D90836GC10 Ag1 PDF

Unauthorized reproduction or distribution prohibitedฺ Copyright© 2018, Oracle and/or its affiliatesฺ
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht Oracle ns e
r ap a s li c e Database Security:
m ur P Preventive Controls
Fla
Activity Guide – Volume I

D90836GC10
Edition 1.0 | February 2017 | D99633
Learn more from Oracle University at education.oracle.com

Author Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Hans Forbrich Disclaimer
This document contains proprietary information and is protected by copyright and

Technical Contributor other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
and Reviewer in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
Jean-Francois Verrier
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.
Editors
The information contained in this document is subject to change without notice. If you
Aishwarya Menon find any problems in the document, please report them in writing to: Oracle University,
Smita Kommini 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Vijayalakshmi Narasimhan
Restricted Rights Notice
Graphic Designer
Rajiv Chandrabhanu
If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
a ble
applicable:
f e r
an s
Publishers U.S. GOVERNMENT RIGHTS
n - t r
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or
o
an
Pavithran Adka disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.
Giri Venugopal
ha s
Trademark Notice )
m ideฺ
c o
ailฺ t Gu
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.
m
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla
Table of Contents
Course Practice Environment Security Credentials

Practices for Lesson 1: Environment Familiarization .............................................................................. 1-1
Practices for Lesson 1: Overview............................................................................................................. 1-2

Practice 1-1: Environment Familiarization ................................................................................................ 1-3
Practices for Lesson 2: Implementing Basic and Strong Authentication ................................................ 2-1
Practice 2-1: Creating the Security Officer Account .................................................................................. 2-3
Practice 2-2: Managing Secure Passwords .............................................................................................. 2-13
Practice 2-3: Using Basic OS Authentication Method................................................................................ 2-28
Practice 2-4: Observing Passwords in Database Links ............................................................................. 2-31
a ble
Practice 2-5: Restricting Database Links With Views ................................................................................ 2-35
f e r
Practice 2-6: Configuring the External Secure Password Store ................................................................. 2-38
an s
Practice 2-7: Connecting to a CDB or a PDB............................................................................................ 2-46
n - t r
no
Practice 2-8: Preparation for Next Lesson ................................................................................................ 2-50
s a
Practices for Lesson 3: Using Enterprise User Security.......................................................................... 3-1
h a
) eฺ
o m
Practice 3-1: Registering a Database with Enterprise Manager ................................................................. 3-3
ilฺc Guid
Practice 3-2: Starting and Configuring Oracle Unified Directory................................................................ 3-10
a
g m ent
Practice 3-3: Configuring and Registering the Database ........................................................................... 3-20
t i c a@ Stud
Practice 3-4: Configuring Global Users and Global Roles ......................................................................... 3-28
a s h this
Practice 3-5: Configuring Enterprise User Security by Using Enterprise Manager ...................................... 3-30
ap and
Practice 3-6: Cleaning Up........................................................................................................................ 3-43
Practices for Lesson 4: Usingp r u s e
Practices for Lesson 4:a
( f Privileges
to
Roles ................................................................................ 4-1
t i c s e
Overview.............................................................................................................
h ProxycAuthentication
4-2
Practicep a sExploring
Practice 4-1: Using
l i en ................................................................................................. 4-3
P ra 4-3: Granting SYSBACKUP Administrative Privilege ................................................................... 4-20

4-2: DBA Privileges .................................................................................................... 4-13
u r Practice
m Practice 4-4: Implementing a Secure Application Role.............................................................................. 4-25

Fla Practice 4-5: Enabling Roles at Run Time by Using CBAC ....................................................................... 4-35
Practice 4-6: Executing Invoker's Right Procedure by Using the INHERIT PRIVILEGES
Privilege (Optional) ................................................................................................................................. 4-42
Practice 4-7: BEQUEATH Current_user Views by Using INHERIT PRIVILEGES (Optional) ....................... 4-47
Practice 4-8: Managing Local and Common Privileges and Roles in CDB and PDBs ................................. 4-51
Practices for Lesson 5: Encryption Concepts.......................................................................................... 5-1
Practices for Lesson 6: Using Application-Based Encryption................................................................. 6-1
Practice 6-1: Using DBMS_CRYPTO for Encryption ................................................................................. 6-2
Practice 6-2: Checksumming by Using the HASH Function....................................................................... 6-8
Practice 6-3: Preparing for Tablespace Encryption ................................................................................... 6-11
Practices for Lesson 7: Applying Transparent Data Encryption ............................................................. 7-1
Practice 7-1: Configuring the Password-Based Keystore for TDE ............................................................. 7-2
Practice 7-2: Implementing Table Column Encryption............................................................................... 7-12
Practice 7-3: Implementing Tablespace Encryption .................................................................................. 7-30
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Oracle Database Security: Preventive Controls Table of Contents

iii
Practices for Lesson 8: Applying File Encryption.................................................................................... 8-1
Practice 8-1: Using RMAN Backup File Encryption ................................................................................... 8-2
Practice 8-2: Exporting Encrypted Data.................................................................................................... 8-16
Practice 8-3: Importing Encrypted Data.................................................................................................... 8-27
Practices for Lesson 9 Installing Oracle Key Vault .................................................................................. 9-1
Practice 9-1: Introduction......................................................................................................................... 9-3

Practice 9-2: Installation and Post-Installation Videos ............................................................................... 9-5
Practice 9-3: (Optional) Installing Oracle Key Vault .................................................................................. 9-6
Practice 9-4: Oracle Key Vault Post-install Tasks ..................................................................................... 9-13
Practice 9-5: (Optional) Shutting down and Restarting the Key Vault ........................................................ 9-19
Practices for Lesson 10: Working with Endpoints and Wallets ............................................................... 10-1
Practices for Lesson 10: Overview ........................................................................................................... 10-2
Practice 10-1: Enrolling Endpoints and Setting Up Encryption Videos ....................................................... 10-3
a ble
Practice 10-2: Enrolling an Endpoint ........................................................................................................ 10-4
f e r
Practice 10-3: Setting Up Encrypted Data in Oracle Databases ................................................................ 10-12
an s
Practice 10-4: Uploading and Downloading Wallets with Oracle Key Vault ................................................ 10-20
n - t r
a
Practices for Lesson 11: Using Direct TDE with Oracle Database........................................................... 11-1no
a s
h
) eฺ
Practice 11-1: TDE Direct Video .............................................................................................................. 11-3
m
o uid
ilฺc TasksG........................................
Practice 11-2: Using the Online Master Key with Oracle Key Vault............................................................ 11-4
Practices for Lesson 12: Performing Oracle Key Vault Administrative
m ent a 12-1
@ g d
a t u
tTrailc ...................................................................................
Practice 12-1: Key Vault Administration Videosi........................................................................................
S 12-3
Practice 12-2: Using and Managing the Audit
a s h t h i s 12-4
Practice 12-3: Backing Up the Key
r a usp
Vault e
.................................................................................................. 12-9
f p
Practice 12-4: Cleaning Up(......................................................................................................................
to 12-14
i c a e
a s ht 13: cUsing
Practices for Lesson
e s
nApplication Data Model .......................................................................... 13-1
Practices for
a i
p13-1: Adding lData
Lesson 13: Using an Application Data Model ....................................................................... 13-2
r
P 13-2: Registering a Database with Enterprise Manager ............................................................... 13-12
Practice to the orcl Instance ........................................................................................ 13-3
u r Practice
m
Fla Practice 13-3: Capturing the Application Data Model ................................................................................ 13-18
Practices for Lesson 14: Data Masking Formats...................................................................................... 14-1
Practice 14-1: Reviewing Data Masking Formats...................................................................................... 14-3
Practice 14-2: Check Your Knowledge ..................................................................................................... 14-11
Practices for Lesson 15: Implementing Data Masking ............................................................................. 15-1
Practice 15-1: Create a New Data Masking Definition............................................................................... 15-3
Practices for Lesson 16: Data Subsetting ................................................................................................ 16-1
Practice 16-1: Using a Data Subsetting Definition..................................................................................... 16-3
Practices for Lesson 17: Data Masking Administratoin ........................................................................... 17-1
Practices for Lesson 17: Data Masking Administration.............................................................................. 17-2
Practice 17-1: Performing Data Masking and Subsetting Exports .............................................................. 17-3
Practice 17-2: Clean up the Environment ................................................................................................. 17-7

iv
Practices for Lesson 18: Oracle Data Redaction...................................................................................... 18-1
Practice 18-1: Redacting Protected Column Values with FULL Redaction ................................................. 18-3
Practice 18-2: Redacting Protected Column Values with PARTIAL Redaction ........................................... 18-12
Practice 18-3: Changing the Default Value for FULL Redaction ................................................................ 18-15
Practice 18-4: Cleaning Up Redaction Policies ......................................................................................... 18-23

Practices for Lesson 19: Transparent Sensitive Data Protection ............................................................ 19-1
Practice 19-1: Implementing a TSDP Policy ............................................................................................. 19-3
Practice 19-2: Disabling TSDP Policies .................................................................................................... 19-20
Practices for Lesson 20: Introduction to Database Vault ........................................................................ 20-1
Practice 20-1: Your Course Setup ........................................................................................................... 20-3
a ble
Practice 20-2: Enabling Unified Auditing .................................................................................................. 20-7
f e r
an
Practice 20-3: Adding a Cloud Control Target .......................................................................................... 20-11 s
n - t r
Practice 20-4: Testing Your Knowledge ................................................................................................... 20-16
a no
Practices for Lesson 21: Database Vault Administrators ........................................................................ 21-1
a s
Practices for Lesson 21: Database Vault Administrators ........................................................................... 21-2
h
) eฺ
Practice 21-1: Configuring Database Vault for the Container DB ............................................................... 21-4
m
o
ilฺc Guid
Practice 21-2: Configuring Database Vault for the PDB ............................................................................ 21-7
m ent a
Practice 21-3: Setting Up Practice Accounts ............................................................................................ 21-12
g
Practice 21-4: Configuring Database Vault User in Cloud Control 13c ....................................................... 21-16
t i c a@ Stud
Practices for Lesson 22: Privilege Analysis............................................................................................. 22-1
s h th i s
a by AnyeUser..............................................................................
r a
Practice 22-1: Analyzing Privileges p
Used
s 22-3
f p u
( PrivilegetoUse in Context ............................................................................ 22-10
Practice 22-2: Analyzing ANY
i c a
t ense Privileges ....................................................................................... 22-13
Practice 22-3: Analyzing Role-Based
Practices fora s h
r a pforLesson licUsing Realms ................................................................................................... 23-1
23:
u P 23-1: Using Realms to Protect a Schema ................................................................................... 23-3

Practices
r Practice
Lesson 23: Overview ........................................................................................................... 23-2
m
Fla Practice 23-2: Using Realms to Protect Roles .......................................................................................... 23-12
Practice 23-3: Using Regular and Mandatory Realms............................................................................... 23-20
Practices for Lesson 24: Managing Rule Sets.......................................................................................... 24-1
Practice 24-1: Managing Rule Sets .......................................................................................................... 24-3
Practices for Lesson 25: Command Rules ............................................................................................... 25-1
Practice 25-1: Using Command Rules ..................................................................................................... 25-3
Practice 25-2: Protecting Application Data ............................................................................................... 25-7
Practices for Lesson 26: Factors and Identities....................................................................................... 26-1
Practice 26-1: Restricting Access by Using the Client_IP and Domain Factors .......................................... 26-3
Practice 26-2: Creating a Factor to Determine Job Role ........................................................................... 26-14
Practice 26-3: Using Assignment Rule Sets with Factors .......................................................................... 26-18
Practice 26-4: Using Rule Sets to Restrict Connection Sources ................................................................ 26-22
Practice 26-5: Using a Factor to Identify a User........................................................................................ 26-26

v
Practice 26-6: Creating Time-Based Factors ............................................................................................ 26-30
Practices for Lesson 27: User Rulesets ................................................................................................... 27-1
Practice 27-1: Managing Secure Application Roles .................................................................................. 27-3
Practices for Lesson 28: Reports ............................................................................................................. 28-1
Practices for Lesson 28: Reports ............................................................................................................. 28-2
Practice 28-1: Familiarization with Dictionary Views ................................................................................. 28-3

Practice 28-2: Viewing Configuration Issues Reports................................................................................ 28-5
Practice 28-3: Viewing Enforcement Audit Reports................................................................................... 28-16
Practice 28-4: Viewing Database Vault Configuration Changes ................................................................ 28-21
Practice 28-5: Viewing General Security Reports ..................................................................................... 28-25
Practices for Lesson 29: Using Database Vault ....................................................................................... 29-1
Practices for Lesson 29: Using Database Vault ........................................................................................ 29-2
Practice 29-1: Protecting Data from SELECT ANY TABLE Access ........................................................... 29-5
a ble
Practice 29-2: Restricting OE DBA Activities to Nonbusiness Hours.......................................................... 29-8
f e r
an s
n - r
Practice 29-3: Locking Down the DBA Roles ............................................................................................ 29-9
t
Practice 29-4: Preventing Data Loss ........................................................................................................ 29-15
o
an
Practice 29-5: Allowing Temporary ALTER SYSTEM Command Access ................................................... 29-17
s
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla

vi
Course Practice Environment: Security Credentials
For OS usernames and passwords, see the following:

• If you are attending a classroom-based or live virtual class, ask your instructor or LVC
producer for OS credential information.

