d0)’s been encrypted.

Summary

In this exercise, you have created some pluggable databases (PDB) in Oracle Database 12c. Each of the PDBs is

attached to a dedicated disk in order to isolate tablespace files. You have also learned about how to use ZFS

encryption to protect the sensitive information in a PDB.

22

Exercise 3: Using Oracle Transparent Data

Encryption with Solaris Cryptographic Framework

(20 Minutes)

In this exercise, you will explore Oracle Advanced Security Transparent Data Encryption (TDE) and learn how

to transparently encrypt sensitive data stored in the tablespace shown in Figure 4. In the mean time, you will see

how the Oracle Database integrates with Solaris Cryptographic Framework to manage the hardware based

keystore (HSM, i.e. Hardware Security Module) on Solaris11.

Figure 4. Oracle Advanced Security Transparent Data Encryption

What is Oracle Advanced Security Transparent Data Encryption?

Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the

database and reading sensitive information from storage by enforcing data-at-rest encryption in the database

layer. Applications and users authenticated to the database continue to have access to application data

transparently (no application code or configuration changes are required), while attacks from OS users

attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information

from acquired disks or backups are denied access to the clear text data.

Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle

management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of

database columns or entire application tablespaces.

Transparent Data Encryption fully supports Oracle Multitenant.

23

What is Solaris Cryptographic Framework?

The Solaris Cryptographic Framework provides cryptographic services to users and applications through

commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level

frameworks. The Solaris Cryptographic Framework provides these cryptographic services to applications and

kernel modules in a manner seamless to the end user, and brings direct cryptographic services to the end user.

The Oracle Solaris Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries

to handle cryptographic requirements.

What is a token?

A token is a PKCS#11 concept, which is representing the logical view of a cryptographic device. Sometimes a

“token” is a “keystore”. For example, a “Oracle Crypto Accelerator 4000 board ” card in a PCI slot is a token

(hardware token). Solaris PKCS#11 Softtoken is another example of token.

What is a slot?

A slot is a PKCS#11 concept, which is representing a logical reader that potentially contains a token. For

example, Hardware slot is a slot which is bound to and dedicated to a hardware device; Softtoken slot is a software

cryptographic provider with an on-disk keystore.

What is a Metaslot? The Metaslot is a new additional slot to the Solaris Cryptographic Framework. It provides the virtual union of capabilities

of all other slots in the framework. Instead of having to deal with many slots, an application can simply choose the

Metaslot, which have access to features of all slots currently plugged into the Solaris Cryptographic Framework. It also

does the tedious work of managing sessions and objects on different slots so an application can use the best slot for a

particular mechanism without having to move objects and sessions back and forth. The Metaslot behavior conforms to the

PKCS#11 Standard. Applications should treat it as if it were any PKCS#11 slot with normal PKCS#11 semantics.

Step 1: Master key management using Solaris PKCS#11 Softtoken

1. Click the right mouse button on the desktop and choose Open Terminal to bring up a terminal window.

2. Log into the dbzone1 if needed. labuser@hol9762:~$ su –

Password:

root@hol9762:~# zlogin dbzone1

3. Configure metaslot to use Sun Software PCKS#11 Softtoken by default root@dbzone1:~# cryptoadm enable metaslot token="Sun Software PKCS#11 Softtoken"

4. Copy Solaris libpkcs11.so to the PKCS#11 library directory which is needed by Oracle Database 12c. root@dbzone1:~# mkdir -p /opt/oracle/extapi/64/hsm/sun/1.0.0/lib

root@dbzone1:~# cp /usr/lib/64/libpkcs11.so /opt/oracle/extapi/64/hsm/sun/1.0.0/lib

root@dbzone1:~# chown -R oracle:dba /opt/oracle

Step 2: Open the HSM based keystore and create an encryption key

1. Change to the oracle user

24

root@dbzone1:/# su - oracle


oracle@dbzone1:~$

2. Set the PIN for the Sun Software PCKS#11 Softtoken keystore. (The initial passphrase of the keystore is :

“changeme”) oracle@dbzone1:~$ pktool setpin keystore=pkcs11

Enter token passphrase:changeme

Create new passphrase: solaris11

Re-enter new passphrase:solaris11

Passphrase changed.

3. In order to configure TDE to use Solaris PKCS#11 Softtoken, you need to make an HSM to be used as an

Oracle Wallet.

Use vi to edit $ORACLE_HOME/network/admin/sqlnet.ora. oracle@dbzone1:~$ vi $ORACLE_HOME/network/admin/sqlnet.ora

Add the following line to this file. ENCRYPTION_WALLET_LOCATION= (SOURCE= (METHOD=HSM))

4. Startup the database if needed. You must open the hardware keystore so that it is accessible to the database

before you can perform any encryption or decryption.

Open the hardware keystore and create a TDE encryption master key for the root container. oracle@dbzone1:~$ sqlplus / as sysdba

SQL> startup

…

SQL> SHOW CON_NAME;

CON_NAME

------------------------------

CDB$ROOT

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";

keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";

keystore altered.

