HOL9762: Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11
Ramesh Nagappan, Senior Principal Software Engineer, Oracle
Yu Wang, Principal Software Engineer, Oracle
Xiaosong Zhu, Senior Software Engineer, Oracle
Gang Wang, Software Development Manager, Oracle
Table of Contents
Introduction
Prerequisites
Hardware/Software Requirements
Environment Configuration
Notes for Users
Exercise 1: Using Solaris Zones to Set up a Multitenant Database Environment (20 Minutes)
Exercise 2: Exploring Oracle Database 12c Multitenant (20 Minutes)
Exercise 3: Using Oracle Transparent Data Encryption with Solaris Cryptographic Framework (20 Minutes)
Summary
See Also
About the Authors
Introduction
Database multitenancy helps customers reduce IT costs by simplifying consolidation, provisioning, upgrades,
and more. However, it raises concerns about data security because the computing and storage resources are
shared among different users.
In this lab, you will explore different isolation and encryption approaches for securing multitenancy of Oracle
Database on Oracle Solaris 11: Solaris Zones, Oracle Solaris ZFS encryption, Oracle Database 12c pluggable
databases (PDBs) and Oracle Advanced Security Transparent Data Encryption (TDE). You will also learn
how TDE works with the Solaris Cryptographic Framework.
Prerequisites
This hands-on lab assumes you have some basic knowledge about the following technologies.
Administration of Oracle Solaris or a similar UNIX or Linux OS
Oracle Database administration
SQL programming
Hardware/Software Requirements
Memory requirement: 8 GB
Disk space requirement: 50 GB
Oracle VM Virtualbox 4.3.14 (host OS: Windows 7/8, Oracle Enterprise Linux)
Operating System: Solaris 11.2
Oracle Database 12c Enterprise Edition
Oracle Database 11gr2 Enterprise Edition
Environment Configuration
Solaris 11.2 for x86 installed in Oracle VM Virtualbox 4.3.14
Pre-configured non-global zones:
o dbzone1: Oracle Database 12c Enterprise Edition pre-installed
o dbzone2: Oracle Database 11gr2 Enterprise Edition pre-installed
OS user name/password:
o labuser/solaris11
o root/solaris11
o oracle/solaris11
Database user name/password:
o SYS/solaris11
Notes for Users
The lab uses the GNOME desktop environment on Oracle Solaris 11 (with the desktop packages installed).
To open a terminal window in GNOME, right-click anywhere on the desktop background and
select Open Terminal in the pop-up menu (as shown in Figure 1).
Figure 1. Open a terminal in Solaris 11
Exercise 1: Using Solaris Zones to Set up a Multitenant Database Environment (20 Minutes)
In this exercise, you will use Solaris Zones to set up a multitenant environment for different versions of
Oracle Database.
What is multitenancy?
As one of the essential characteristics of cloud computing, multitenancy is an architectural and operational
approach that enables IT providers to share infrastructure resources and deliver database or software functionality as a
service to one or more consumers (tenants). Resource control and data isolation are critical for this
multitenant architecture, which can be implemented differently for different service models (IaaS, PaaS and
SaaS).
Nowadays, many providers use KVM, Xen or other hypervisor-based virtualization technologies to deploy
databases for multitenant usage. However, hypervisor-based virtualization usually has a high overhead, which
may limit the number of VMs that a physical machine can host. Therefore, we recommend using
Solaris Zones, which are OS-level lightweight containers with a very small footprint. They can be used not only to deploy
multiple high-performance database services, but also to isolate their data effectively.
What is a Solaris Zone?
A Solaris Zone is an implementation of operating system-level virtualization technology for x86 and SPARC
systems. A Solaris Zone combines system resource controls with boundary separation. Zones act
as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets
of application services onto one system and by placing each into isolated virtual server containers, system
administrators can reduce cost and provide most of the same protections as separate machines on a single
machine.
Step 1: Start the preinstalled non-global zones
1. After logging in to Solaris 11 by using the username/password: labuser/solaris11, click the right mouse
button on the desktop and choose Open Terminal to bring up a terminal window (as shown in Figure 1).
In the opened terminal, switch to root/solaris11 in order to do zone administration.
labuser@hol9762:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@hol9762:~#
2. Check the pre-installed zones in the system.
root@hol9762:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- dbzone1 installed /dbzone1 solaris excl
- dbzone2 installed /dbzone2 solaris excl
From the output, you can see that two non-global zones, dbzone1 and dbzone2, are pre-installed in Solaris
11. Oracle Database 12c and Oracle Database 11gR2 are installed in dbzone1 and dbzone2 respectively. The
detailed configuration of the two non-global zones is shown in Figure 2.
Figure 2. Multitenant database environment based on Solaris zones
3. Start the non-global zones: dbzone1 and dbzone2.
root@hol9762:~# zoneadm -z dbzone1 boot
root@hol9762:~# zoneadm -z dbzone2 boot
Check to make sure that both of the zones are running now.
root@hol9762:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
1 dbzone1 running /dbzone1 solaris excl
2 dbzone2 running /dbzone2 solaris excl
Step 2: Check the disk isolation
1. Find the disks available in the system using the format command. Note that the first disk, c1d0, is
the root ZFS pool of the global zone.
root@hol9762:~# format < /dev/null
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c1d0 <VBOX HAR-59bffd1e-fb51c8a-0001-31.25GB>
/pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0
1. c2t0d0 <VBOX-HARDDISK-1.0-16.00GB>
/pci@0,0/pci1000,8000@16/sd@0,0
2. c2t1d0 <VBOX-HARDDISK-1.0-16.00GB>
/pci@0,0/pci1000,8000@16/sd@1,0
3. c2t2d0 <VBOX-HARDDISK-1.0-2.00GB>
/pci@0,0/pci1000,8000@16/sd@2,0
4. c2t3d0 <VBOX-HARDDISK-1.0-2.00GB>
/pci@0,0/pci1000,8000@16/sd@3,0
Specify disk (enter its number):
[Figure 2 diagram: Global Zone (Oracle Solaris 11.2) hosting dbzone1 (Oracle DB 12c, vnic1, disks c2t0d0, c2t2d0, c2t3d0, CPU, Mem) and dbzone2 (Oracle DB 11g R2, vnic2, disk c2t1d0, CPU, Mem)]
2. Use zonecfg to show the configuration of the zones.
List the disks assigned to the zone dbzone1.
root@hol9762:~# zonecfg -z dbzone1 info
zonename: dbzone1
…
rootzpool:
storage: dev:/dev/dsk/c2t0d0
zpool:
name: dbpool1
storage: dev:/dev/dsk/c2t2d0
zpool:
name: dbpool2
storage: dev:/dev/dsk/c2t3d0
Three disks are dedicated to dbzone1: c2t0d0 is used as the root ZFS pool, while c2t2d0 and c2t3d0 will be
used to store database data later in this lab.
For the zone dbzone2, only one disk, c2t1d0, is dedicated to the zone, as its root ZFS pool.
root@hol9762:~# zonecfg -z dbzone2 info
zonename: dbzone2
…
rootzpool:
storage: dev:/dev/dsk/c2t1d0
Note: While configuring Solaris Zones, you can decide whether or not to use isolated storage according to the data
security requirements.
Step 3: Check the network isolation
1. Check the network pre-setup in the global zone.
Type the following commands. You will find that there is only one physical link available in the system, and that the
static IP address of the global zone is 192.168.56.200.
root@hol9762:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net0 Ethernet up 1000 full e1000g0
root@hol9762:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 192.168.56.200/24
Oracle Solaris 11 network virtualization features can be applied to a zone by creating a virtual NIC (VNIC) for
the zone and applying bandwidth limits to the zone's assigned VNIC.
vnic1 and vnic2 are pre-created in the global zone and assigned to different zones, while dbzone1/vnic1 and
dbzone2/vnic2 are created when the zones boot and deleted when the zones halt.
root@hol9762:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS
vnic1 net0 100 2:8:20:61:8c:fc random 0
dbzone1/vnic1 net0 100 2:8:20:61:8c:fc random 0
vnic2 net0 100 2:8:20:cf:2:1b random 0
dbzone2/vnic2 net0 100 2:8:20:cf:2:1b random 0
Solaris integrates QoS bandwidth control on data links, so that network bandwidth can be shared among your
applications while a misbehaving application is prevented from taking all of it. In the SPEED
column, you can see that the maximum bandwidth of vnic1 and vnic2 is limited to 100M, while the
physical link net0 has 1000M.
You need to assign more bandwidth to dbzone1 because dbzone1 may carry more network traffic. Use the
following command to increase the maximum bandwidth of vnic1 from 100M to 500M.
root@hol9762:~# dladm set-linkprop -p maxbw=500m vnic1
Check the changed bandwidth.
root@hol9762:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS
vnic1 net0 500 2:8:20:61:8c:fc random 0
dbzone1/vnic1 net0 500 2:8:20:61:8c:fc random 0
vnic2 net0 100 2:8:20:cf:2:1b random 0
dbzone2/vnic2 net0 100 2:8:20:cf:2:1b random 0
2. Check the network configuration of the zones.
Exclusive-IP zones enable you to assign a separate IP stack per zone. Each zone has the flexibility to configure
IP within that stack completely separately from other zones. Type the following command to show the configuration
of dbzone1.
root@hol9762:~# zonecfg -z dbzone1 info
zonename: dbzone1
…
ip-type: exclusive
…
net:
address not specified
allowed-address not specified
configure-allowed-address: true
physical: vnic1
defrouter not specified
This shows the network configuration of dbzone1.
Type the following command to check the information about dbzone2.
root@hol9762:~# zonecfg -z dbzone2 info
zonename: dbzone2
…
ip-type: exclusive
…
net:
address not specified
allowed-address not specified
configure-allowed-address: true
physical: vnic2
defrouter not specified
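The following script is an added example, not part of the lab: it audits the storage (Step 2) and datalink (Step 3) assignments that `zonecfg -z <zone> info` prints for several zones and reports any disk device or VNIC claimed by more than one zone. The sample output is constructed to mirror dbzone1 and dbzone2, plus a hypothetical dbzone3 that violates isolation; on a live system you would capture each zone's `zonecfg -z <zone> info` output and pass it in the same way.

```python
"""Added example: audit storage and datalink isolation between Solaris zones
from the text that `zonecfg -z <zone> info` prints."""
import re
from collections import defaultdict

# Constructed sample output, modelled on the lab's `zonecfg -z dbzone1 info` and
# `zonecfg -z dbzone2 info` listings; dbzone3 is a hypothetical misconfigured zone
# that reuses dbzone1's data disk c2t3d0 and dbzone2's VNIC vnic2.
ZONECFG_OUTPUT = {
    "dbzone1": """\
zonename: dbzone1
ip-type: exclusive
pool: zonepool1
net:
\tphysical: vnic1
rootzpool:
\tstorage: dev:/dev/dsk/c2t0d0
zpool:
\tname: dbpool1
\tstorage: dev:/dev/dsk/c2t2d0
zpool:
\tname: dbpool2
\tstorage: dev:/dev/dsk/c2t3d0
""",
    "dbzone2": """\
zonename: dbzone2
ip-type: exclusive
net:
\tphysical: vnic2
rootzpool:
\tstorage: dev:/dev/dsk/c2t1d0
""",
    "dbzone3": """\
zonename: dbzone3
ip-type: exclusive
net:
\tphysical: vnic2
rootzpool:
\tstorage: dev:/dev/dsk/c2t4d0
zpool:
\tname: dbpool3
\tstorage: dev:/dev/dsk/c2t3d0
""",
}


def parse_zonecfg(text):
    """Extract the storage devices and datalinks a zone claims from zonecfg 'info' text."""
    # rootzpool/zpool resources list their backing device as 'storage: dev:/dev/dsk/...'
    storage = set(re.findall(r"^\s*storage:\s*(\S+)", text, re.MULTILINE))
    # net resources name their datalink as 'physical: <link>'
    links = set(re.findall(r"^\s*physical:\s*(\S+)", text, re.MULTILINE))
    return {"storage": storage, "links": links}


def find_shared_resources(zonecfg_by_zone):
    """Return {("storage"|"link", name): [zones]} for every resource claimed by >1 zone."""
    owners = defaultdict(set)
    for zone, text in zonecfg_by_zone.items():
        parsed = parse_zonecfg(text)
        for dev in parsed["storage"]:
            owners[("storage", dev)].add(zone)
        for link in parsed["links"]:
            owners[("link", link)].add(zone)
    return {res: sorted(zones) for res, zones in owners.items() if len(zones) > 1}


def isolation_report(zonecfg_by_zone):
    """Build a human-readable summary and return its lines."""
    lines = []
    for zone, text in sorted(zonecfg_by_zone.items()):
        parsed = parse_zonecfg(text)
        lines.append(f"{zone}: disks={sorted(parsed['storage'])} links={sorted(parsed['links'])}")
    shared = find_shared_resources(zonecfg_by_zone)
    if not shared:
        lines.append("OK: no disk or datalink is shared between zones")
    for (kind, name), zones in sorted(shared.items()):
        lines.append(f"SHARED {kind} {name}: claimed by {', '.join(zones)}")
    return lines


if __name__ == "__main__":
    print("\n".join(isolation_report(ZONECFG_OUTPUT)))
```

A shared disk device means one zone's ZFS pool can be imported or read by another zone's administrator, and a shared VNIC means both zones sit on the same MAC address; either finding breaks the isolation the exercise relies on, so the report flags it explicitly.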
3. Monitor the network utilization.
Type zonestat in the global zone to monitor the network utilization of the currently running zones.
root@hol9762:~# zonestat -r network 2
Collecting data for first interval...
Interval: 1, Duration: 0:00:02
NETWORK-DEVICE SPEED STATE TYPE
net0 1000mbps up phys
ZONE TOBYTE MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE
[total] 336 - - 120 0.00% 132 0.00%
global 252 - - 120 0.00% 132 0.00%
dbzone1 42 500M 0.00% 0 0.00% 0 0.00%
dbzone2 42 100M 0.00% 0 0.00% 0 0.00%
Interval: 2, Duration: 0:00:04
NETWORK-DEVICE SPEED STATE TYPE
net0 1000mbps up phys
ZONE TOBYTE MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE
[total] 550 - - 120 0.00% 430 0.00%
global 550 - - 120 0.00% 430 0.00%
dbzone1 0 500M 0.00% 0 0.00% 0 0.00%
dbzone2 0 100M 0.00% 0 0.00% 0 0.00%
Press Ctrl+C to stop.
Note: zonestat can also be run inside a non-global zone to monitor that zone's own resource utilization.
Step 4: Assign CPUs to non-global zones
Zones induce a very low overhead on CPU and memory. Most types of zones share the global zone's virtual
address space. A zone can be assigned a resource pool (processor set plus scheduling class) to guarantee
a certain level of usage, it can be capped at a fixed compute capacity ("dedicated CPU" or "capped CPU"), or it can be
given shares via fair-share scheduling.
In this lab, a resource pool has been assigned to the zone dbzone1. Thus you can dynamically configure the CPU
resources of the zone without rebooting it.
1. List the resource pool assigned to the zone. This shows that zonepool1 is bound to dbzone1.
root@hol9762:~# zonecfg -z dbzone1 info
zonename: dbzone1
…
pool: zonepool1
2. Use pooladm to print out the currently running pools configuration.
root@hol9762:~# pooladm
system default
string system.comment
int system.version 1
boolean system.bind-default true
string system.poold.objectives wt-load
pool zonepool1
int pool.sys_id 1
boolean pool.active true
boolean pool.default false
int pool.importance 1
string pool.comment
pset zonepool1-pset
pool pool_default
int pool.sys_id 0
boolean pool.active true
boolean pool.default true
int pool.importance 1
string pool.comment
pset pset_default
pset zonepool1-pset
int pset.sys_id 1
boolean pset.default false
uint pset.min 1
uint pset.max 1
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 0
uint pset.size 1
string pset.comment
cpu
int cpu.sys_id 0
string cpu.comment
string cpu.status on-line
pset pset_default
int pset.sys_id -1
boolean pset.default true
uint pset.min 1
uint pset.max 65536
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 30
uint pset.size 3
string pset.comment
cpu
int cpu.sys_id 1
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 3
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 2
string cpu.comment
string cpu.status on-line
As you can see, the processor set zonepool1-pset is created with 1 processor and is associated with the pool
zonepool1, and zonepool1 is bound to dbzone1.
3. Check the processors available in non-global zones.
Open a new terminal, and switch to root before trying to log in to dbzone1.
labuser@hol9762:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@hol9762:~#
Log in to dbzone1.
root@hol9762:~# zlogin dbzone1
In the terminal for dbzone1, check the CPUs assigned to it.
root@dbzone1:~# psrinfo
0 on-line since 08/25/2014 04:30:44
As you can see, there’s one processor dedicated to dbzone1.
Open a new terminal, and switch to root before trying to log in to dbzone2.
labuser@hol9762:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@hol9762:~#
Log in to dbzone2.
root@hol9762:~# zlogin dbzone2
Check the CPUs assigned to the zone dbzone2 by typing the command below. Three processors are currently serving
dbzone2.
root@dbzone2:~# psrinfo
1 on-line since 08/25/2014 04:30:46
2 on-line since 08/25/2014 04:30:46
3 on-line since 08/25/2014 04:30:46
4. Since we will use dbzone1 to run Oracle Database 12c in Exercise 2, let's assign more processors to dbzone1.
In the terminal of the global zone, change the pool configuration by assigning 3 processors to zonepool1.
root@hol9762:~# poolcfg -c 'modify pset zonepool1-pset (uint pset.min=3; uint pset.max=3)'
Instantiate the configuration.
root@hol9762:~# pooladm -c
Print out the currently running pools configuration again.
root@hol9762:~# pooladm
system default
string system.comment
int system.version 1
boolean system.bind-default true
string system.poold.objectives wt-load
pool zonepool1
int pool.sys_id 1
boolean pool.active true
boolean pool.default false
int pool.importance 1
string pool.comment
pset zonepool1-pset
pool pool_default
int pool.sys_id 0
boolean pool.active true
boolean pool.default true
int pool.importance 1
string pool.comment
pset pset_default
pset zonepool1-pset
int pset.sys_id 1
boolean pset.default false
uint pset.min 3
uint pset.max 3
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 3
uint pset.size 3
string pset.comment
cpu
int cpu.sys_id 1
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 0
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 2
string cpu.comment
string cpu.status on-line
pset pset_default
int pset.sys_id -1
boolean pset.default true
uint pset.min 1
uint pset.max 65536
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 64
uint pset.size 1
string pset.comment
cpu
int cpu.sys_id 3
string cpu.comment
string cpu.status on-line
Two processors have been added to dbzone1. You can also check the CPU information in the non-global zones.
In the terminal of dbzone1, verify that there are now 3 processors available.
root@dbzone1:~# psrinfo
0 on-line since 08/25/2014 04:30:44
1 on-line since 08/25/2014 04:30:46
2 on-line since 08/25/2014 04:30:46
In the terminal of dbzone2, you can see that only one processor is left.
root@dbzone2:~# psrinfo
3 on-line since 08/25/2014 04:30:46
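As an added example (not the lab's own code), the Python script below parses the running pool configuration as `pooladm` prints it, maps each pool to its processor set, lists the CPU ids in each set, and checks that the set size stays within pset.min and pset.max after a poolcfg change such as the one in Step 4. The sample listing is a constructed, abridged version of the post-change pooladm output above; real output is tab-indented, and the parser deliberately ignores indentation.

```python
"""Added example: parse `pooladm` output and verify processor-set sizing."""
import re

# Constructed (abridged) sample modelled on the lab's `pooladm` output after
# zonepool1-pset was resized to 3 CPUs with poolcfg and instantiated with pooladm -c.
POOLADM_OUTPUT = """\
system default
        string  system.comment
        boolean system.bind-default true

        pool zonepool1
                int     pool.sys_id 1
                boolean pool.default false
                pset    zonepool1-pset

        pool pool_default
                int     pool.sys_id 0
                boolean pool.default true
                pset    pset_default

        pset zonepool1-pset
                int     pset.sys_id 1
                uint    pset.min 3
                uint    pset.max 3
                uint    pset.size 3

                cpu
                        int     cpu.sys_id 1
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 0
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 2
                        string  cpu.status on-line

        pset pset_default
                int     pset.sys_id -1
                uint    pset.min 1
                uint    pset.max 65536
                uint    pset.size 1

                cpu
                        int     cpu.sys_id 3
                        string  cpu.status on-line
"""


def parse_pooladm(text):
    """Return (pools, psets): pools maps pool name -> pset name, psets maps pset name ->
    {"min", "max", "size", "cpus"}.  A 'pset NAME' line is a definition when the next
    line carries pset.sys_id; otherwise, inside a pool block, it is the pool's pset reference."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pools, psets = {}, {}
    current_pool = current_pset = None
    for i, line in enumerate(lines):
        m = re.match(r"^pool\s+(\S+)$", line)
        if m:
            current_pool, current_pset = m.group(1), None
            continue
        m = re.match(r"^pset\s+(\S+)$", line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if "pset.sys_id" in nxt:           # start of a pset definition block
                current_pset, current_pool = m.group(1), None
                psets[current_pset] = {"min": None, "max": None, "size": None, "cpus": []}
            elif current_pool is not None:     # pool -> pset binding
                pools[current_pool] = m.group(1)
            continue
        if current_pset is None:
            continue
        m = re.match(r"^uint\s+pset\.(min|max|size)\s+(\d+)$", line)
        if m:
            psets[current_pset][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^int\s+cpu\.sys_id\s+(\d+)$", line)
        if m:
            psets[current_pset]["cpus"].append(int(m.group(1)))
    return pools, psets


def check_psets(psets):
    """Return (pset, problem) pairs where the CPU count disagrees with pset.size
    or falls outside [pset.min, pset.max]."""
    problems = []
    for name, p in psets.items():
        n = len(p["cpus"])
        if n != p["size"]:
            problems.append((name, f"size {p['size']} but {n} cpus listed"))
        if not (p["min"] <= n <= p["max"]):
            problems.append((name, f"{n} cpus outside [{p['min']}, {p['max']}]"))
    return problems


def cpus_for_pool(pool_name, pools, psets):
    """CPU ids a zone bound to `pool_name` (zonecfg 'pool: ...') may run on."""
    return sorted(psets[pools[pool_name]]["cpus"])


if __name__ == "__main__":
    pools, psets = parse_pooladm(POOLADM_OUTPUT)
    for pool in pools:
        print(f"{pool} -> {pools[pool]}: cpus {cpus_for_pool(pool, pools, psets)}")
    print("problems:", check_psets(psets) or "none")
```

Comparing `cpus_for_pool("zonepool1", ...)` with what `psrinfo` reports inside dbzone1 is a quick way to confirm that the CPU guarantee the pool is supposed to provide has actually taken effect.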
Step 5: Assign memory to non-global zones
In Solaris 11.2, the rcapd daemon implements memory caps and their administration. You can control the resident
set size (RSS) usage of a zone by setting the capped-memory resource when you configure the zone.
1. In the terminal of the global zone, type the command below to show the memory-cap part of the zone
configuration of dbzone1.
root@hol9762:~# zonecfg -z dbzone1 info
…
capped-memory:
physical: 2G
2. In the terminal of dbzone1, check the physical memory assigned to the zone.
root@dbzone1:~# prtconf |grep Memory
prtconf: devinfo facility not available
Memory size: 2048 Megabytes
3. Changing the zone configuration with zonecfg requires a reboot of the zone. However, another
command can change the memory cap dynamically without rebooting the zone.
In the terminal of the global zone, type the following command.
root@hol9762:~# rcapadm -z dbzone1 -m 4G
In the terminal for dbzone1, check the physical memory assigned to dbzone1 again.
root@dbzone1:~# prtconf |grep Mem
prtconf: devinfo facility not available
Memory size: 4096 Megabytes
Step 6: Start the preinstalled databases, and check the process isolation
1. Start the Oracle Database 12c installed in dbzone1.
Switch to the oracle user before starting up Oracle Database 12c in the terminal of dbzone1.
root@dbzone1:~# su - oracle
Password:
Oracle Corporation SunOS 5.11 11.2 April 2014
oracle@dbzone1:~$
Check the environment settings for the database.
oracle@dbzone1:~$ env |grep ORACLE
ORACLE_SID=cdb1
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/12.1.0/dbhome_1
Start the listener.
oracle@dbzone1:~$ lsnrctl start
LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 25-AUG-2014 15:17:32
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Starting /u01/app/oracle/12.1.0/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Solaris: Version 12.1.0.2.0 - Production
Start Date 25-AUG-2014 15:17:33
Uptime 0 days 0 hr. 0 min. 1 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))
The listener supports no services
The command completed successfully
Start up Oracle Database 12c.
oracle@dbzone1:~$ sqlplus / as sysdba
SQL*Plus: Release 12.1.0.2.0 Production on Mon Aug 25 14:55:47 2014
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 536870912 bytes
Fixed Size 3005728 bytes
Variable Size 402653920 bytes
Database Buffers 125829120 bytes
Redo Buffers 5382144 bytes
Database mounted.
Database opened.
2. Start Oracle Database 11gr2 installed in dbzone2 in the terminal of dbzone2.
Switch to the oracle user before starting Oracle Database 11gR2 installed in dbzone2.
root@dbzone2:~# su - oracle
Oracle Corporation SunOS 5.11 11.2 June 2014
oracle@dbzone2:~$
Check the environment settings for the database.
oracle@dbzone2:~$ env |grep ORACLE
ORACLE_SID=db11g
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/11.2/dbhome_1
Start the listener.
oracle@dbzone2:~$ lsnrctl start
LSNRCTL for Solaris: Version 11.2.0.1.0 - Production on 25-AUG-2014 15:18:58
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Starting /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 11.2.0.1.0 - Production
System parameter file is /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Solaris: Version 11.2.0.1.0 - Production
Start Date 25-AUG-2014 15:19:00
Uptime 0 days 0 hr. 0 min. 1 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))
The listener supports no services
The command completed successfully
Start up Oracle Database 11gR2.
oracle@dbzone2:~$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on Mon Aug 25 14:56:09 2014
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 534462464 bytes
Fixed Size 2212736 bytes
Variable Size 343936128 bytes
Database Buffers 184549376 bytes
Redo Buffers 3764224 bytes
Database mounted.
Database opened.
3. Check the database isolation.
Solaris Zone virtualization prevents processes that are running in one zone from monitoring or affecting
processes running in other zones.
In order to check the running processes in dbzone1, exit sqlplus in the terminal of dbzone1.
SQL> exit
In the terminal of dbzone1, check the running processes of Oracle Database 12c.
oracle@dbzone1:~$ ps -ef |grep ora
oracle 5599 5598 0 14:55:33 pts/10 0:00 -bash
oracle 5650 1900 0 14:57:46 ? 0:01 ora_lg00_cdb1
oracle 5648 1900 0 14:57:46 ? 0:03 ora_ckpt_cdb1
oracle 6031 1900 0 15:13:49 ? 0:00 ora_w002_cdb1
oracle 5654 1900 0 14:57:47 ? 0:01 ora_smon_cdb1
oracle 5636 1900 0 14:57:44 ? 0:06 ora_dbrm_cdb1
oracle 5634 1900 0 14:57:44 ? 0:01 ora_diag_cdb1
oracle 5640 1900 0 14:57:45 ? 0:03 ora_dia0_cdb1
oracle 5642 1900 0 14:57:45 ? 0:02 ora_dbw0_cdb1
oracle 5644 1900 0 14:57:46 ? 0:01 ora_lgwr_cdb1
oracle 6070 1900 6 15:20:02 ? 0:07 ora_j000_cdb1
oracle 6073 5599 0 15:20:19 pts/10 0:00 ps -ef
oracle 5628 1900 0 14:57:43 ? 0:01 ora_gen0_cdb1
oracle 5624 1900 0 14:57:42 ? 0:03 ora_vktm_cdb1
oracle 5638 1900 0 14:57:45 ? 0:00 ora_vkrm_cdb1
oracle 5630 1900 0 14:57:43 ? 0:01 ora_mman_cdb1
oracle 5622 1900 0 14:57:41 ? 0:03 ora_psp0_cdb1
oracle 5620 1900 0 14:57:41 ? 0:01 ora_pmon_cdb1
oracle 5730 1900 0 14:58:33 ? 0:08 ora_cjq0_cdb1
oracle 5662 1900 0 14:57:48 ? 0:01 ora_lreg_cdb1
oracle 5656 1900 0 14:57:47 ? 0:01 ora_lg01_cdb1
oracle 5668 1900 0 14:57:48 ? 0:04 ora_mmnl_cdb1
oracle 5666 1900 0 14:57:48 ? 0:15 ora_mmon_cdb1
oracle 5664 1900 0 14:57:48 ? 0:01 ora_pxmn_cdb1
oracle 5660 1900 0 14:57:47 ? 0:01 ora_reco_cdb1
oracle 5670 1900 0 14:57:49 ? 0:00 ora_d000_cdb1
oracle 5672 1900 0 14:57:49 ? 0:00 ora_s000_cdb1
oracle 5684 1900 0 14:57:57 ? 0:00 ora_tmon_cdb1
oracle 5686 1900 0 14:57:58 ? 0:01 ora_tt00_cdb1
oracle 5688 1900 0 14:58:06 ? 0:01 ora_smco_cdb1
oracle 5690 1900 0 14:58:06 ? 0:01 ora_w000_cdb1
oracle 5692 1900 0 14:58:06 ? 0:01 ora_w001_cdb1
oracle 5694 1900 0 14:58:13 ? 0:00 ora_aqpc_cdb1
oracle 5698 1900 0 14:58:24 ? 0:00 ora_qm02_cdb1
…
In order to check the running processes in dbzone2, exit sqlplus in the terminal of dbzone2.
SQL> exit
In the terminal of dbzone2, check the running processes of Oracle Database 11gR2.
oracle@dbzone2:~$ ps -ef |grep ora
oracle 6045 3696 0 15:16:15 ? 0:00 ora_w000_db11g
oracle 5987 5986 0 15:08:22 pts/11 0:00 -bash
oracle 6078 3696 4 15:21:40 ? 0:01 ora_j000_db11g
oracle 6080 3696 1 15:21:41 ? 0:00 ora_j001_db11g
oracle 6084 5987 0 15:21:45 pts/11 0:00 grep ora
oracle 5916 3696 0 15:01:10 ? 0:00 ora_qmnc_db11g
oracle 5808 3696 0 14:59:07 ? 0:01 ora_gen0_db11g
oracle 5790 3696 0 14:58:56 ? 0:02 ora_pmon_db11g
oracle 5859 3696 0 14:59:57 ? 0:00 ora_s000_db11g
oracle 6066 3696 0 15:18:59 ? 0:01 /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr
LISTENER -inherit
oracle 5800 3696 0 14:59:03 ? 0:02 ora_vktm_db11g
oracle 6083 5987 1 15:21:45 pts/11 0:00 ps -ef
oracle 5827 3696 0 14:59:21 ? 0:01 ora_mman_db11g
oracle 5812 3696 0 14:59:08 ? 0:01 ora_diag_db11g
oracle 5816 3696 0 14:59:10 ? 0:01 ora_dbrm_db11g
oracle 5820 3696 0 14:59:14 ? 0:01 ora_psp0_db11g
oracle 5822 3696 0 14:59:19 ? 0:02 ora_dia0_db11g
oracle 5831 3696 0 14:59:25 ? 0:02 ora_dbw0_db11g
oracle 5936 3696 0 15:01:26 ? 0:02 ora_cjq0_db11g
oracle 5928 3696 0 15:01:20 ? 0:00 ora_q000_db11g
oracle 5932 3696 0 15:01:24 ? 0:00 ora_q001_db11g
oracle 5839 3696 0 14:59:33 ? 0:01 ora_lgwr_db11g
oracle 5843 3696 0 14:59:35 ? 0:02 ora_ckpt_db11g
oracle 5847 3696 0 14:59:44 ? 0:03 ora_smon_db11g
oracle 5849 3696 0 14:59:46 ? 0:00 ora_reco_db11g
oracle 5851 3696 0 14:59:46 ? 0:04 ora_mmon_db11g
oracle 5853 3696 0 14:59:46 ? 0:02 ora_mmnl_db11g
oracle 5855 3696 0 14:59:54 ? 0:00 ora_d000_db11g
root 5862 3696 0 14:59:57 ? 0:04 ora_dism_db11g
oracle 5971 3696 0 15:06:11 ? 0:00 ora_smco_db11g
Based on the output in dbzone1 and dbzone2, you can see that two different versions of Oracle Database are
running in separate zones on the same machine, and that neither zone can see the other's processes.
Summary
In this exercise, you have leveraged the power of Solaris Zones to set up a multitenant environment for Oracle
Database. By using Solaris Zones, you can easily deploy multiple database instances for tenants with low
overhead, and can easily isolate disk files and manage CPU resources, network bandwidth and memory allocation
for different users of the database servers.
Exercise 2: Exploring Oracle Database 12c Multitenant (20 Minutes)
In this exercise, you will explore the Oracle Database 12c multitenant architecture. Several pluggable databases
(PDBs) will be deployed in ZFS on isolated disks. Since data-file isolation is an important feature for a
multitenant database, you will also learn how to use ZFS encryption to encrypt a data file, which defends
against attacks that bypass the database and read sensitive information directly from the file.
What is Oracle Database 12c multitenant?
Designed for the cloud, Oracle Database 12c delivers a multitenant architecture that simplifies consolidation
and delivers the high density of schema based consolidation, but without requiring changes to existing
applications. It’s an option of Oracle Database 12c Enterprise Edition that offers all the benefits of managing
many databases as one, yet retains the isolation and resource control of separate databases. In this new
architecture, a single multitenant container database (CDB) can host many ‘pluggable’ databases (PDB). Each
database consolidated or ‘plugged in’ to a multitenant container looks and feels to applications the same as for
existing Oracle databases. Accessing pluggable databases is the same as for existing Oracle databases, and
administrators can control the prioritization of available resources among consolidated databases.
In this exercise, three pluggable databases (pdb11, pdb12 and pdb13) will be plugged into the multitenant
container database cdb1, as shown in Figure 3.
Figure 3. PDBs in a multitenant container CDB1
What is Solaris ZFS?
Oracle Solaris ZFS is a revolutionary file system that changes the way file systems are administered, with
features and benefits not found in any other file system available today. ZFS uses the concept of storage pools
to manage physical storage. It eliminates the concept of volumes and the associated problems of partitions,
provisioning and stranded storage by enabling thousands of file systems to draw from a common storage pool,
each using only as much space as it actually needs.
[Figure 3 diagram: Multitenant Container Database cdb1 with the CDB Root and three PDBs, pdb11, pdb12 and pdb13 (all 12.1)]
ZFS is a combined file system and logical volume manager. The features of ZFS include protection against data
corruption, support for high storage capacities, efficient data compression, integration of the concepts of file
system and volume management, snapshots and copy-on-write clones, continuous integrity checking and
automatic repair and RAID-Z support.
Step 1: Start up Oracle Database 12c in dbzone1 (skip to Step 2 if Oracle Database 12c was already started in Exercise 1)
1. Click the right mouse button on the desktop and choose Open Terminal to bring up a terminal window.
2. Try the following commands in the terminal of dbzone1.
labuser@hol9762:~$ su -
Password:
root@hol9762:~# zlogin dbzone1
root@dbzone1:~# su - oracle
oracle@dbzone1:~$ lsnrctl start
oracle@dbzone1:~$ sqlplus / as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Wed Aug 20 18:55:40 2014
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL>
3. Start up the database.
SQL> startup
ORACLE instance started.
Total System Global Area 534462464 bytes
Fixed Size 2363136 bytes
Variable Size 264241408 bytes
Database Buffers 264241152 bytes
Redo Buffers 3616768 bytes
Database mounted.
Database opened.
SQL>
Step 2: Explore the CDB and the PDBs
1. In the terminal of dbzone1, type the command below in sqlplus.
oracle@dbzone1:~$ sqlplus / as sysdba
…
SQL> SHOW CON_NAME;
CON_NAME
------------------------------
CDB$ROOT
SQL>
The result shows that you are now in the CDB root container.
2. Type the following command to show how many PDBs are available.
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB11 MOUNTED
SQL>
Note: The PDB$SEED is a template PDB, which can be used to create other PDBs. PDB11 is a pre-created
PDB.
3. If you want to use PDB11, you need to open it. Run the following commands to open PDB11 and
show its status.
SQL> ALTER PLUGGABLE DATABASE pdb11 OPEN;
Pluggable database altered.
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB11 READ WRITE NO
Now PDB11 is ready for read and write operation.
Exit sqlplus.
SQL> exit;
4. In the terminal window, run the following command to log in to the PDB11.
oracle@dbzone1:~$ sqlplus sys/solaris11@localhost:1521/pdb11 as sysdba
5. Type the following commands to check the current container and its status.
SQL> SHOW CON_NAME;
CON_NAME
------------------------------
PDB11
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
3 PDB11 READ WRITE NO
SQL> SELECT name FROM v$datafile;
NAME
--------------------------------------------------------------------------------
/u01/app/oracle/oradata/cdb1/undotbs01.dbf
/u01/app/oracle/oradata/cdb1/pdb11/system01.dbf
/u01/app/oracle/oradata/cdb1/pdb11/sysaux01.dbf
/u01/app/oracle/oradata/cdb1/pdb11/pdb11_users01.dbf
Exit sqlplus. SQL> exit;
Step 3: Create a new PDB with a dedicated disk
1. In the terminal of dbzone1, type the following command to find the extra disks in this zone.
oracle@dbzone1:~$ zpool status
  pool: dbpool1
 state: ONLINE
  scan: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        dbpool1     ONLINE       0     0     0
          c2t2d0    ONLINE       0     0     0
errors: No known data errors
  pool: dbpool2
 state: ONLINE
  scan: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        dbpool2     ONLINE       0     0     0
          c2t3d0    ONLINE       0     0     0
errors: No known data errors
  pool: rpool
 state: ONLINE
  scan: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c2t0d0    ONLINE       0     0     0
errors: No known data errors
As you can see, there are two extra disks: c2t2d0 (in pool dbpool1) and c2t3d0 (in pool dbpool2).
2. Connect to the database as SYSDBA.
oracle@dbzone1:~$ sqlplus / as sysdba
3. To create and open a new PDB named PDB12 on the dedicated disk (pool dbpool1), type the following
commands.
SQL> CREATE PLUGGABLE DATABASE pdb12 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11
FILE_NAME_CONVERT =('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool1');
Pluggable database created.
SQL> ALTER PLUGGABLE DATABASE pdb12 OPEN;
Pluggable database altered.
4. Create the tablespaces, users, and grant privileges for PDB12. Execute the following commands one by one.
SQL> ALTER SESSION SET CONTAINER=pdb12;
Session altered.
SQL> CREATE TABLESPACE users DATAFILE '/dbpool1/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 1M SEGMENT
SPACE MANAGEMENT AUTO;
5. Create a table and insert some records.
SQL> CREATE TABLE employee (first_name VARCHAR2(32), last_name VARCHAR2(32), empID NUMBER,
credit_card CHAR(16)) TABLESPACE users;
SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
SQL> SELECT * FROM employee;
SQL> COMMIT;
SQL> ALTER PLUGGABLE DATABASE pdb12 CLOSE;
Step 4: Create a new PDB in an encrypted file system
In Oracle Database 12c, PDBs can provide data isolation by using separate disks and storage to store their own
data. However, there are risks when the disks are stolen or maliciously accessed. If unauthorized people get
hold of the disks, they can read the sensitive data directly at the OS level (from the files and disk devices)
instead of through the database. Disk scanning tools (such as dd) can be used to read the whole disk and find
the sensitive information.
Therefore, data-at-rest protection must be in place in order to prevent sensitive data disclosure.
1. In the terminal, exit sqlplus if needed. Then type the following command to scan the tablespace file.
SQL> exit;
…
oracle@dbzone1:~$ dd if=/dbpool1/users.dbf | strings
You will get results like the following.
…
chris
5201237476346909,
wang
4380558852114471,
gary
wang
6201345768476366
…
This means unauthorized users can read the sensitive data directly from the tablespace files.
Alternatively, switch to the terminal of the global zone (with the prompt root@hol9762) and type the following
command to scan the whole disk for the sensitive information. (Note: It may take several minutes to get the
results.)
root@hol9762:~# dd if=/dev/dsk/c2t2d0 | strings | grep 52012374
5201237476346909,
4194304+0 records in
4194304+0 records out
2. ZFS encryption can be used to solve this problem. Switch to the terminal of dbzone1 and create an encrypted
file system with the commands below.
oracle@dbzone1:/$ sudo zfs create -o encryption=on dbpool2/protected
Enter passphrase for 'dbpool2/protected':
Enter again:
oracle@dbzone1:/$ sudo chown oracle:dba /dbpool2/protected
3. Connect to the database as SYSDBA.
oracle@dbzone1:~$ sqlplus / as sysdba
4. To create and open a new PDB named PDB13 in this encrypted file system, type the following commands:
SQL> CREATE PLUGGABLE DATABASE pdb13 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11
FILE_NAME_CONVERT = ('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool2/protected');
Pluggable database created.
SQL> ALTER PLUGGABLE DATABASE pdb13 OPEN;
Pluggable database altered.
Repeat the actions in Step 3 to create the tablespace, users and tables.
5. Create the tablespaces, users, and grant privileges for PDB13. Execute the following commands one by one.
SQL> ALTER SESSION SET CONTAINER=pdb13;
Session altered.
SQL> CREATE TABLESPACE users DATAFILE '/dbpool2/protected/users.dbf' SIZE 20M AUTOEXTEND ON NEXT
1M SEGMENT SPACE MANAGEMENT AUTO;
6. Create a table and insert some records:
SQL> CREATE TABLE employee (first_name VARCHAR2(32), last_name VARCHAR2(32), empID NUMBER,
credit_card CHAR(16)) TABLESPACE users;
SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
SQL> SELECT * FROM employee;
SQL> COMMIT;
SQL> ALTER PLUGGABLE DATABASE pdb13 CLOSE;
7. Switch to the terminal of the global zone (with the prompt root@hol9762). Type the following command to scan
the disk for the sensitive information. (Note: It may take several minutes to finish; you can continue with the
following lab while waiting for the result.)
root@hol9762:~# dd if=/dev/dsk/c2t3d0 | strings | grep 52012374
The search finds nothing, because the data on disk c2t3d0 is stored in an encrypted ZFS file system.
Summary
In this exercise, you have created some pluggable databases (PDBs) in Oracle Database 12c. Each of the PDBs is
attached to a dedicated disk in order to isolate its tablespace files. You have also learned how to use ZFS
encryption to protect the sensitive information in a PDB.
Exercise 3: Using Oracle Transparent Data Encryption with Solaris Cryptographic Framework (20 Minutes)
In this exercise, you will explore Oracle Advanced Security Transparent Data Encryption (TDE) and learn how
to transparently encrypt sensitive data stored in the tablespace, as shown in Figure 4. At the same time, you will
see how the Oracle Database integrates with the Solaris Cryptographic Framework to manage a hardware based
keystore (HSM, i.e. Hardware Security Module) on Solaris 11.
Figure 4. Oracle Advanced Security Transparent Data Encryption
What is Oracle Advanced Security Transparent Data Encryption?
Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the
database and reading sensitive information from storage by enforcing data-at-rest encryption in the database
layer. Applications and users authenticated to the database continue to have access to application data
transparently (no application code or configuration changes are required), while attacks from OS users
attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information
from acquired disks or backups are denied access to the clear text data.
Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle
management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of
database columns or entire application tablespaces.
Transparent Data Encryption fully supports Oracle Multitenant.
What is Solaris Cryptographic Framework?
The Solaris Cryptographic Framework provides cryptographic services to users and applications through
commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level
frameworks. The Solaris Cryptographic Framework provides these cryptographic services to applications and
kernel modules in a manner seamless to the end user, and brings direct cryptographic services to the end user.
The Oracle Solaris Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries
to handle cryptographic requirements.
What is a token?
A token is a PKCS#11 concept representing the logical view of a cryptographic device. A "token" is sometimes
also a "keystore". For example, an "Oracle Crypto Accelerator 4000 board" card in a PCI slot is a (hardware)
token. The Solaris PKCS#11 Softtoken is another example of a token.
What is a slot?
A slot is a PKCS#11 concept representing a logical reader that potentially contains a token. For example, a
hardware slot is a slot bound to and dedicated to a hardware device; the Softtoken slot is a software
cryptographic provider with an on-disk keystore.
What is a Metaslot?
The Metaslot is an additional slot in the Solaris Cryptographic Framework. It provides the virtual union of the
capabilities of all other slots in the framework. Instead of having to deal with many slots, an application can simply
choose the Metaslot, which has access to the features of all slots currently plugged into the Solaris Cryptographic
Framework. It also does the tedious work of managing sessions and objects on the different slots, so an application
can use the best slot for a particular mechanism without having to move objects and sessions back and forth. The
Metaslot behavior conforms to the PKCS#11 standard; applications should treat it as if it were any PKCS#11 slot
with normal PKCS#11 semantics.
Step 1: Master key management using Solaris PKCS#11 Softtoken
1. Click the right mouse button on the desktop and choose Open Terminal to bring up a terminal window.
2. Log in to dbzone1 if needed.
labuser@hol9762:~$ su -
Password:
root@hol9762:~# zlogin dbzone1
3. Configure the metaslot to use the Sun Software PKCS#11 Softtoken by default.
root@dbzone1:~# cryptoadm enable metaslot token="Sun Software PKCS#11 Softtoken"
4. Copy the Solaris libpkcs11.so to the PKCS#11 library directory that Oracle Database 12c expects.
root@dbzone1:~# mkdir -p /opt/oracle/extapi/64/hsm/sun/1.0.0/lib
root@dbzone1:~# cp /usr/lib/64/libpkcs11.so /opt/oracle/extapi/64/hsm/sun/1.0.0/lib
root@dbzone1:~# chown -R oracle:dba /opt/oracle
Step 2: Open the HSM based keystore and create an encryption key
1. Change to the oracle user.
root@dbzone1:/# su - oracle
Oracle Corporation SunOS 5.11 11.2 June 2014
oracle@dbzone1:~$
2. Set the PIN for the Sun Software PKCS#11 Softtoken keystore. (The initial passphrase of the keystore is
"changeme".)
oracle@dbzone1:~$ pktool setpin keystore=pkcs11
Enter token passphrase: changeme
Create new passphrase: solaris11
Re-enter new passphrase: solaris11
Passphrase changed.
3. In order to configure TDE to use the Solaris PKCS#11 Softtoken, you need to configure the HSM to be used
as the Oracle wallet.
Use vi to edit $ORACLE_HOME/network/admin/sqlnet.ora.
oracle@dbzone1:~$ vi $ORACLE_HOME/network/admin/sqlnet.ora
Add the following line to this file.
ENCRYPTION_WALLET_LOCATION= (SOURCE= (METHOD=HSM))
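A preflight check for the sqlnet.ora entry above, written for this page as an added example (it is not part of the lab and not an Oracle tool): it parses the parenthesised NAME=(VALUE) syntax and confirms that ENCRYPTION_WALLET_LOCATION selects METHOD=HSM. The file-wallet variant and its directory path are constructed for contrast.

```python
"""Preflight check for the TDE keystore entry in sqlnet.ora (added example, not
part of the lab or of any Oracle tool). It parses the parenthesised NAME=(VALUE)
syntax and verifies that ENCRYPTION_WALLET_LOCATION selects METHOD=HSM."""
import re

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")

def parse_nv(text: str) -> dict:
    """'A=(B=(C=x)(D=y))' -> {'A': {'B': {'C': 'x', 'D': 'y'}}}. '#' lines are
    comments; keys are upper-cased; only KEY=VALUE groups (no comma lists)."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    toks, pos = TOKEN.findall(body), 0
    def expect(sym):
        nonlocal pos
        if pos >= len(toks) or toks[pos] != sym:
            raise ValueError(f"expected {sym!r} at token {pos}")
        pos += 1
    def value():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of input")
        if toks[pos] != "(":                          # bare value, e.g. HSM
            pos += 1
            return toks[pos - 1]
        node = {}
        while pos < len(toks) and toks[pos] == "(":   # one or more (KEY=VALUE) groups
            expect("(")
            key = toks[pos]; pos += 1
            expect("=")
            node[key.upper()] = value()
            expect(")")
        return node

    cfg = {}
    while pos < len(toks):
        key = toks[pos]; pos += 1
        expect("=")
        cfg[key.upper()] = value()
    return cfg

def check_tde_keystore(sqlnet_text: str) -> tuple[bool, str]:
    """True when the master key is kept in a PKCS#11 keystore (METHOD=HSM)."""
    src = parse_nv(sqlnet_text).get("ENCRYPTION_WALLET_LOCATION", {})
    src = src.get("SOURCE", {}) if isinstance(src, dict) else {}
    method = src.get("METHOD") if isinstance(src, dict) else None
    if method is None:
        return False, "ENCRYPTION_WALLET_LOCATION not set: TDE has no keystore"
    if method.upper() == "HSM":
        return True, "HSM keystore: master key stays inside the PKCS#11 token"
    return False, f"METHOD={method}: wallet file on disk, copied with file system backups"

# Constructed inputs: the lab's setting, and a file-wallet variant for contrast.
LAB_SQLNET = "ENCRYPTION_WALLET_LOCATION= (SOURCE= (METHOD=HSM))\n"
FILE_SQLNET = ("ENCRYPTION_WALLET_LOCATION=\n"
               "  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))\n")
```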
4. Start up the database if needed. You must open the hardware keystore so that it is accessible to the database
before you can perform any encryption or decryption.
Open the hardware keystore and create a TDE master encryption key for the root container.
oracle@dbzone1:~$ sqlplus / as sysdba
SQL> startup
…
SQL> SHOW CON_NAME;
CON_NAME
------------------------------
CDB$ROOT
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";
keystore altered.
5. Switch the container of the current session to pdb11. Open pdb11 if needed. Open the hardware keystore and
create a TDE master encryption key for pdb11.
SQL> ALTER SESSION SET CONTAINER=pdb11;
Session altered.
SQL> ALTER PLUGGABLE DATABASE pdb11 OPEN;
Pluggable database altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";
keystore altered.
6. Check the hardware keystore status.
SQL> SELECT WRL_TYPE, status FROM v$encryption_wallet;
WRL_TYPE             STATUS
-------------------- ------------------------------
HSM                  OPEN
Step 3: TDE tablespace encryption
1. Create an encrypted tablespace in pdb11.
SQL> CREATE TABLESPACE HsmSecuredTableSpace DATAFILE
'/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf' SIZE 20M ENCRYPTION DEFAULT STORAGE(ENCRYPT);
2. Create a table in the encrypted tablespace, which automatically encrypts all data objects stored in it.
SQL> CREATE TABLE employee(first_name VARCHAR2(32), last_name VARCHAR2(32), empID NUMBER,
credit_card CHAR(16)) TABLESPACE HsmSecuredTableSpace;
3. Insert some data into the table.
SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
SQL> SELECT * FROM employee;
SQL> COMMIT;
SQL> ALTER PLUGGABLE DATABASE pdb11 CLOSE;
SQL> exit;
4. Use pktool to check the encryption keys created in the database.
oracle@dbzone1:~$ pktool list objtype=both
Enter PIN for Sun Software PKCS#11 softtoken:
No. Key Type Key Len. Key Label
----------------------------------------------------
Symmetric keys:
1) AES ORACLE.TDE.HSM.MK.068FF2B9DF184B4FBCBF68185CB2A45687 (sensitive)
2) AES ORACLE.TDE.HSM.MK.06517EBB85AF554F9ABFB20C8F358F5FD0 (sensitive)
5. Use dd to scan the database file. You won't be able to get any sensitive information.
oracle@dbzone1:~$ dd if=/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf | strings
Note: You can also create more TDE master encryption keys for future use by other PDBs. Please refer to the
Oracle Database Advanced Security Guide for details.
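The dd | strings check used in step 5 above and in Exercise 2, Step 4, re-implemented offline in Python as an added example that is not part of the lab: it extracts printable runs the way strings(1) does and reports any 16-digit card numbers a disk-level reader would see. Both "datafiles" are constructed in memory; the encrypted one is a pseudo-random stand-in for ciphertext, not real encryption.

```python
"""Offline re-implementation of the lab's `dd if=<datafile> | strings` check
(added example, not part of the lab). Both "datafiles" are constructed in
memory: one mimics an unencrypted tablespace file, the other stands in for
what an encrypted ZFS dataset or TDE tablespace leaves on disk."""
import hashlib
import re

PRINTABLE = frozenset(range(0x20, 0x7F))   # what strings(1) treats as text
PAN_RE = re.compile(r"\d{16}")              # shape of the lab's credit_card column

def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                # sentinel flushes the last run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

def find_plaintext_pans(data: bytes) -> list[str]:
    """16-digit tokens recoverable from raw bytes without the database."""
    return [pan for run in strings(data) for pan in PAN_RE.findall(run)]

def pseudo_ciphertext(data: bytes) -> bytes:
    """Stand-in for encrypted storage: deterministic pseudo-random bytes of the
    same length. NOT encryption; it only models what a disk scan would see."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += hashlib.sha256(b"constructed-keystream" + i.to_bytes(4, "big")).digest()
    return bytes(out[:len(data)])

# Constructed rows, the same values the lab inserts into EMPLOYEE, with row
# pieces separated by non-printable bytes as in an Oracle data block.
ROWS = [("gary", "wang", "6201345768476366"),
        ("yu", "wang", "4380558852114471"),
        ("chris", "zhu", "5201237476346909")]
PLAIN_DATAFILE = b"".join(
    b"\x00\x2c\x01" + f.encode() + b"\x01" + l.encode()
    + b"\x00\x10" + c.encode() + b"\xff" * 5 for f, l, c in ROWS)
ENCRYPTED_DATAFILE = pseudo_ciphertext(PLAIN_DATAFILE)

def audit(label: str, data: bytes) -> list[str]:
    """Print and return the card numbers a disk-level scan would expose."""
    hits = find_plaintext_pans(data)
    print(f"{label}: {'EXPOSED ' + str(hits) if hits else 'no plaintext card numbers'}")
    return hits

if __name__ == "__main__":
    audit("users.dbf on dbpool1 (cleartext)", PLAIN_DATAFILE)
    audit("users.dbf on dbpool2/protected (encrypted)", ENCRYPTED_DATAFILE)
```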
Why choose Oracle HSM to integrate with Solaris PKCS#11?
Oracle Database 12c supports the use of a PKCS#11 based HSM keystore as the Oracle wallet. Using a Solaris
PKCS#11 softtoken based Oracle wallet protects the master key from duplication and copying during database
and file system backups. When deployed on physical machines with a hardware cryptographic accelerator (such as
Oracle SPARC T5 servers), Solaris PKCS#11 can seamlessly use the hardware accelerator to make database
encryption much faster.
Summary
In this exercise, you have integrated the Solaris Cryptographic Framework with the Oracle wallet to manage a
hardware based keystore (HSM) for Oracle Database 12c. You have also tried the Oracle Database Transparent
Data Encryption features and learned how to encrypt sensitive data with TDE tablespace encryption.
Summary
You have successfully completed the "Oracle Database 12c Data Protection and Multitenancy on Oracle
Solaris 11" hands-on lab! You have explored different isolation and encryption approaches for securing
multitenancy when using Oracle Database 12c on Oracle Solaris 11: Oracle Solaris Zones, Oracle Database 12c
pluggable databases (PDBs), Oracle Advanced Security Transparent Data Encryption (TDE) and Oracle Solaris
ZFS encryption. You have also learned how TDE works with the Solaris Cryptographic Framework.
See Also
High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4
Managing ZFS File Systems in Oracle® Solaris 11.2
Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management
Oracle Solaris Administration: Network Interfaces and Network Virtualization
Oracle Database Advanced Security Guide
About the Authors
Ramesh Nagappan is a Senior Principal Engineer at Oracle Corporation (previously at Sun Microsystems). He
works on security integration for the SuperCluster platform and focuses on cloud security, network and
application security, and applied cryptography for applications, XML Web Services and identity management
technologies.
Yu Wang presently works for Oracle's ISV Engineering group as a Principal Software Engineer. His duties
include supporting local ISVs and evangelizing Oracle Solaris and Java technologies.
Xiaosong (Chris) Zhu is a Senior Software Engineer working for Oracle's ISV Engineering group. She
concentrates on Solaris and C/C++. Her duties include Solaris evangelism and supporting local ISVs in running
their C/C++ applications best on Oracle Solaris and SPARC servers.
Gang (Gary) Wang, manager of Oracle's ISV Engineering group, leads the ISV Engineering team in Beijing,
helping ISVs in China, Japan, and Korea to make their applications run best on Oracle Solaris, Oracle servers,
and Oracle storage.