• If you are using a self-study format, refer to the communication that you received from
Oracle University for this course.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Page 1 of 4
For product-specific credentials used in this course, see the following username/password table:
Username Password
Linux
root oracle
oracle oracle
auditvault auditpass
fred oracle
*** wallet welcome1
a ble
f e r
ans
Oracle
n - t r
o
ann A_xxx12345667890_Yyy
s an
avdfuser avdfpass
) ha
c o m ideฺ
ailฺ t Gu
bi oracle_4U
c##sec oracle_4sec m
g den
@
dba_junior oracle_4U
h t ica is Stu
dbsnmp
p a
oracle_4U s th
r a
poracle_4U us e
dev ( f t o
hr h t ica noracle_4U
se
pa s e
lic oracle_4U
ix r a
u rP
jim oracle_4U
m
Fla oe oracle_4U
pfay oracle_4U
pm oracle_4U
scott oracle_4U
sec oracle_4sec
sys oracle_4U
system oracle_4U
tom oracle_4U

Page 2 of 4
Oracle Audit Vault
Installation Passphrase oracle_4U
avadmin oracle_4U
avadmin1_sa oracle_4U
avadmin2_a oracle_4U
avauditor oracle_4U
avaudit1_sa oracle_4U
avaudit2_a oracle_4U
Repository Encryption oracle_4U
a ble
f e r
root oracle_4U
ans
support oracle_4U
n - t r
o
s an
Oracle Database Firewall
) ha
c o m ideฺ
Installation Passphrase oracle_4U
a ilฺ Gu
fwadmin oracle_4U g m e n t
root oracle_4U
t i c a@ Stud
a s h this
support
f p r ap use
oracle_4U
sysman
a ( oracle_4U
to
i c
ht cens e
a s
p Oracle li Key Vault
r a
u r P Passphrase My passcode is No 1.
Installation
m
Fla Recovery Passphrase oracle_4U
OKV_SYS_SEAN oracle_4U
OKV_KEYS_KATE oracle_4U
OKV_AUD_AUDREY oracle_4U
Repository Encryption oracle_4U
root oracle_4U
support oracle_4U
Oracle Enterprise Manager

sysman oracle_4U

Page 3 of 4
Oracle Unified Directory
cn=Directory Manager
Student1
(initial)
cn=Directory Manager
oracle_4U
(after update)
user.0 oracle_4U
Oracle Database Vault (dvcdb)

sysman oracle_4U
sys oracle_4U
system oracle_4U
a ble
dbsnmp oracle_4U f e r
ans
c##dbv_own_root oracle_4U
n - t r
o
c##dbv_mgr_root oracle_4U
s an
c##dbv_own_pdb oracle_4U
) ha
c o m ideฺ
ailฺ t Gu
c##dbv_mgr_pdb oracle_4U
leo_dvowner oracle_4U m
g den
@
bea_dvacctmgr oracle_4U
h t ica is Stu
dba_psmith a
oracle_4U
p s th
r a
poracle_4U us e
hr ( f t o
oe h t ica noracle_4U
se
a s e
lic oracle_4U
bernst ap
r
u rP
smavris oracle_4U
m
Fla kpartner oracle_4U
wsmith oracle_4U
ahunold oracle_4U

Page 4 of 4
a ble
f e r
ans
n - t r
a no
h a s
Practices for m ) Lesson
e ฺ 1:
o id
ilฺc GuFamiliarization
Environment
a
g m ent
c a @ tu1 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 1: Environment Familiarization

Chapter 1 - Page 1
Practices for Lesson 1: Overview
Practices Overview
Understanding the Classroom Configuration
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a
In these practices, you will familiarize s hyourselfthwith
is the computing environment used in this
course and perform setupp
f r ap use
tasks:
• Starting and a (
verifyingethetovirtual machines are started.
i c
htdowncethenvirtual
s machines.
p a s
• Shutting
li
a
Note:rThroughout these practices, Courier New bold is used to indicate command(s) that
u r Penter. For example, the following indicates that you are to enter the date command:
you
m
Fla $ date
Mon Jun 16 00:20:46 UTC 2014
$
Scripts specific to this lesson have been provided in directory /home/oracle/labs/.

Chapter 1 - Page 2
Practice 1-1: Environment Familiarization
Overview
In this practice, you familiarize yourself with the computing environment used in this course.
You make note of some important information that you will need when you perform the practices
for this course. Fill in the Course Overview table as you gather the information.
Assumptions
You have a course setup on Linux based Virtual Machines:
• cl1: a client machine
• db1: a database machine
• em13: an Oracle Enterprise Manager machine
• okv: an Oracle Key Vault machine
a ble
• oav: an Oracle Audit Vault machine f e r
ans
• odf: an Oracle Database Firewall machine
n - t r
The VMs contain the following:
a no
• Client software and the GlassFish application server are installedson cl1.
) hadatabase with two
• There are three databases installed on db1: dbsec (a container
o d e ฺ
m idatabase),
pluggable databases pdb1 and pdb2), orcl (a non-container c
ilฺDNS and ua network timeandprotocol
fix1 (a
non-container database). Also, db1 operates a
m ent
as a G
g
server.
• Enterprise Manager Cloud Control t i c a@ Stusing
is installed
ud a non-container database em13rep.
a sh Firewall
If Oracle Audit Vault and OraclepDatabase t h is labs are to be performed, oav and odf VMs
are installed. f p r a use
• The Oracleic a ( Vault appliance
to is installed on oav. You will configure this appliance
Audit
hoftthe course e
nspractices.
p a s
as part
li c e
• raThe Oracle Database Firewall appliance is installed on odf. You will configure this
u r P appliance as part of the course practices.
m
Fla If Oracle Key Vault labs are to be performed, the okv VM is available.
• The Oracle Key Vault appliance is installed on okv. You will configure this appliance as
part of the course practices.
Tasks
1. Log in to your assigned machine and open a terminal window: Right-click and select Open
in Terminal.
2. Check your system date and time. Note it, especially if it is different from your own time
zone.
$ date
Mon Jun 16 00:20:46 UTC 2014
$
3. Start the db1 virtual machine.
$ sudo xm list db1
Error: Domain 'db1' does not exist.

Chapter 1 - Page 3
$ sudo xm create /OVS/running_pool/db1/vm.cfg
Using config file "/OVS/running_pool/db1/vm.cfg".
Started domain db1 (id=10)
$
4. Start the cl1 virtual machine.
$ sudo xm create /OVS/running_pool/cl1/vm.cfg

Using config file "/OVS/running_pool/cl1/vm.cfg".
Started domain cl1 (id=3)
$
5. List the virtual machines running.
$ sudo xm list
Name ID Mem VCPUs State Time(s)
a ble
f e r
db1 10 3090 1 -b---- 1614.7
ans
cl1 3 1027 1 -b---- 8157.7
n - t r
Domain-0 0 2064 8
a no r----- 201672.8
$
h a s
6. Log on to the client machine as root and shut it down from the)within the VM.
o d e ฺ message will only
m‘authenticity’
a. Use ssh to connect to the client machine. Note that c
ilฺ Ghosts
the i
u list. Enter yes to add it
be displayed as long as the machine is not in a
the known t
m
g willdbe
to the known hosts. Thereafter the message e nsuppressed.
@
$ ssh root@cl1
h t ica is Stu
The authenticity p ofa shost 'cl1
th (192.0.2.103)' can't be
established. pra us e
( f t o
h t ica nse
RSA key fingerprint is
p syou sure
l i c e you want to continue connecting (yes/no)? yes
db:1d:04:46:f0:c9:36:44:bf:39:0d:58:f1:9a:00:a4.
a
P ra Warning: Permanently added 'cl1,192.0.2.103' (RSA) to the list
Are
r
mu
Fla
of known hosts.
root@cl1's password:
Last login: Wed Dec 7 03:50:09 2016 from 192.0.2.1
b. Shut down the machine to return to the host.
[root@cl1 ~]# shutdown -P now
Broadcast message from [email protected]
(/dev/pts/0) at 18:00 ...
The system is going down for power off NOW!

Connection to cl1 closed by remote host.
Connection to cl1 closed.

Chapter 1 - Page 4
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 2:
o id
a ilฺc GuBasic
Implementing and
m n t
g dAuthentication
Strong e
@ tu2
h t ica Chapter
s S
p a s
e t hi
( f pra to us
h t ica nse
p a s lice
ra
mur P
Fla
Practices for Lesson 2: Implementing Basic and Strong Authentication

Chapter 2 - Page 1
Practices Overview
In these practices, you implement basic password and OS authentication, secure passwords,
restrict database links, and manage authentication of common and local users in CDBs and
PDBs.
Assumptions
This lesson is performed on the db1 virtual machine using both the orcl instance and the
dbsec instance. Review the lesson titled “Introduction” if you need assistance in starting the
virtual machine.
Unless otherwise indicated, you log in as operating system user oracle.
a ble
Ensure the listener, non-CDB orcl instance, CDB dbsec instance, and pdbsec pluggable
f e r
database are started and available. You may use the courtesy scripts found in
ans
/home/oracle/bin, such as start_listener.sh, start_orcl.sh, and
n - t r
start_dbsec.sh to start the listener and instances.
a no
a s and
If you need to restart the lesson, you may reset using the preset_orcl.sql
h
preset_dbsec.sql scripts that are in the $HOME/labs/USERS )directory.
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
r
mu
Fla

Chapter 2 - Page 2
Practice 2-1: Creating the Security Officer Account
Overview
In this practice, you create the security officer account that has privileges to create user
accounts, grant privileges, and administer fine-grained auditing and fine-grained access control
in the orcl database.

In this and subsequent practices, security is administered by a single user. Be sure to use this
account whenever possible.
Tasks
1. Connect as SYSTEM in the orcl instance to create the SEC user, giving it the following
properties:
− Name is SEC
− Password is oracle_4sec a ble
f e r
− This user must be able to allocate space in the USERS tablespace for security-related
ans
tables and objects.
n - t r
no
− Can create a session and grant the privilege to other users to create a session
a
− Can select from any table in the database, including the SYS schema
h a s
− Can create or drop any context in the database m ) eฺ
o
− Can create, alter, and drop users
a ilฺc Guid
− Can create roles and can alter and drop any g mroles ent
− Can create tables, procedures, and
t i c atriggersS tud the ADMINISTER DATABASE
@ (including
s
TRIGGER privilege, which allows
a h thethuser is to create database triggers)
− Can administer OS file r p through
aaccess s e DIRECTORY objects
− Can administer ( f p
profiles to u
i c a e
a s ht audit
− Can execute
c e s
ncommands
−a Can i
p executelALTER SYSTEM commands (allows the user to change initialization
r
P parameters)
u r
l a m − Can grant and revoke any object privilege
F − Can execute DBMS_SESSION. This privilege is granted from the SYS user to PUBLIC by
default
a. Use the oraenv utility to set the ORACLE_SID environment variable to the orcl value.
The response message may not be identical. However if you are prompted for the
ORACLE_HOME, the requested system identifier is not known, and you should review
your step. The oraenv utility sets the ORACLE_SID, ORACLE_HOME and PATH in the
current terminal window and shell. If you close the terminal window, you should re-run
this step or use your own preferred method to set these environment variables. Also
reinitialize the database to introduce security deficiencies to be found.
$ . oraenv
ORACLE_SID = [orcl] ? orcl
The Oracle base … /u01/app/oracle
$ labs/USERS/preset_orcl.sh >> /dev/null 2>&1
$

Chapter 2 - Page 3
b. Execute the create_sec.sh script. Make sure you are in the ~/labs/USERS
directory. When the script completes, exit from SQL*Plus
$ cd ~/labs/USERS
$ ./create_sec.sh
SQL*Plus: Release 12.1.0.2.0 Production on Fri Jan 20 04:18:51
2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -
64bit Production
a ble
With the Partitioning, Oracle Label Security, OLAP, Advanced f e r
Analytics and Real Application Testing options ans
n - t r
o
SQL> DROP USER sec CASCADE;
s an
DROP USER sec CASCADE
) ha
*
c o m ideฺ
ERROR at line 1:
m ailฺ t Gu
ORA-01918: user 'SEC' does not exist
@ g den
h t ica is Stu
p a s th BY oracle_4sec
SQL> CREATE USER r a
pTABLESPACE
sec e
us USERS
IDENTIFIED
( f t o
t ica UNLIMITED
2 DEFAULT
3 hQUOTA n se ON USERS;
s e
rapa lic
mur P User created.
Fla SQL>
SQL> GRANT create session
2 TO sec
3 WITH ADMIN OPTION;
Grant succeeded.
SQL>
SQL> GRANT select_catalog_role, select any table,
2 create any context, drop any context,
3 create user, alter user, drop user,
4 create role, alter any role, drop any role,
5 create table, create procedure,
6 create any trigger, administer database trigger,

Chapter 2 - Page 4
7 create any directory, alter profile, create profile,
8 drop profile, audit system, alter system,
9 grant any object privilege, grant any privilege,
grant any role
10 TO sec;
Grant succeeded.
SQL>
SQL> GRANT execute on DBMS_SESSION to sec;
Grant succeeded.
a ble
f e r
SQL> GRANT execute on UTL_FILE to sec;
ans
n - t r
Grant succeeded.
a no
h a s
SQL>
m ) eฺ
o uid Edition Release
SQL> EXIT
a ilฺcEnterprise
G
Disconnected from Oracle Database
g m ent
12c
a@ LabeltudSecurity, OLAP, Advanced