5. Switch the container of the current session to pdb11. Open pdb11 if needed. Open the hardware keystore and

create a TDE encryption master key for pdb11. SQL> ALTER SESSION SET CONTAINER=pdb11;

Session altered.



SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";

keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";

keystore altered.

6. Check the hardware keystore status. SQL> SELECT WRL_TYPE, status FROM v$encryption_wallet;

WRL_TYPE STATUS

-------------------- ------------------------------

25

HSM OPEN

Step 3: TDE tablespace encryption 1. Create an encrypted tablespace in pdb11.

SQL> CREATE TABLESPACE HsmSecuredTableSpace DATAFILE

'/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf' SIZE 20M ENCRYPTION DEFAULT STORAGE(ENCRYPT);

2. Create a table in the encrypted tablespace, which automatically encrypts all data objects in it. SQL> CREATE TABLE employee(first_name VARCHAR2(32),last_name VARCHAR2(32),empID

NUMBER,credit_card CHAR(16)) TABLESPACE HsmSecuredTableSpace;

3. Insert some data into the table. SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');




SQL> COMMIT;


SQL> exit;

4. Use pktool to check the encryption keys created in the database. oracle@dbzone1:~$ pktool list objtype=both;

Enter PIN for Sun Software PKCS#11 softtoken:

No. Key Type Key Len. Key Label

----------------------------------------------------

Symmetric keys:

1) AES ORACLE.TDE.HSM.MK.068FF2B9DF184B4FBCBF68185CB2A45687 (sensitive)

2) AES ORACLE.TDE.HSM.MK.06517EBB85AF554F9ABFB20C8F358F5FD0 (sensitive)

5. Use dd to scan the database file. You won’t be able to get any sensitive information. oracle@dbzone1:~$dd if=/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf | strings

Note: You can also create more TDE master encryption keys for the future use of other PDBs. Please refer to

Oracle Database Advanced Security Guide for the detailed information.

Why choose Oracle HSM to integrate with Solaris PKCS#11?

Oracle Database 12c supports the use of PKCS#11 based HSM keystore as Oracle Wallet. Using Solaris

PKCS#11 softtoken based Oracle Wallet secures the master key from duplication and copying during database

and filesystem backups. If being deployed on physical machines (such as Oracle SPARC T5 servers) with

hardware cryptographic accelerator, Solaris PKCS#11 can seamlessly integrate the hardware accelerator to

make database encryption much faster.

Summary

In this exercise, you have integrated Solaris Cryptographic Framework with Oracle Wallet to manage the

hardware based keystore (HSM) on Oracle Database 12c. Also, you’ve tried the features of Oracle database

Transparent Data Encryption, learned about how to encrypt sensitive data with TDE Transparent Tablespace.

26

Summary

You have successfully completed the " Oracle Database 12c Data Protection and Multitenancy on Oracle

Solaris 11" hands-on lab! You have explored different isolation and encryption approaches for securing

multitenancy when using Oracle Database 12c on Oracle Solaris 11: Oracle Solaris Zones, Oracle Database 12c

pluggable databases(PDB), Oracle Advanced Security Transparent Data Encryption (TDE) and Oracle Solaris

ZFS encryption. You have also learned about how TDE works with Solaris Cryptographic Framework.

See Also

High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC

T4

Managing ZFS File Systems in Oracle® Solaris 11.2

Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource

Management

Oracle Solaris Administration: Network Interfaces and Network Virtualization

Oracle Database Advanced Security Guide

About the Authors

Ramesh Nagappan is a Senior Principal Engineer at Oracle Corporation, (Previously at Sun Microsystems). He

works on security integration for SuperCluster platform and focused on Cloud security, Network and

Application security and Applied Cryptography for Applications, XML Web Services and Identity Management

technologies.

Yu Wang presently works for Oracle’s ISV Engineering group as a Principal Software Engineer. His duties

include supporting local ISVs and evangelizing about Oracle Solaris and Java technologies.

Xiaosong (Chris) Zhu is a Senior Software Engineer working for Oracle’s ISV Engineering group. She is

concentrated on Solaris and C/C++. Her duties include doing Solaris evangelizing and supporting local ISVs to

run C/C++ applications best on Oracle Solaris and SPARC servers.

Gang (Gary) Wang, manager of Oracle’s ISV Engineering group, leads ISV Engineering team in Beijing

helping ISVs in China, Japan, and Korea to make their applications run best on Oracle Solaris, Oracle servers,

and Oracle storage.

http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o12-021-t4security-1577047.pdf

http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o12-021-t4security-1577047.pdf

http://docs.oracle.com/cd/E36784_01/html/E36835/index.html

http://docs.oracle.com/cd/E23824_01/html/821-1460/toc.html



http://docs.oracle.com/database/121/ASOAG/toc.htm

yu wang principal software engineer, oracle -...

Documents