12.1.0.2.0 - 64bit Production
With the Partitioning, tOracle i c S
h this Testing options
s
Analytics and RealaApplication
$
f p r ap use
a (immediately
to takes some actions due to basic security issues.
i c
2. The security officer
t eaccounts
hschema e
ns HR, OE, SH, PM, BI, and IX are well known; they should not
Sample
a s c
li needed. If they are not needed, the passwords should be expired and
pinstalled unless
r a
be
u r P the accounts locked when not being used. After a password is marked as expired, the
m password must be changed before the account can be used again.
Fla $ sqlplus sec
Enter password: *******
Connected to:
64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real
Application Testing options
SQL> ALTER USER PM PASSWORD EXPIRE ACCOUNT LOCK;
User altered.
SQL> ALTER USER BI PASSWORD EXPIRE ACCOUNT LOCK;

Chapter 2 - Page 5
User altered.
SQL> ALTER USER IX PASSWORD EXPIRE ACCOUNT LOCK;
User altered.
SQL>
3. Because it is dangerous to work with the UTL_FILE_DIR parameter set to *, you reset the
UTL_FILE_DIR parameter to NULL, so that no one can read from or write to any directory
using the UTL_FILE package. Then you configure the database so that users can write to
the /home/oracle/student directory:
a. Reset the UTL_FILE_DIR parameter to NULL.
a ble
SQL> ALTER SYSTEM SET utl_file_dir='' SCOPE=spfile;
f e r
ans
System altered.
n - t r
n o
s a
SQL> CONNECT / AS SYSDBA
) ha
Connected.
c o m ideฺ
SQL> SHUTDOWN IMMEDIATE
m ailฺ t Gu
Database closed.
@ g den
tica is Stu
Database dismounted.
ORACLE instance shutsh down.
a p a e th
pr started.
us
SQL> STARTUP
ORACLE instance ( f t o
h t ica nse
p a s System
Total l i c e Global Area 501059584 bytes
ra
ur P
Fixed Size 2290024 bytes
m
Fla
Variable Size 264244888 bytes
Database Buffers 226492416 bytes
Redo Buffers 8032256 bytes
Database mounted.
Database opened.
SQL>
b. Configure the database to allow writes using the DIRECTORY objects. Create the
/home/oracle/student directory on the OS. Create a directory object for the
/home/oracle/student directory. You can later grant READ or WRITE privileges
to the directory to certain users.
SQL> !mkdir /home/oracle/student
SQL> CONNECT sec

Connected.

Chapter 2 - Page 6
SQL> CREATE DIRECTORY student AS '/home/oracle/student';
Directory created.
SQL>
c. Test the configuration. The following PL/SQL block writes the current database time
to the db_time.lst file. The PL/SQL block accepts a single parameter: the
uppercase name of the directory object that you want to write to (STUDENT).
SQL> DECLARE
file_handle UTL_FILE.FILE_TYPE;
file_mode VARCHAR2(1) := 'w';
file_name VARCHAR2(15) := 'db_time.lst';
a ble
file_location VARCHAR2(80) := '&1';
f e r
file_data VARCHAR2(100);
ans
BEGIN
n - t r
o
an
file_handle := utl_file.fopen(file_location, file_name,
s
ha
file_mode);
IF utl_file.is_open(file_handle) THEN )
m ideฺ
c o
ailฺ t Gu
file_data := current_timestamp;
m
g den
utl_file.put(file_handle, file_data);
@
ica is Stu
utl_file.fclose(file_handle);
ELSE
s h t
a p a e th
dbms_output.put_line('The file was not opened.');
END IF;( f pr to us
t
END;
h ica nse
p a
/ s lice
ra
ur P
2 3 4 5 6 7 8 9 10 11 12 13 14
15 16 17 Enter value for 1: /home/oracle
m
Fla old 5: file_location VARCHAR2(80) := '&1';
new 5: file_location VARCHAR2(80) := '/home/oracle';
DECLARE
*
ERROR at line 1:
ORA-29280: invalid directory path
ORA-06512: at "SYS.UTL_FILE", line 41
ORA-06512: at "SYS.UTL_FILE", line 478
ORA-06512: at line 8
SQL>

Chapter 2 - Page 7
Notice the error. The /home/oracle OS directory is not a directory object defined in
the database. Use a directory defined in the database.
SQL> DECLARE
file_handle UTL_FILE.FILE_TYPE;
file_mode VARCHAR2(1) := 'w';
file_name VARCHAR2(15) := 'db_time.lst';

file_data VARCHAR2(100);
BEGIN
file_handle := utl_file.fopen(file_location, file_name,
file_mode);
IF utl_file.is_open(file_handle) THEN
a ble
file_data := current_timestamp;
f e r
utl_file.put(file_handle, file_data);
ans
utl_file.fclose(file_handle);
n - t r
o
an
ELSE
ha s
dbms_output.put_line('The file was not opened.');
END IF; )
m ideฺ
c o
ailฺ t Gu
END;
/ m
g den
@
ica is Stu
Enter value for 1: STUDENT
old 5:
s h t
new 5:
a p a e
file_locationth VARCHAR2(80) := 'STUDENT';
( f pr to us
ca nse successfully completed.
PL/SQLtiprocedure
h
p a s lice
ra
ur P
SQL>
m d. Verify that the db_time.lst file is written to the directory after executing the
Fla PL/SQL block.
SQL> HOST cat /home/oracle/student/db_time.lst
05-JUL-13 10.01.49.700632000 AM +00:00
SQL>
4. Do any users in your database have the DBA role, SYSOPER, SYSDBA, SYSKM, SYSDG, or
SYSBACKUP privilege that they do not need? Fix this problem.
a. Find users who are granted the DBA role by querying the DBA_ROLE_PRIVS
view.
SQL> COL grantee FORMAT a12
SQL> COL granted_role FORMAT a12
SQL> SELECT * FROM dba_role_privs WHERE granted_role='DBA';
GRANTEE GRANTED_ROLE ADM DEL DEF COM

------------ ------------ --- --- --- ---

Chapter 2 - Page 8
SCOTT DBA NO NO YES NO
SYSTEM DBA NO NO YES YES
SYS DBA YES NO YES YES
SQL>
b. SCOTT has no need for the DBA role because this is a demo account that has
been locked and the password expired. Revoke the DBA role from SCOTT. To
revoke a role, you must have been granted the role with ADMIN OPTION. You
can revoke any role if you have the GRANT ANY ROLE system privilege.
SQL> REVOKE DBA FROM scott;
Revoke succeeded.
a ble
SQL> SELECT * FROM dba_role_privs WHERE granted_role='DBA';
f e r
ans
GRANTEE GRANTED_ROLE ADM DEL DEF COM
n - t r
------------ ------------ --- --- ---
a no---
SYSTEM DBA NO NO
h a s
YES YES
SYS DBA YES NO
m ) eฺYES YES
o
a ilฺc Guid
SQL>
g m ent
c. Users with the SYSDBA or c
t i a@ Sprivilege
SYSOPER tud are listed in the oracle password
file. SCOTT and HR have
a s h no need
t h isfor these privileges. Only SYSDBA can GRANT
or REVOKE these
f p r ap use
privileges.
(
SQL> COL username
a toFORMAT a12
i c e
t e*nsFROM v$pwfile_users;
SQL> hSELECT
a s
rapUSERNAME lic SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM
ur P
CON_ID
------------ ----- ----- ----- ----- ----- ----- ----------
m
Fla SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
SYSDG FALSE FALSE FALSE FALSE TRUE FALSE 0
SYSBACKUP FALSE FALSE FALSE TRUE FALSE FALSE 0
SYSKM FALSE FALSE FALSE FALSE FALSE TRUE 0
SCOTT TRUE FALSE FALSE FALSE FALSE FALSE 0
HR FALSE TRUE FALSE FALSE FALSE FALSE 0
6 rows selected.
SQL> REVOKE SYSOPER FROM hr;

REVOKE SYSOPER FROM hr
*
ERROR at line 1:
ORA-01031: insufficient privileges

Chapter 2 - Page 9
Connected.
SQL> REVOKE SYSOPER FROM hr;
Revoke succeeded.
SQL> REVOKE SYSDBA FROM scott;
Revoke succeeded.
SQL>
SQL> SELECT * FROM v$pwfile_users;
a ble
f e r
USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM CON_ID
ans
------------ ----- ----- ----- ----- -----
n -
----- ---------t r
SYS TRUE TRUE FALSE FALSE
a no FALSE FALSE 0
SYSDG FALSE FALSE FALSE
h a s
FALSE TRUE FALSE 0
SYSBACKUP FALSE FALSE FALSE m ) eฺ TRUE FALSE FALSE 0
o
SYSKM FALSE FALSE
a ilฺc Guid
FALSE FALSE FALSE TRUE 0
g m ent
SQL>
t i c a@ Stud
s
5. Do any users in your database have
a h the tRESOURCE
h is role? If there are some users being
granted the RESOURCE role,
f p r apcheckuthat
s e the UNLIMITED TABLESPACE system privilege is
a (
not granted. In Oracle Database
t o 12c, the RESOURCE role is not granted the UNLIMITED
c nprivilege
TABLESPACEtisystem
h se anymore.
s
a. a As SEC,
p UNLIMITED e
liccheckTABLESPACE
which users have the combination of the RESOURCE role and the
P r a system privilege.
r
mu SQL> CONNECT sec
Fla Enter password: *******
Connected.
SQL> column grantee format a20
SQL> SELECT grantee, privilege, granted_role
FROM dba_sys_privs JOIN dba_role_privs USING (grantee)
WHERE granted_role='RESOURCE'
AND privilege = 'UNLIMITED TABLESPACE'
ORDER BY grantee;
GRANTEE PRIVILEGE GRANTED_ROLE

-------------- -------------------- ---------------------
APEX_040200 UNLIMITED TABLESPACE RESOURCE
BI UNLIMITED TABLESPACE RESOURCE
CTXSYS UNLIMITED TABLESPACE RESOURCE

Chapter 2 - Page 10
DVSYS UNLIMITED TABLESPACE RESOURCE
HR UNLIMITED TABLESPACE RESOURCE
IX UNLIMITED TABLESPACE RESOURCE
LBACSYS UNLIMITED TABLESPACE RESOURCE
MDSYS UNLIMITED TABLESPACE RESOURCE
OE UNLIMITED TABLESPACE RESOURCE

OJVMSYS UNLIMITED TABLESPACE RESOURCE
OUTLN UNLIMITED TABLESPACE RESOURCE
PM UNLIMITED TABLESPACE RESOURCE
SH UNLIMITED TABLESPACE RESOURCE
SYS UNLIMITED TABLESPACE RESOURCE
XDB UNLIMITED TABLESPACE RESOURCE
a ble
15 rows selected.
f e r
ans
SQL>
n - t r
b. no
Find other users who may be granted the UNLIMITED TABLESPACE privilege by
a
querying the DBA_SYS_PRIVS view.
h a s
SQL> SELECT grantee FROM dba_sys_privs m) ฺ
c o i d e
lฺ Gu
WHERE privilege = 'UNLIMITED iTABLESPACE'
a grantee
AND
g
grantee NOT IN (SELECT m e n t
FROM dba_sys_privs aJOIN
t i c S t ud
@ dba_role_privs USING (grantee)
s h this
WHERE granted_role='RESOURCE'
a
AND
r ap u=se'UNLIMITED TABLESPACE')
privilege
f p
ORDER (BY grantee;
i c a e to
a s ht 3 ce4ns 5 6
rap 2 li
ur P
GRANTEE
m --------------------
Fla DBSNMP
ORDDATA
ORDSYS
SI_INFORMTN_SCHEMA
SYSBACKUP
SYSTEM
TOM
WMSYS
8 rows selected.
SQL>

Chapter 2 - Page 11
c. If necessary, revoke the UNLIMITED TABLESPACE privilege from the TOM user.
SQL> REVOKE unlimited tablespace FROM tom;
Revoke succeeded.
SQL> EXIT
$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 2 - Page 12
Practice 2-2: Managing Secure Passwords
Overview
In this practice, a security officer ensures that the use of simple passwords is not possible and
that all users follow strong password management rules. Oracle Database 12c provides
password management by default with one of the three password verification functions effective
by default.
Tasks
1. Determine what limits are applied with the DEFAULT profile. Then, set up password
management by performing the following steps:
a. Preset the default profile to a known set of limits and list the rows related to
password management from the current profiles in the system. Use the SEC account.
Save the command that you use.
$ sqlplus sec
a ble
Enter password: ****** f e r
ans
n - t r
Connected to: o
an
s
64bit Production
) ha
o m ideฺ
With the Partitioning, Oracle Label Security, OLAP, Advanced
c
ailฺ t Gu
Analytics and Real Application Testing options
m
SQL> ALTER PROFILE DEFAULT LIMIT
@ g den
PASSWORD_LIFE_TIME 180
h t ica is Stu
PASSWORD_GRACE_TIME 7
p a s th
a
pr to us
PASSWORD_REUSE_TIME UNLIMITED e
( f
PASSWORD_REUSE_MAX UNLIMITED
h t ica nse
FAILED_LOGIN_ATTEMPTS 10
p a s lice
PASSWORD_LOCK_TIME 1
ra
ur P
;
m
Fla
2 3 4 5 6 7 8
Profile altered.
SQL> set pagesize 40

SQL> col profile format A10
SQL> col limit format A22
SQL> col resource_name format A25
SQL> SELECT profile, resource_name, limit
FROM dba_profiles
WHERE PROFILE = 'DEFAULT'
AND resource_type = 'PASSWORD';
2 3 4
PROFILE RESOURCE_NAME LIMIT
---------- ------------------------ ----------------------
DEFAULT FAILED_LOGIN_ATTEMPTS 10

Chapter 2 - Page 13
DEFAULT PASSWORD_LIFE_TIME 180
DEFAULT PASSWORD_REUSE_TIME UNLIMITED
DEFAULT PASSWORD_REUSE_MAX UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION NULL
DEFAULT PASSWORD_LOCK_TIME 1
DEFAULT PASSWORD_GRACE_TIME 7
7 rows selected.
SQL> SAVE $HOME/labs/default_profile.sql REPLACE

Wrote file /home/oracle/labs/default_profile.sql
SQL> EXIT
a ble
$
f e r
b. Because the password verification function must be owned by SYS, connect as the
ans
SYS user and verify that the default profile is assigned to all users to apply one of the n - t r
no
three available password verification functions. Read each of them and choose the
a
h a s
strongest one. The script explains in the last part how to apply one of the three verify
functions to the DEFAULT profile.
m ) eฺ
o
$ cd $ORACLE_HOME/rdbms/admin
a ilฺc Guid
$ cat utlpwdmg.sql
g m ent
…
t i c a@ Stud - provided from 12c
a s h this
Rem Function: "ora12c_verify_function"
ap use
onwards
Rem
( f p r
c a e o the minimum complexity checks like
tmakes
i
ht minimum
Rem This
ns length of the password, password not same as the
function
Remsthe e
a li
apRem username,c
r etc. The user may enhance this function according
ur P to
F lam Rem the need.

Rem This function must be created in SYS schema.
Rem connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION ora12c_verify_function

(username varchar2,
password varchar2,
old_password varchar2)
…
Rem Function: "ora12c_strong_verify_function" - provided from12c
onwards for
Rem stringent password check requirements.
Rem
Rem This function is provided to give stronger password
complexity function

Chapter 2 - Page 14
Rem that would take into consideration recommendations from
Department of
Rem Defense Database Security Technical Implementation Guide.
CREATE OR REPLACE FUNCTION ora12c_strong_verify_function

(username varchar2,
password varchar2,
RETURN boolean IS
differ integer;
…
Rem Function: "verify_function_11G" - provided from 11G onwards.
Rem a ble
f e r
Rem This function makes the minimum complexity checks like
ans
Rem the minimum length of the password, password not same as the
n - t r
no
Rem username, etc. The user may enhance this function according
a
to
h a s
Rem the need.
m ) eฺ
o
a ilฺc Guid
m ent
CREATE OR REPLACE FUNCTION verify_function_11G
g
(username varchar2,
t i c a@ Stud
password varchar2,
a s h this
ap use
… f p r
( alters
a
-- Thisicscript e to the default parameters for Password
s ht cens
Management
a
r li
ap-- This means that all the users on the system have Password
mur P Management
Fla
-- enabled and set to the following values unless another
profile is
-- created with parameter values set to different value or
UNLIMITED
-- is created and assigned to the user.
ALTER PROFILE DEFAULT LIMIT

PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

Chapter 2 - Page 15
/**
The below set of password profile parameters would take into
consideration
recommendations from Center for Internet Security[CIS Oracle
11g].
ALTER PROFILE DEFAULT LIMIT

PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 20
a ble
f e r
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
ans
*/
n - t r
o
/** s an
) ha
The below set of password profile parameters would take into
c o m ideฺ
ailฺ t Gu
consideration recommendations from Department of Defense
Database
m
g den
Security Technical Implementation Guide[STIG v8R1].
@
h t ica is Stu
ALTER PROFILE DEFAULT
p a s LIMITth
PASSWORD_LIFE_TIME
f p r a 60use
a ( to 365
c
PASSWORD_REUSE_TIME
i
ht cens e
p a s
PASSWORD_REUSE_MAX
l i
5
ra FAILED_LOGIN_ATTEMPTS 3
ur P PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;
F lam $
c. Using SQL*Plus, connect to the database AS SYSDBA and verify that the three
password verification functions are not created yet.
$ sqlplus / AS SYSDBA
Connected to:
64bit Production
SQL> SET ECHO ON
SQL> SELECT object_name, object_type
FROM dba_objects
WHERE object_name LIKE '%VERIFY_FUNCTION%';
2 3

Chapter 2 - Page 16
OBJECT_NAME
----------------------------------------------------------------
----------------
OBJECT_TYPE
-----------------------
ORA12C_STRONG_VERIFY_FUNCTION
FUNCTION
SQL> SELECT LIMIT from dba_profiles

where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION';
2
LIMIT a ble
f e r
--------------------------------------------------------------
ans
NULL
n - t r
a no
SQL>
h a s
Note: If the database had been created without DBCA, it is m ) that
possible
e ฺ no verify functions
o
have been loaded.
a ilฺc Guid
g m ent
Alter the DEFAULT profile to apply the strong
c athe@ d
passworduverification
t the function chosen in task b.
Beware that all new accounts will be under t i
h andthassign S
rules of new password
is another password verify verify function. If you
p s
do not want this situation, create aaprofile function to the
new profile. This allows you p r
toakeep the
u s e profile with the basic password verify
function. (
a se tf o
DEFAULT
t i
h cen c
p a s li functions.
r a
d. Create the
u rP
m SQL> @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
Fla
Function created.
Function created.
Function created.
Grant succeeded.
Function created.

Chapter 2 - Page 17
Grant succeeded.
Function created.
Grant succeeded.
Function created.
a ble
f e r
ans
Grant succeeded.
n - t r
o
s an
) ha
Profile altered.
c o m ideฺ
ailฺ t Gu
The output has been modified to show only the results.
m
@ g den
t i a Saretucreated.
e. Verify that the password verifycfunctions
h
SQL> col OBJECT_NAMEs formathA38
a t is
SQL> col OBJECT_TYPE
f p r ap uformat
s e A20
SQL> SELECT a ( object_name,
to object_type
t i c s e
p a shFROM l i c n
eobject_name
dba_objects
P r a WHERE LIKE '%VERIFY_FUNCTION%';

r
mu
2 3
Fla OBJECT_NAME OBJECT_TYPE

---------------------------------------- --------------------
ORA12C_VERIFY_FUNCTION FUNCTION
ORA12C_STRONG_VERIFY_FUNCTION FUNCTION
VERIFY_FUNCTION_11G FUNCTION
VERIFY_FUNCTION FUNCTION
SQL>

Chapter 2 - Page 18
f. Update the DEFAULT profile with the password verify function.
SQL> ALTER PROFILE default LIMIT
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;
2
Profile altered.
SQL>
g. View the changes applied. Repeat the command from step 2a as the SEC user and
note the differences.
SQL> CONNECT SEC
Enter password: ******
Connected.
a ble
SQL> COL profile format A7
f e r
SQL> COL resource_name format A32
ans
SQL> COL limit format A30 n - t r
SQL> SELECT profile, resource_name, limit a no
FROM dba_profiles
h a s
m ) eฺ
WHERE PROFILE = 'DEFAULT'
o
a
AND resource_type = 'PASSWORD'; ilฺc Guid
g m ent
PROFILE RESOURCE_NAME ca@ d
tuLIMIT
t i S
h this -----------------------
a s
------- ------------------------
f p r ap use
(
a se t o
DEFAULT PASSWORD_LIFE_TIME 180
t i
h cenc
a s
DEFAULT PASSWORD_REUSE_TIME
li
UNLIMITED
rapDEFAULT PASSWORD_REUSE_MAX UNLIMITED
mur P DEFAULT PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
Fla
7 rows selected.
SQL>
h. Create a user and verify that the password is secure with the verify function applied
in the profile.
SQL> CREATE USER ann IDENTIFIED BY xxx12345;
CREATE USER ann IDENTIFIED BY xxx12345
*
ERROR at line 1:
ORA-28003: password verification for the specified password
failed
ORA-20001: Password length less than 9

Chapter 2 - Page 19
SQL> CREATE USER ann IDENTIFIED BY A_xxx12345667890???!!!_yyy;
CREATE USER ann IDENTIFIED BY A_xxx12345667890???!!!_yyy
*
ERROR at line 1:
ORA-00911: invalid character
SQL> CREATE USER ann IDENTIFIED BY A_xxx12345667890_yyy;

CREATE USER ann IDENTIFIED BY A_xxx12345667890_yyy
*
ERROR at line 1:
failed a ble
f e r
ORA-20023: Password must contain at least 2 uppercase
ans
character(s)
n - t r
o
SQL> CREATE USER ann IDENTIFIED BY A_xxx12345667890_Yyy;
s an
) ha
User created.
c o m ideฺ
m ailฺ t Gu
SQL>
@ g den
2. t
What happens to the SYS user whenicaheialters
S u own password?
this
s h s
SQL> CONNECT / ASpa SYSDBA th
Connected. (fpr
a use
i c a e to IDENTIFIED BY oracle_4U;
s t ens
SQL> ALTER
haltered.
USER sys
a
User
ap lic
r
ur P SQL>
F lam Notice that SYS is not under the rules of any password checking function even if
defined in the DEFAULT profile.
3. What happens to a user being granted the SYSDBA privilege when he alters his own
password?
SQL> GRANT sysdba TO tom;
Grant succeeded.
SQL> CONNECT tom AS SYSDBA

Connected.
SQL> ALTER USER tom IDENTIFIED BY oracle_4U;
ALTER USER tom IDENTIFIED BY oracle_4U
*
ERROR at line 1:

Chapter 2 - Page 20
failed
ORA-20023: Password must contain at least 2 uppercase
character(s)
SQL> ALTER USER tom IDENTIFIED BY Strong_pass_6W;

ALTER USER tom IDENTIFIED BY Strong_pass_6W

*
ERROR at line 1:
failed
ORA-20025: Password must contain at least 2 digit(s)
a ble
SQL> ALTER USER tom IDENTIFIED BY Strong_pass_65W;
f e r
ans
n - t r
no
User altered.
s a
h a
m) ifunction
SQL>
o
Notice that TOM falls under the rules of the passwordcchecking d e ฺ defined in the
DEFAULT profile even if being granted the SYSDBA
m ailฺprivilege.
t G u
@ g den
4. t ica toisNULL
Set the password verification function S tinu the DEFAULT profile. In a production
environment, the password a s h hfunction should be set to a password verification
tuse
verification
a p e
remembrance. (f
pr to us
function in the DEFAULT profile. You simple passwords in the course for ease of
t ica n/sAS
SQL> hCONNECT
e SYSDBA
a s
pConnected. lic e
r a
u r P SQL> ALTER PASSWORD_LIFE_TIME
PROFILE default LIMIT
m unlimited
Fla FAILED_LOGIN_ATTEMPTS unlimited
PASSWORD_VERIFY_FUNCTION null;
2 3 4
Profile altered.
SQL>
5. Reset the password of TOM to its initial value and revoke the SYSDBA.
SQL> ALTER USER tom IDENTIFIED BY oracle_4U;
User altered.
SQL> REVOKE sysdba FROM tom;
Revoke succeeded.

Chapter 2 - Page 21
SQL> EXIT
$
6. The security officer now defines different DEFAULT profiles within pdb1 and pdb2
setting the following password limits:
− In pdb1: A lifetime period set to 1 minute (for the purpose of this practice) and no
password verify function
− In pdb2: Account locked after 2 failed login attempts only and the password verify
function set to ora12c_strong_verify_function
a. Set ORACLE_SID and ORACLE_HOME to point to the CDB instance.
$ . oraenv
ORACLE_SID = [orcl] ? dbsec
a ble
The Oracle base … /u01/app/oracle
f e r
$ sqlplus / as sysdba
ans
n - t r
Connected to:
a no
h a s
64bit Production
m ) eฺ
o
ilฺc Guid
a
g m ent
SQL>
t i c a@ Stud
b. Check whether the PDBs
a s h aretopened.
h isall each
If one, or both, are not opened
(MOUNTED), you
r a p one
can open
s e them time the instance is restarted. The
( f p to u
following demonstrates PDB open and one mounted.
t ica name,
SQL> select
h n s e open_mode from v$pdbs;
p a s lice
ra NAME
ur P
OPEN_MODE
------------------------------ ----------
m
Fla PDB$SEED READ ONLY
PDB1 READ WRITE
PDB2 MOUNTED
You can open all PDBs by using the alter command, or create a trigger to open all
when the instance is started. Do this only if needed.
Discuss the security advantages and disadvantages of using a trigger.
SQL> alter pluggable database all open;
Pluggable database altered.
SQL>CREATE TRIGGER open_all_PDBs

AFTER STARTUP ON DATABASE

Chapter 2 - Page 22
begin
execute immediate 'alter pluggable database all open';
end open_all_PDBs;
/
Trigger created.
SQL>
7. Alter the DEFAULT profile in the PDBs and verify the profile in the root container.
a. Connect to pdb1 as SYSTEM to alter the DEFAULT profile.
SQL> CONNECT system@pdb1
a ble
Connected.
f e r
ans
PASSWORD_LIFE_TIME 1/1440 n - t r
PASSWORD_VERIFY_FUNCTION null; a no
2 3
h a s
m ) eฺ
Profile altered.
o
a ilฺc Guid
SQL> COL profile format A7 g m ent
SQL> COL resource_name format
t i c a@ A32
S tud
SQL> COL limit format
a s hA30 this
r ap use
SQL> @$HOME/labs/default_profile.sql
f p
a ( t o
i c
ht RESOURCE_NAME
PROFILE
ns e LIMIT
a s li c e
rap
------- ----------------------------- -----------------------
ur P
DEFAULT FAILED_LOGIN_ATTEMPTS UNLIMITED
m DEFAULT PASSWORD_LIFE_TIME .0006
Fla DEFAULT PASSWORD_REUSE_TIME UNLIMITED
7 rows selected.
SQL>

Chapter 2 - Page 23
b. Connect to pdb2 as SYSTEM to alter the DEFAULT profile.
Connected.
2 3 ALTER PROFILE default LIMIT

*
ERROR at line 1:
ORA-07443: function ORA12C_STRONG_VERIFY_FUNCTION not found
a ble
SQL> CONNECT sys@pdb2 AS SYSDBA
f e r
ans
Connected.
n - t r
o
SQL> @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
s an
) ha
Function created.
c o m ideฺ
m ailฺ t Gu
@ g den
Function created.
h t ica is Stu
p a s th
a
pr to us e
( f
ica nse
Function created.
h t
s lice
a p a
r
ur P
Grant succeeded.
m
Fla
Function created.
Grant succeeded.
Function created.
Grant succeeded.
Function created.

Chapter 2 - Page 24
Grant succeeded.
Profile altered.
SQL> CONNECT sys@pdb2 AS SYSDBA

Connected.
a ble
f e r
2 3
ans
Profile altered.
n - t r
a no
h a s
LIMITom
) eฺ
ilฺc Guid
PROFILE RESOURCE_NAME
a
------- ------------------------ -----------------------
t
DEFAULT FAILED_LOGIN_ATTEMPTS gm 10 en
DEFAULT PASSWORD_LIFE_TIME
t i c a@180Stud
DEFAULT PASSWORD_REUSE_TIMEa s h this UNLIMITED
p r ap use UNLIMITED
DEFAULT PASSWORD_REUSE_MAX
f
a ( to
t i c s e
DEFAULT PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
p a sh PASSWORD_LOCK_TIME
DEFAULT
l i c en 1
ra DEFAULT PASSWORD_GRACE_TIME 7
mur P
Fla 7 rows selected.
SQL>

Chapter 2 - Page 25
c. Connect to the root container of dbsec as SYSTEM and display the DEFAULT
profile.
SQL> CONNECT system
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
PROFILE RESOURCE_NAME LIMIT

a ble
------- ---------------------------- ------------------- f e r
ans
n - t r
DEFAULT PASSWORD_LIFE_TIME 180 o
DEFAULT PASSWORD_REUSE_TIME UNLIMITED
s an
) ha
c o m ideฺ
DEFAULT PASSWORD_LOCK_TIME
m ailฺ t Gu
1
DEFAULT PASSWORD_GRACE_TIME
@ g den
7
h t ica is Stu
7 rows selected. as th
a p e
( f pr to us
icthea rootncontainer
SQL>
h t
Notice that
s e se has its own DEFAULT profile.
rapa lic
mur P
Fla

Chapter 2 - Page 26
d. Set the password verification function to NULL in the DEFAULT profile. Set the
password lifetime to unlimited so that passwords do not expire during the course.
You use simple passwords in the course for ease of remembrance.
FAILED_LOGIN_ATTEMPTS unlimited
PASSWORD_LIFE_TIME unlimited
2 3 4
Profile altered.

Connected.
a ble
f e r
FAILED_LOGIN_ATTEMPTS unlimited
ans
PASSWORD_LIFE_TIME unlimited
n - t r
o
s an
2 3 4
) ha
Profile altered.
c o m ideฺ
m ailฺ t Gu
@ g den
ica is Stu
Enter password:
Connected.
s h t
SQL> ALTER PROFILEadefault
a p e thLIMIT
p r
FAILED_LOGIN_ATTEMPTS
( f u s unlimited
c a se t
PASSWORD_LIFE_TIME o unlimited
t i
p a sh PASSWORD_VERIFY_FUNCTION
l i c e n null;
ra 2 3 4
ur P Profile altered.
F lam
SQL> EXIT
$

Chapter 2 - Page 27
Practice 2-3: Using Basic OS Authentication Method
Overview
In this practice, in a first step, you explore basic authentication techniques for implementing a
no-password login and the weaknesses of this method.
Assumptions
In your company, there are several situations that require exceptions to the standard password
policies. Batch jobs should not have passwords embedded in the script or command line. This
practice uses the orcl instance. Code may be found in the $HOME/labs/USERS directory.
Tasks
1. A batch job that runs as the fred operating system user should be able to connect to the
database as the FRED database user without having to embed the database password in
a ble
the batch file. f e r
ans
Configure OS_AUTHENT_PREFIX to allow the OS user and database user to have the
n - t r
a no
same string. What is the default value of OS_AUTHENT_PREFIX? Is it a static parameter?
Connect to the database as the SYS user. Set the OS_AUTHENT_PREFIX parameter to ''.”
h a s
$ . oraenv
m ) eฺ
o
a ilฺc Guid
The Oracle base for
g m ent
a @ t u d
ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1 is
/u01/app/oracle
s h tic is S
a p a e th
Connectedato: (fpr to us
h c nse12c Enterprise Edition Release 12.1.0.2.0
tiDatabase
p a s
Oracle
l i c e -
ra 64bit Production
ur P
m Analytics and Real Application Testing options
Fla
SQL> show parameter OS_AUTHENT_PREFIX
NAME TYPE VALUE

-------------------------- ---------- -----
os_authent_prefix string ops$
SQL>
SQL> column value format A10
SQL> column name format A24
SQL> select name, value, isdefault, ISSYS_MODIFIABLE
from v$parameter
where name = 'os_authent_prefix';
2 3
NAME VALUE ISDEFAULT ISSYS_MOD
-------------------------- ---------- --------- ---------

Chapter 2 - Page 28
os_authent_prefix ops$ TRUE FALSE
SQL> ALTER SYSTEM SET OS_AUTHENT_PREFIX='';

ALTER SYSTEM SET OS_AUTHENT_PREFIX=''
*
ERROR at line 1:
ORA-02095: specified initialization parameter cannot be modified
SQL> ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE;
System altered.
a ble
f e r
Database closed.
ans
n - t r
o
ORACLE instance shut down.
s an
SQL>
) ha
SQL> STARTUP
c o m ideฺ
ORACLE instance started.
m ailฺ t Gu
@ g dbytes e n
Total System Global Area a501059584
t ic2289400
S u
tbytes
Fixed Size h s
thi bytes
s 264241416
Variable Size apa e
(
Database Buffers f pr to us226492416 bytes
h t ica nse
a s c e
limounted.
rapDatabase
ur P
Database opened.
m SQL>
Fla 2. Create the database user FRED, using the IDENTIFIED EXTERNALLY clause. Allow
FRED to connect to the database.
As the SEC user, create the FRED user and grant the CREATE SESSION privilege.
SQL> CONNECT SEC
Enter password: *****
Connected.
SQL>
SQL> CREATE USER FRED IDENTIFIED EXTERNALLY;
User created.
SQL>
SQL> GRANT CREATE SESSION TO FRED;

Chapter 2 - Page 29
Grant succeeded.
SQL> ALTER USER FRED

DEFAULT TABLESPACE USERS
QUOTA UNLIMITED ON USERS;
2 3
User altered.
SQL> EXIT
$
3. Test the connection as the fred user. Log in to the OS as the fred user. (If the OS
user fred does not exist, run the $HOME/labs/USERS/create_osuser_fred.sh
script.) The OS password for fred is oracle. Set the environment variables, and note
a ble
that the oraenv command may provide extra information as the user is not part of the f e r
DBA group. Connect to the database with the “/” connect string. ans
n - t r
o
an
$ su - fred
Password: *****
ha s
$ . oraenv )
m ideฺ
c o
ailฺ t Gu
ORACLE_SID = [fred] ? orcl
m
ORACLE_BASE environment variable is not being set since this
g den
@
information is not available for the current user ID fred.
h t ica is Stu
You can set ORACLE_BASE manually if it is required.
p a s th
Resetting ORACLE_BASE to its previous value or ORACLE_HOME
a
pr to us e
( f
The Oracle base has been set to
h t ica nse
/u01/app/oracle/product/12.1.0/dbhome_1
p a s lice
$ sqlplus /
ra
ur P Connected to:
F lam Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -

64bit Production
SQL> SHOW USER

USER is "FRED"
SQL> EXIT
$ exit
logout
$
Notice that any connection using an OS or password authentication provides the “Last
Successful Logon Time” for non-SYS users. You can see it in the SQL*Plus banner. You
will see the message when you connected at least once before.

Chapter 2 - Page 30
Practice 2-4: Observing Passwords in Database Links
Overview
In this practice, you explore the protection of passwords for database links in Oracle Database
12c. Switch your environment, using oraenv, to point to the dbsec instance.
Tasks
1. Create and test a database link in the PDB1 pluggable database. Log in as the oracle
OS user. As the SYSTEM database user, create a database link for the HR user to the
ORCL database. (Hint: Verify that both instances are up, and that PDB1 is open.)
CREATE PUBLIC DATABASE LINK test_hr
CONNECT TO hr IDENTIFIED BY oracle_4U
USING 'ORCL';
a ble
f e r
Note: Only users with the CREATE PUBLIC DATABASE LINK privilege can execute this ans
command. n - t r
$ echo $ORACLE_SID a no
dbsec h a s
m ) eฺ
$ sqlplus system@pdb1
o
Enter password: ****** a ilฺc Guid
g m ent
Connected to:
t i c a@ Stud
Oracle Database 12c a s h this Edition Release 12.1.0.2.0
Enterprise -
64bit Production
f p r ap use
a (
With the Partitioning, to options
OLAP, Advanced Analytics and Real
i c
ht cens
Application e
Testing
a s li
ap
SQL>
r
ur P
SQL> CREATE PUBLIC DATABASE LINK test_hr
m CONNECT TO hr IDENTIFIED BY oracle_4U
Fla USING 'ORCL';
2 3
Database link created.
SQL>
2. Test the database connection as the SCOTT database user by selecting from the
EMPLOYEES table through the database link.
Any database user can use this database link because it is declared PUBLIC.
Connected as SYSTEM, open the SCOTT account, and then test the database link.
SQL> ALTER USER scott IDENTIFIED BY oracle_4U ACCOUNT UNLOCK;
User altered.
SQL> connect scott@pdb1

Chapter 2 - Page 31
Connected.
SQL> select max(salary) from employees@test_hr;

MAX(SALARY)
-----------
24000
SQL>
3. View the data dictionary information about the database link. Note the Database Link
may include the EXAMPLE.COM domain. Find the username and password as they are
stored in the database.
a ble
a. Connect as SYSTEM and query the DBA_DB_LINKS view for database link f e r
ans
information.
n - t r
o
an
ha s
Connected. )
m ideฺ
c o
ailฺ t Gu
SQL> COL username FORMAT A16
SQL> COL owner FORMAT A16
m
g den
SQL> COL db_link FORMAT A16 @
h t ica is Stu
SQL> SELECT owner, db_link, username FROM DBA_DB_LINKS;
p a s th
a
pr DB_LINK
us e
OWNER
( f t o USERNAME
t ica nse ---------------- ----------------

----------------
h
a s lice TEST_HR
PUBLIC
p HR
ra
m ur P SQL> SELECT name, authusr, authpwd, passwordx, authpwdx
Fla FROM SYS.LINK$;
2 FROM LINK$
*
ERROR at line 2:
SQL>
The SYSTEM user is granted the SELECT ANY DICTIONARY privilege but cannot view
the SYS.LINK$ table.

Chapter 2 - Page 32
4. View the base SYS table for the database links. As the SYS user, view the LINK$ table.
Is the password visible in this table? Describe the table to view all columns. Query the
table to view passwords. Note that all passwords are encrypted. None are stored in clear
text.
SQL> CONNECT / as sysdba
Connected.
SQL> desc link$
Name Null? Type

-------------------------- -------- -------------------
OWNER# NOT NULL NUMBER
NAME NOT NULL VARCHAR2(128)
CTIME NOT NULL DATE a ble
f e r
HOST VARCHAR2(2000)
ans
USERID VARCHAR2(128)
n - t r
PASSWORD VARCHAR2(128)
a no
FLAG NUMBER
h a s
AUTHUSR ) eฺ
VARCHAR2(128)
m
o
AUTHPWD
ilฺc Guid
VARCHAR2(128)
a
PASSWORDX
g m ent
RAW(128)
AUTHPWDX
t i c a@ Stud
RAW(128)
SQL> SELECT name,pa

sh
authusr,th
is
f p r a use authpwd, passwordx, authpwdx
(
FROM LINK$;
a to
2 i c
ht cens e
noas
rap li
rows selected
m ur P SQL>
Fla Note that you are connected to the root container. You created the database link in the
PDB1 container. Use either the ALTER SESSION or CONNECT to switch containers.
Note that the passwordx and authpwdx columns are represented as hex numbers and
may be different in your environment.
SQL> ALTER SESSION SET CONTAINER=PDB1;
Session altered.
SQL> # Use the above ALTER SESSION *OR* the following CONNECT
SQL> CONNECT sys@pdb1 as sysdba
Connected.
SQL> SELECT name, authusr, authpwd, passwordx, authpwdx


Chapter 2 - Page 33
FROM LINK$;
2
NAME
--------------------------------------------------------
AUTHUSR
--------------------------------------------------------
AUTHPWD
--------------------------------------------------------
PASSWORDX
--------------------------------------------------------
AUTHPWDX
a ble
--------------------------------------------------------
f e r
TEST_HR
ans
n - t r
a no
a
07C3AA3161B61534381479C836FC0B4681E68548F32D28845EC40B1A
h s
m ) eฺ
o
7A4A5421A6D84FE46C53B1E374BF928D0ED35AE8B1E4D9CC5E08A1F7
a ilฺc Guid
13471B9CB6C61ED3345FC4D8C75504AA127AD3EB564FA583EE3117BB
g m ent
37209801CA3F0156C5360F0C2A14A261D6380A100F1ED93257D72C4D
ED56E34907B613BCC96C0AB90F1D9E6
t i c a@ Stud
a s h this
f p r ap use
SQL> a ( to
i c
ht cens e
a s li
rap
mur P
Fla

Chapter 2 - Page 34
Practice 2-5: Restricting Database Links With Views
Overview
In this practice, you restrict the access to tables in the HR schema authorized by the
hrviewlink database link.
Tasks
1. While you are still connected to pdb1, create the MIKE user and grant him the HR_MGR
role. This may be done as SYS, SYSTEM, or an account such as SEC which was created
in the orcl instance. Discuss the implications of using each one.
SQL> SET ECHO ON
SQL> DROP ROLE HR_MGR;
DROP ROLE HR_MGR
a ble
* f e r
ans
ERROR at line 1:
n - t r
ORA-01919: role 'HR_MGR' does not exist o
s an
SQL> CREATE ROLE HR_MGR;
) ha
c o m ideฺ
Role created.
m ailฺ t Gu
@ g den
SQL> DROP USER mike CASCADE;
h t ica is Stu
DROP USER mike CASCADE
p a s th
* pr a us e
( f t o
ERROR at
h t ica user
line
n se'MIKE' does not exist
1:
s
ORA-01918: e
rapa lic
ur P SQL> CREATE USER mike identified by oracle_4U;
F lam
User created.
SQL> GRANT CREATE SESSION TO mike;
Grant succeeded.
SQL> GRANT HR_MGR to mike;
Grant succeeded.
SQL>

Chapter 2 - Page 35
2. Create the hrviewlink database link.
SQL> CONNECT hr@pdb1
Enter password:
ERROR:
ORA-28000: the account is locked
Warning: You are no longer connected to ORACLE.

Connected.
SQL> ALTER USER hr IDENTIFIED BY oracle_4U ACCOUNT UNLOCK;
a ble
User altered.
f e r
ans
SQL> CONNECT hr@pdb1 n - t r
Enter password: ****** a no
Connected. h a s
m ) eฺ
SQL> DROP DATABASE LINK hrviewlink;
o
DROP DATABASE LINK hrviewlink a ilฺc Guid
* g m ent
ERROR at line 1:
t i c a@ Stud
a s h this
ORA-02024: database link not found
f p r ap use
SQL> CREATE a ( DATABASE
to LINK hrviewlink CONNECT TO hr IDENTIFIED BY
i c
ht cUSING
oracle_4U e
ns 'orcl';
a s li e
rap
ur P
Database link created.
m
Fla SQL>
3. Create the employees_vw view and check that it allows you to retrieve
HR.EMPLOYEES@hrviewlink rows.
SQL> CREATE VIEW employees_vw as
SELECT * FROM HR.EMPLOYEES@hrviewlink;
2
View created.
SQL> GRANT select, insert, update, delete on EMPLOYEES_VW to

HR_MGR;
Grant succeeded.
SQL> SELECT employee_id, salary

Chapter 2 - Page 36
FROM employees@hrviewlink
WHERE employee_id = 206;
2 3
EMPLOYEE_ID SALARY
----------- ----------
206 8300
SQL>
4. Connect as MIKE and test the view.
SQL> CONNECT mike@pdb1
a ble
Connected.
f e r
SQL> UPDATE hr.EMPLOYEES_VW SET SALARY = 10000 ans
n - t r
o
2
s an
1 row updated.
) ha
c o m ideฺ
SQL> SELECT employee_id, salary FROM
m ailฺ hr.employees_vw
t G u
WHERE employee_id = 206; g
@ d e n
2
h t ica is Stu
EMPLOYEE_ID a
SALARY
p s th
a
pr 10000
----------- ----------
us e
( f t o
h t ica nse
206
p a s ROLLBACK;
l i c e
ra SQL>
mur P
Fla
Rollback complete.
SQL>
5. Attempt to view some other table HR.DEPARTMENTS of the HR schema.
SQL> SELECT * FROM hr.departments@hrviewlink;
SELECT * FROM hr.departments@hrviewlink
*
ERROR at line 1:
ORA-02019: connection description for remote database not found
SQL> EXIT
$

Chapter 2 - Page 37
Practice 2-6: Configuring the External Secure Password Store
Overview
In this practice, you configure the External Secure Password Store to hide passwords in batch
job scripts.
Assumptions
You successfully completed Practice 2-1 Task 1.
Tasks
The batch processes have been moved to a client machine. The batch processes will continue
using the /@netservice_name login for database connections. However, you must follow
security best practices: hence remote OS authentication (REMOTE_OS_AUTHENT) is not
allowed. Configure the external secure password store for the fred user to connect as the HR a ble
f e r
database user.
ans
1. Log in to the operating system as fred.
n - t r
$ su - fred
a no
Password: ******
h a s
$
m ) eฺ
o uid
a ilฺc /home/fred/oracle/wallet
2. Create the following directories required for this practice:
G
and /home/fred/oracle/network.
g m ent
a@ toSbe
Set the permissions on the wallet directory
c d
tuaccessible only to fred.
t i
h this
$ mkdir /home/fred/oracle
a s
r ap use
$ mkdir /home/fred/oracle/wallet
f p
a ( to
$ mkdir /home/fred/oracle/network
i c e
t /home/fred/oracle
$ ls h-l ns
a s
ptotal 8 li c e
r a
u r P drwxr-xr-x 2 fred users 4096 Jan 20 16:35 network
m
Fla
drwxr-xr-x 2 fred users 4096 Jan 20 16:35 wallet
$ chmod 700 /home/fred/oracle/wallet
$ ls -l /home/fred/oracle
total 8
drwxr-xr-x 2 fred users 4096 Jan 20 16:35 network
drwx------ 2 fred users 4096 Jan 20 16:35 wallet
$

Chapter 2 - Page 38
3. Create and configure the client-side Oracle wallet in the following directory that is
accessible only to fred: /home/fred/oracle/wallet.
If the wallet does not exist, create the client wallet using the command mkstore -wrl
<wallet_location> -create where <wallet_location> is the path to the directory
where you want to create and store the wallet. This command creates an Oracle wallet with
the auto login feature enabled at the location you specify. When auto login is enabled for a
wallet, only the operating system user who created it can manage it.
a. Use the mkstore utility. Set the wallet password to welcome1.
$ . oraenv
ORACLE_SID = [fred] ? orcl
The Oracle base for
/u01/app/oracle
a ble
$ mkstore -wrl /home/fred/oracle/wallet -create
f e r
Oracle Secret Store Tool : Version 11.2.0.1.0 - Production
ans
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All n - t r
rights reserved.
a no
h a s
Enter password again: *******
m ) eฺ
o
$
a ilฺc Guid
m en-wrl
b. Add credentials to the wallet by usinggmkstore t <wallet_location> -
a@
createCredential <db_connect_string>
c d <username> [<password>]
tualias
where <db_connect_string> t i
h this is a S
TNS or any service name used to
a s
p to The
connect to the database. service name specified in the mkstore command and
the service name r a
p to u
used s e
connect to the database (in connect
( f
a se must be identical. Add credentials to the wallet so that
t i c
/@<db_connect_string>)
p a sh cancconnect
fred
enthe username
hr_sec,liwith
to the HR schema without a password. Set the service name to
hr and the password oracle_4U.
ra
ur P $ mkstore -wrl /home/fred/oracle/wallet -createCredential hr_sec
F lam hr
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All
rights reserved.
Your secret/Password is missing in the command line
Enter your secret/Password: (oracle_4U)
Re-enter your secret/Password: (oracle_4U)
Enter wallet password: (welcome1)
Create credential oracle.security.client.connect_string1
$

Chapter 2 - Page 39
4. Still logged in as fred, set the $TNS_ADMIN environment variable to
/home/fred/oracle/network. Edit the .bashrc file with vi or gedit. The .bashrc
file is in the /home/fred directory. Change the .bashrc file by adding the following
line: export TNS_ADMIN=/home/fred/oracle/network
a. Edit the .bashrc file. to look like the following:
# .bashrc
# Source global definitions

if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific aliases and functions
a ble
export TNS_ADMIN=/home/fred/oracle/network
f e r
b. Force the changes to take effect and verify that they have.
ans
$ source ./.bashrc n - t r
$ echo $TNS_ADMIN a no
/home/fred/oracle/network h a s
m ) eฺ
$
o uid
a ilฺtoc /home/fred/oracle/network.
5. Copy the sqlnet.ora file from /home/oracle/labs/admin G
$ cd /home/fred/oracle/networkg
m ent
t i
$ cp /home/fred/labs/admin/sqlnet.ora c a@ Stud ./
a s h this
ap usethat the following lines are included:
$
6. View the sqlnet.ora f p
( = tor
file, and verify
c a
t = ense
i
WALLET_LOCATION
s h
r a pa (METHOD
(SOURCE
lic = FILE)
u rP (METHOD_DATA =
m
Fla (DIRECTORY =
/home/fred/oracle/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
The sqlnet.ora file has three parameters for configuring the secure external password
store: WALLET_LOCATION, SQLNET.WALLET_OVERRIDE, and
SQLNET.AUTHENTICATION.SERVICES.
• WALLET_LOCATION points to the directory where the wallet resides; this parameter
exists in earlier versions.
• Ensure the SQLNET.WALLET_OVERRIDE parameter is set to TRUE. This setting
causes all CONNECT /@db_connect_string statements to use the information in
the wallet at the specified location to authenticate to databases.

Chapter 2 - Page 40
• If an application uses SSL for encryption, the sqlnet.ora parameter,
SQLNET.AUTHENTICATION_SERVICES, specifies SSL and an SSL wallet is created.
If this application wants to use secret store credentials to authenticate to databases
(instead of the SSL certificate), those credentials must be stored in the SSL wallet. If
SQLNET.WALLET_OVERRIDE = TRUE, the usernames and passwords from the wallet
are used to authenticate to databases. If SQLNET.WALLET_OVERRIDE = FALSE, the
SSL certificate is used.

$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, LDAP)
WALLET_LOCATION =
(SOURCE =
a ble
(METHOD = FILE)
f e r
(METHOD_DATA =
ans
(DIRECTORY = n - t r
/home/fred/oracle/wallet))) a no
h a s
m ) eฺ
SQLNET.WALLET_OVERRIDE = TRUE
o
a ilฺc Guid
The NAMES.DIRECTORY_PATH line may be g m ent
ignored.
i c a@ Stud file to
7. Copy the $ORACLE_HOME/network/admin/tnsnames.ora
t
s
/home/fred/oracle/network/tnsnames.
a h this
p r ap use
$ cp $ORACLE_HOME/network/admin/tnsnames.ora
f tnsnames.ora
(
a se t o
h t i c
8. Edit the /home/fred/oracle/network/tnsnames.ora
n
file. Replace the ORCL alias by
p a s lice
the HR_SEC alias at the beginning of the file:
P ra HR_SEC =
r
mu (DESCRIPTION =
Fla (ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT =
1521))
)
(CONNECT_DATA =
(SERVICE_NAME = orcl.example.com)
)
)
9. Test the configuration by attempting to connect to the database instance with the connect
string /@hr_sec.
$ sqlplus /@hr_sec
Connected to:
64bit Production

Chapter 2 - Page 41
SQL> show user

USER is "HR"
SQL> exit
$
10. List the contents of the wallet. Use the mkstore command with the listCredential
option. Use the following command:
mkstore –wrl /home/fred/oracle/wallet –listCredential
$ mkstore -wrl /home/fred/oracle/wallet -listCredential
a ble
f e r
rights reserved.
ans
n - t r
Enter wallet password:
a no
h a s
List credential (index: connect_string username)
m ) eฺ
o
1: hr_sec hr
a ilฺc Guid
$ exit
g m ent
logout
t i c a@ Stud
$
a s h this
11. As the oracle user, attempt
f p r ap to use
u s ethe wallet belonging to fred to connect with the
a (
connect string /@hr_sec.
to
a. Set TNS_ADMIN
h i c nto e
t/home/fred/oracle/wallet.
s /home/oracle/labs/admin. The sqlnet.ora file is set up to use the
s
wallet at c e
p$ aexport liTNS_ADMIN=/home/oracle/labs/admin
r a
u r P $ cd $TNS_ADMIN
m
Fla $
b. Open the tnsnames.ora file from /home/oracle/labs/admin and edit the same
way as in step 8.
HR_SEC =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = orcl.example.com)
)
)

Chapter 2 - Page 42
c. Test the HR_SEC net service name.
$ tnsping HR_SEC

Used parameter files:

/home/oracle/labs/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS =
(PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))) (CONNECT_DATA
= (SERVICE_NAME = orcl.example.com)))
OK (30 msec)
a ble
f e r
$
ans
d. Attempt to connect using the HR_SEC service name with a password. Use system.
n - t r
$ sqlplus /nolog
a no
h a s
SQL*Plus: Release 12.1.0.2.0 Production m on) Mon Junฺ 17 05:35:29
o e
2013
a ilฺc Guid
g m ent
Copyright (c) 1982, 2013, Oracle.
c a @ tudAll rights reserved.
i
ht this S
a
p se s
f p a******
SQL> connect system@HR_SEC
r u
(
Enter password:
a t o
s h tic ense
Connected
apa
SQL> exitic
r l
ur P
$
m
Fla

Chapter 2 - Page 43
e. Attempt to connect using the HR_SEC service name without a password. This fails
because the wallet is owned by fred and has the restrictive permissions rwx------
as shown in step 2.
$ sqlplus /nolog
SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 17 05:36:28

2013
SQL> connect /@HR_SEC

ERROR:
ORA-12578: TNS:wallet open failed
a ble
f e r
ans
SQL> exit
n - t r
$
a no
f. Clear the TNS_ADMIN environment variable.
h a s
$ unset TNS_ADMIN
m ) eฺ
o
$
a ilฺc Guid
g m ent parameter to the default
12. To clean up after this practice, reset the OS_AUTHENT_PREFIX
values in the ORCL instance.
t i c a@ Stud
a s h this
f p r ap use
Connected to:
a ( to
Oracle i c
htProduction
Database e
ns 12c Enterprise Edition Release 12.1.0.2.0 -
p a s
64bit li c e
r a
u r P AnalyticsPartitioning,
With the Oracle Label Security, OLAP, Advanced
and Real Application Testing options
m
Fla
SQL> ALTER SYSTEM SET OS_AUTHENT_PREFIX='ops$' SCOPE=SPFILE;
System altered.

Database closed.
ORACLE instance shut down.
SQL> STARTUP
Total System Global Area 501059584 bytes


Chapter 2 - Page 44
Database mounted.
Database opened.
SQL> EXIT
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 2 - Page 45
Practice 2-7: Connecting to a CDB or a PDB
Overview
In this practice, you create a common user in the CDB and observe that the common user
connects with the same password in all PDBs in the CDB. In a second step, you create a local
user in each of the two PDBs of the CDB and observe how the local users connect to the PDBs.
Tasks
1. Create the common user C##U1 in dbsec.
$ . oraenv
The Oracle base for
a ble
/u01/app/oracle
f e r
$ sqlplus system
ans
Enter password: ****** n - t r
a no
Last Successful login time: Mon Jun 17 2013 02:46:48 +00:00
h a s
m ) eฺ
Connected to:
o uid 12.1.0.2.0 -
Oracle Database 12c Enterprise Edition
a ilฺc Release
G
64bit Production
g m ent
With the Partitioning, OLAP,
t i c S tud Analytics and Real
a@Advanced
a s h this
p se
pra c##u1
SQL> CREATE(fUSER
t o u IDENTIFIED BY oracle_4U CONTAINER=ALL;
a
tic ense
s h
apa lic
User created.
r
m ur P SQL> GRANT create session TO c##u1 CONTAINER=ALL;
Fla Grant succeeded.
SQL>
2. Connect as C##U1 in root.
SQL> CONNECT c##u1
Connected.
SQL> SHOW CON_NAME
CON_NAME
------------------------------
CDB$ROOT
SQL>

Chapter 2 - Page 46
3. Connect as C##U1 in pdb1.
SQL> CONNECT c##u1@pdb1
Connected.
SQL> SHOW CON_NAME
CON_NAME
------------------------------
PDB1
SQL>
4. Connect as C##U1 in pdb2.
SQL> CONNECT c##u1@pdb2
Enter password: ****** a ble
f e r
Connected.
ans
SQL> SHOW CON_NAME
n - t r
a no
CON_NAME
h a s
------------------------------
m ) eฺ
o
ilฺc Guid
PDB2
SQL> a
m ent
g
SQL> t i c a@ Stud
Notice that the same password a s hused ttohconnect
is is to any container of dbsec.
r p se
aLOCAL_EMPLOYEE
( f
5. Create the local userp t o u in pdb1.
a. Connecttias a
c SYSTEM sein pdb1.
s h
a CONNECT e n
r a pSQL> lic system@pdb1
m ur P Enter password: ******
Fla Last Successful login time: Mon Jun 17 2013 03:13:35 +00:00
Connected to:
64bit Production
SQL>
b. Create the local user LOCAL_EMPLOYEE.
SQL> CREATE USER local_employee IDENTIFIED BY pass_pdb1;
User created.

Chapter 2 - Page 47
SQL> GRANT create session TO local_employee;
Grant succeeded.
SQL>
c. Connect as LOCAL_EMPLOYEE in pdb1.

SQL> CONNECT local_employee@pdb1
Connected.
SQL>
d. Connect as LOCAL_EMPLOYEE in pdb2.
a ble
Enter password: ****** f e r
ans
ERROR:
n - t r
ORA-01017: invalid username/password; logon denied o
s an
) ha
o mORACLE.eฺ
ilฺ Guid
c
Warning: You are no longer connected to
SQL>
m a t
g e n
a. Connect as SYSTEM in pdb2.htic
a@ Stud
6. Create the local user LOCAL_EMPLOYEE in pdb2.
a s t h is
p se
a******
r
(
Enter password:f p t o u
a
tic ense
Connected.
a s h
r a pSQL> lic
u r Pb. Create the local user LOCAL_EMPLOYEE.
l a m SQL> CREATE USER local_employee IDENTIFIED BY pass_pdb2;
F
User created.
SQL> GRANT create session TO local_employee;
Grant succeeded.
SQL>
c. Connect as LOCAL_EMPLOYEE in pdb2.
Connected.
SQL>

Chapter 2 - Page 48
d. Connect as LOCAL_EMPLOYEE in pdb1 with the password assigned to
LOCAL_EMPLOYEE in pdb2.
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.

SQL>
SQL> EXIT
$
a ble
Notice that the password used by the local user to connect to pdb1 and pdb2 are different.
f e r
You may exit the db1 virtual machine and return to your host desktop.
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla

Chapter 2 - Page 49
Practice 2-8: Preparation for Next Lesson
Overview
In this practice, you prepare the EM13 and CL1 virtual machines for the next lesson. Starting
the virtual machine automatically starts Enterprise Manager Cloud Control. Because this
requires no supervision, other activities such as the lecture for the next lesson may occur at the
same time.
Assumptions
You are at the virtual machine host desktop, logged in as user oracle.
Tasks
1. Determine which virtual machines have been started. In this example, cl1 is started and
em13 is not started.
a ble
f e r
$ sudo xm list
ans
Name ID Mem VCPUs State
n - t r
Time(s)
Domain-0 0 1024
a no
2 r----- 207735.6
cl1 3
a
1024
h s 1 -b---- 5582.5
db1 1
m ) eฺ
3072 1 -b---- 18375.4
o
a ilฺc Guid
2. If necessary, start the em13 virtual machine. g m thatethe
Verify n t virtual machine is started by
observing the entry in the list, in either a
c @runningtuordblocked state as indicated in the State
the
column. The content of the ID column t i
h thiTime
and
s Scolumn may be different on your machine.
$ sudo xm create p a s
em13 e
f r a us
pfile t"/etc/xen/em13".
Using config (
a sem13 o
Started
h t icdomainn e (id=6)
s
a sudo xm
p$Name e
lic list
r a
u r P Time(s) ID Mem VCPUs State
m
Fla Domain-0 0 1024 2 r----- 207820.3
cl1 3 1024 1 -b---- 5584.2
db1 1 3072 1 ------ 18409.3
em13 6 9216 1 r----- 4.3
3. If necessary, start the cl1 virtual machine using the same process, substituting cl1 for
em13. In this example, it is not necessary.
The em13 virtual machine automatically starts the Enterprise Manager repository database,
followed by the Enterprise Manager WebLogic Server–based Management Server (OMS). This
can take a significant amount of time.

Chapter 2 - Page 50
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 3: Using
o uidSecurity
a ilฺc User
Enterprise G
g m ent
c a @ tu3 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 3: Using Enterprise User Security

Chapter 3 - Page 1
Practices Overview
In this lesson, you use Enterprise User Security to connect to a database with unknown
database users, but with directory entry users. The Oracle Unified Directory has been installed
on the cl1 virtual machine, and you start that product for use with the orcl instance. You also
register the instance with Enterprise Manager Cloud Control running on the em13 virtual
machine. This practice explains how to:
• Configure and register a database with an LDAP directory.
• Create and map global private schemas and global shared schemas with directory
entries.
• Test the connections as unknown database users.
• Create global roles and enterprise roles, and map them together to assign enterprise
a ble
roles to directory entry users.
f e r
• Test the connections of unknown database users being granted enterprise roles. ans
n - t r
a no
Assumptions
h a s
m
This practice uses the orcl database instance on virtual machine )db1, Oracle
e ฺ Unified Directory
(OUD) and Oracle Directory Services Manager (ODSM) ion c o i d
lฺ Gu cl1, and Enterprise
virtual machine
Manager Cloud Control on virtual machine em13. m a t
g e n
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
p a s li
r a
u rP
m
Fla

Chapter 3 - Page 2
Practice 3-1: Registering a Database with Enterprise Manager
Overview
In this practice, you verify that Oracle Enterprise Manager Cloud Control is operational and
register the orcl instance with Enterprise Manager Cloud Control.
Tasks
1. Enterprise Manager Cloud Control is automatically started when the em13 VM boots,
and typically requires 20 to 30 minutes to start on these virtual machines. To verify it is
operating, log on to the em13 machine as the oracle user and run the following
command:
$ /u01/app/oracle/product/fmw/bin/emctl status oms
Oracle Enterprise Manager Cloud Control 13c Release 1
a ble
Copyright (c) 1996, 2015 Oracle Corporation. All rights
f e r
reserved.
ans
WebTier is Up
n - t r
Oracle Management Server is Up
a no
JVMD Engine is Up
h a s
BI Publisher Server is Down
m ) eฺ
o
ilฺc Guid
BI Publisher is disabled, to enable BI Publisher on this host,
a
m ent
use the 'emctl config oms -enable_bip' command
g
Note that BI Publisher has been disabled
c d required in this course.
a@ asSittisunot
2. If sufficient time has passed andt i
h the tWebTier,
isstartOracle Management Server, or JVMD
Engine are still down, you a s
p se
may attempthto them using the following command:
r a
a (fp to u
$ /u01/app/oracle/product/fmw/install/unix/scripts/omsstup start
s h tic ense
sudo exist
a a Enterprise
pOracle lic Manager Cloud Control 13c Release 1
r
u r P Copyright
reserved.
(c) 1996, 2015 Oracle Corporation. All rights
m
Fla Starting Oracle Management Server...
WebTier Successfully Started
Oracle Management Server Already Started
Oracle Management Server is Up
JVMD Engine is Up
$
Note that the keyword start is on the command line, not on a separate line.
Courtesy scripts status_oms.sh, start_oms.sh and stop_oms.sh that run these
long strings have been placed in /home/oracle/bin, which is available in your PATH
for your convenience.
3. If Enterprise Manager Cloud Control is running, exit the em13 machine and return to the
VM host.

Chapter 3 - Page 3
4. From the host desktop, start a shell with GUI capability on the database machine, start a
browser, and access Enterprise Manager Cloud Control.
a. Access the db1 VM as oracle using the –X flag.
[Host Desktop]$ ssh -X -l oracle db1
oracle@db1's password:
Last login: Thu Dec 8 02:30:52 2016 from 192.0.2.1

[oracle@db1 ~]$
b. Start Firefox as a background process
[oracle@db1 ~]$ firefox &
[1] 3456
[oracle@db1 ~]$
c. Access Enterprise Manager Cloud Control using the following URL:
a ble
https://em13.example.com:7802/em
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
ca Control
d. Log in to Enterprise ManageriCloud
t S tuas user SYSMAN.
a s h t hi s
p e
( f pra to us
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 4
e. If the Welcome page is displayed, you may select the Databases page as your Home
page to minimize the number of pages that you will see while interacting with the
database. This page is also accessible from the Targets menu
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o id
f. Verify that the orcl instance has not been a ilฺc G
registered byu
switching the view to the
Search List. g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla g. The orcl.example.com database Instance should not be in the list, although other
instances may be listed. As an example, the following shows only the
fix1_db1.example.com database instance to be registered.

Chapter 3 - Page 5
5. If the orcl instance is not listed; you need to register it. Part of the registration process
requires a monitoring user to be created and available in the database. User DBSNMP is
usually created for this, but is locked for security reasons. Log on to the DB1 machine,
unlock the DBSNMP user, and assign a password.
a. Log on to the db1 machine as user oracle, from either the em13 machine or the
Desktop Host.
[Host Desktop]$ ssh -l oracle db1

[oracle@db1 ~]$
b. Access the database as SYSTEM, or SEC if the previous lesson has been completed.
[oracle@db1 ~]$ . oraenv
a ble
ORACLE_SID = [oracle] ? orcl
f e r
The Oracle base has been set to /u01/app/oracle
ans
[oracle@db1 ~]$ sqlplus system
n - t r
a no
SQL*Plus: Release 12.1.0.2.0 Production on Thu
h a sDec 8 03:07:04
2016
m ) eฺ
o uidreserved.
lฺc rights
a iAll G
Copyright (c) 1982, 2014, Oracle.
g m ent
t i c a@ Stud
Enter password:
a s h this
Last Successful login
r a p time:
s e Wed Oct 26 2016 11:14:42 -05:00
a (fp to u
Connected
h c to:nse
tiDatabase
a s
Oracle
p l i c e 12c Enterprise Edition Release 12.1.0.2.0 -
ra 64bit Production
ur P With the Partitioning, OLAP, Advanced Analytics and Real
F lam Application Testing options
SQL>
c. Unlock the DBSNMP user and assign a password. Note this password because it will
be required in task 6.
SQL> alter user dbsnmp account unlock identified by oracle_4U;
User altered.
SQL>
d. Exit from the database and the db1 machine.
If the terminal appears to hang when you exit a VM, you may use Control + C to
complete the exit.

Chapter 3 - Page 6
6. Register the database in Enterprise Manager Cloud Control.
You are encouraged to become more familiar with the Enterprise Manager Cloud Control
Console by discovering things on your own. For example, the db1 host has already been
added, as can be confirmed by reviewing the Hosts target.
a. In Manager Cloud Control, select the Setup menu, select the Add Target submenu,
and select Add Targets Manually.
a ble
f e r
ans
b. Click the Add Using Guided Process button.
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 7
c. Select the Oracle Database, Listener and Automatic Storage Management
discovery process. Depending on your screen size, the phrase may be truncated.
Click the Add button in the lower-right corner of the selection screen.
a ble
f e r
ans
n - t r
a no
h a s
d. On the Database Discovery: Search Criteria page, click)the Search
ฺ icon ,
o m e
page. a ilฺc Guid
highlight the db1.example.com row, and click Select to return to the Search Criteria
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
e. Click Next.
f. Select the orcl.example.com target, enter the DBSNMP password that you set
previously, and click Test Connection.

Chapter 3 - Page 8
g. The Information pop-up should indicate that the connection test was successful. If it
was not, review step 5 to ensure user DBSNMP is unlocked and you are using the
correct password. Dismiss the pop-up. You may repeat the test as needed after
correcting the information.
h. If a Listener target has been discovered, you may optionally select that as well.
i. Click Next in the upper-right area to proceed to the Review page.
j. Click Save in the upper-right area to proceed. If a Confirmation pop-up appears, click
Close to return to the Add Targets Manually page.
k. Return to the Database target page and select the new orcl.example.com link to
access the database home page.
a ble
f e r
ans
n - t r
a no
h a s
l. Note the menu selections on the database home page,
m )and ineparticular
ฺ note the
o
selections in the Security menu.
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
rap
m ur P m. You do not require Enterprise Manager Cloud Control for the next few tasks. Note,
Fla however, how you started the browser for future reference.

Chapter 3 - Page 9
Practice 3-2: Starting and Configuring Oracle Unified Directory
Overview
Oracle Enterprise User Security uses LDAP to provide a central storage of usernames, roles
and passwords. The LDAP schema is available for Oracle Internet Directory (OID) and Oracle
Unified Directory (OUD), both of which can be configured to synchronize with other directories
such as Microsoft Active Directory.

Oracle Unified Directory version 11.1.2.3, together with the Oracle Directory Services Manager
GUI administration tool (ODSM), have been installed on the cl1 virtual machine. The OUD and
ODSM installation and configuration steps are described in the Oracle Fusion Middleware
Administrator’s Guide for Oracle Unified Directory (Release 11.1.2) in Chapter 28 “Integrating
Oracle Unified Directory with Oracle Enterprise User Security”.
You will start up OUD as well as WebLogic Server (WLS) version 10.3.6, which is required to
run ODSM. You will then use ODSM to verify that that OUD configuration is correct. This
a ble
configuration uses ports 1389, 1636, 1689 for LDAP, 4444 for management, and 7001 for WLS
f e r
and ODSM access.
ans
n - t r
Tasks
a no
1. Log on to the cl1 machine as the oracle user.
h a s
[Host Desktop]$ ssh –l oracle cl1 m ) eฺ
o
oracle@cl1's password:
a ilฺc Guid
Last login: Thu Dec 8 07:07:17 g m2016 efrom
n t 192.0.2.1
[oracle@cl1 ~]$
t i c a@ Stud
2. Use the start-ds command,
a s hfoundtinhithe
s bin directory of the directory server
instance. The directory r p instance,
aserver s e asinst_1, has been created in the Oracle
Middleware directory f p u
( treetato /u01/app/oracle/Middleware. OUD has been
installed ini c a
t ense tree at /u01/app/oracle/Middleware/Oracle_OUD, and
the directory
a s h has cbeen installed in the directory tree at
asinst_1
p l i
u r Pra/u01/app/oracle/Middleware/asinst_1. For convenience, a start_ds.sh
script is in your PATH. Optionally, review the script. Start the directory server and
l a m observe the message “The Directory Server has started successfully.”
F [oracle@cl1 ~]$ cat bin/start_ds.sh
#!/bin/bash
cd /u01/app/oracle/Middleware/asinst_1/OUD/bin
./start-ds
[oracle@cl1 ~]$ start_ds.sh
[08/Dec/2016:07:54:28 -0500] category=CORE severity=INFORMATION
msgID=132 msg=The Directory Server is beginning the
configuration bootstrapping process
[08/Dec/2016:07:54:31 -0500] category=CORE severity=NOTICE
msgID=458886 msg=Oracle Unified Directory 11.1.2.3.0 (build
20150414142803Z, R1504140602) starting up
… many information lines removed

Chapter 3 - Page 10
[08/Dec/2016:07:54:40 -0500] category=PROTOCOL severity=NOTICE
msgID=2556180 msg=Started listening for new connections on LDAP
Connection Handler 0.0.0.0 port 1389
msgID=458887 msg=The Directory Server has started successfully
msgID=458891 msg=The Directory Server has sent an alert

notification generated by class
org.opends.server.core.DirectoryServer (alert type
org.opends.server.DirectoryServerStarted, alert ID 458887): The
Directory Server has started successfully
[oracle@cl1 ~]$
3. The directory service manager, ODSM, is a rich GUI built using Oracle’s Application
Development Framework that runs in the WebLogic Server environment. To make
a ble
ODSM available, you must start the WebLogic Server that hosts that application by
f e r
running the startWebLogic.sh from the WLS domain. WLS requires some
ans
environment settings to be set up prior to running. Also, startup is very detailed and can
n - t r
a no
take some time. A courtesy script has been created to initiate and monitor the startup
process. Run the start_wls.sh script and wait until completion. This may take
approximately 3 minutes. h a s
m ) eฺ
o
ilฺc Guid
[oracle@cl1 ~]$ start_wls.sh
a
m ent
/u01/app/oracle/Middleware/user_projects/domains/base_domain/bin
g
tud for RUNNING
[email protected]
+++++++++++++++++++++++++++++++++++++++++++++++++++++
WebLogic Server is starting t i c
h this
a s
ap use
-----------------------------------------------------
java versionfp
( r
"1.7.0_79"
Java(TM)
i c a e
SE Runtimeto Environment (build 1.7.0_79-b15)
s t ens 64-Bit Server VM (build 24.79-b02, mixed mode)
hHotSpot(TM)
a
Java
apWaiting 15 lic seconds (1 of 15)
r
ur P Waiting 15 seconds (2 of 15)
F lam Dec 08, 2016 8:13:39 AM
oracle.security.jps.internal.idstore.util.LibOvdUtil
pushLdapNamesToLibOvd
INFO: Pushed ldap name and types info to libOvd. Ldaps :
DefaultAuthenticator:idstore.ldap.provideridstore.ldap.
Dec 08, 2016 8:13:46 AM oracle.security.jps.JpsStartup start
INFO: Jps initializing.
Dec 08, 2016 8:13:46 AM oracle.security.jps.JpsStartup start
INFO: Jps started.
Waiting 15 seconds (3 of 15)

Chapter 3 - Page 11
Started ...
[oracle@cl1 ~]$
4. From the VM host log on to the db1 machine as the oracle user with the –X option and
start the Firefox browser.
5. Point the browser to http://cl1.example.com:7001 to verify that the WebLogic Server

environment is operational. The resulting web page should be similar to
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
i c a ( to shttp://cl1.example.com:7001/odsm
6. Point the tbrowser e to to start the Directory Services
s h
Manager. e n
The following page is displayed:
r a pa lic
u r P
l a m
F
7. Enter, or verify, the following information to log in the first time:

• Name: admin
• Server: cl1.example.com
• Administrative Port: 4444

Chapter 3 - Page 12
• SSL Enabled: selected
• Password: Student1
• Start Page: Home
Click Login.
a ble
f e r
ans
n - t r
a no
h a s
a. The first time you access the system, you may be challenged
m ) eฺ to accept the
certificate. If this page or pop-up is displayed, o
i l ฺ u idTrust Always”
c click “Yes,
g ma ent G
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
r ap
mur P
Fla

Chapter 3 - Page 13
b. You should land on the main ODSM page.
a ble
f e r
ans
8. The OUD default is to store passwords only in Salted SHA-1. According to My Oracle
Support document 2093460.1, Enterprise Manager Cloud Control 13c connects to EUS n - t r
o
an
using SASL Digest-MD5 and uses AES storage. The database uses SHA-1. Therefore,
s
) ha
you need to add the AES, MD5, and SHA-1 storage formats to OUD. That also requires
updating existing passwords to generate the required storage.
c o m ideฺ
ailฺ t Gu
a. Open the Security tab and expand the Password Policy group and select the
Default Password Policy m
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 14
b. Pull down the list for Default Password Storage Schema and add SHA-1, AES
and MD5 storage. Other values are also permitted.
a ble
f e r
ans
n - t r
a no
s
haclick
c. Click the next field to activate the Apply button, and)then Apply.
m ฺ
i l ฺ co uide
g ma ent G
t i c a@ Stud
d. Repeat the precedingsstep
a h forththeisRoot Password Policy and the Global
selected. Iffp r
you
adop notuperform
Administrator Password Policy,
s ensuring at least Salted SHA-512 and AES are
e this step, the login to Enterprise Manager in
( t o
h t ica ncl1
Practice 3-4 will fail.
seas oracle and update the Directory Manager password to
9. Log on
pa s to machinee
c the changeDirectoryManagerpwd.sh script found in
liUse
r a
oracle_4U.
mur P /home/oracle/labs/EUS or enter the following on one line.

Fla [oracle@cl1 ~]$
/u01/app/oracle/Middleware/asinst_1/OUD/bin/ldappasswordmodify -
h cl1.example.com -p 1389 --authzID "dn:cn=Directory Manager" --
currentPassword Student1 --newPassword oracle_4U
The LDAP password modify operation was successful

[oracle@cl1 ~]$

Chapter 3 - Page 15
10. Verify that the Salted SHA-512 and AES (and others that you have selected) are in use
with the following command (or use
/home/oracle/labs/EUS/checkPassword.sh).
[oracle@cl1 EUS]$ echo oracle_4U > /home/oracle/labs/EUS/pwd-
file
[oracle@cl1 EUS]$
/u01/app/oracle/Middleware/asinst_1/OUD/bin/ldapsearch -h
cl1.example.com -p 4444 -D "cn=Directory Manager" --useSSL -j
pwd-file -b "cn=Directory Manager,cn=Root DNS,cn=config" -s base
objectclass=* userpassword
The server is using the following certificate:
Subject DN: CN=cl1.example.com, O=Administration Connector
Self-Signed Certificate
Issuer DN: CN=cl1.example.com, O=Administration Connector
a ble
Self-Signed Certificate
f e r
ans
Validity: Fri Dec 09 05:06:56 EST 2016 through Sun Dec 09
05:06:56 EST 2018 n - t r
o
an
Do you wish to trust this certificate and continue connecting to
s
the server?
) ha
Please enter "yes" or "no":yes
c o m ideฺ
ailฺ t Gu
dn: cn=Directory Manager,cn=Root DNs,cn=config
userpassword: m
g den
@
ica is Stu
{AES}AfGbnMScAUlxjYoz0ZlM2jGga1FNK11I+A1nIvBDIkup/vOOQE0cxCd9
userpassword:
s h t
p a th
{SSHA512}cagKt+RRG4Kb50+lX3JWslLZqc5LPvxghCNOtxA7ui/wGdHpj256QRB
a e
G0
( f pr to us
h t i ca nse
80bgG2JtUyoZpWr4aDY3+ZqoB96Zg6LTgqyXSFR
11. Verifysthat you can e log in to ODSM using the new password.
p a l i c
P ra
u r
m
Fla

Chapter 3 - Page 16
12. Find and update the generated user entries to provide correct passwords. LDAP
generally performs searches very quickly, and many LDAP applications use a number of
searches to respond to a single request. Oracle’s Network Administration and Enterprise
User Security look up the Oracle Context to determine where various information can be
found. In this step you will determine where the Oracle Context information is to be
found.
a. In ODSM, open the Data Browser tab, expand the dc=example,dc=com node,
expand the cn=OracleContext node, expand the cn=Products node, and click the
cn=Common node.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
b. In the data panel, expand the Optional Attributes (scroll down if necessary to see
the Optional Attributes and click the arrow in front of the name).

Chapter 3 - Page 17
c. Scroll down to view the orclCommonUserSearchBase attribute and data. The
data value indicates the node in which to search for User information.
13. Using the Data Browser tab in ODSM, access the information for users that is found in
the node previously identified and update the password for one of the existing users.
a. Select the node for uid=user.0.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
t ithat tu
causers inSthe
b. Note the data entered
a s h
for
t h i data panel.
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla

Chapter 3 - Page 18
c. Scroll down and expand the Organizational Information attribute group.
d. Scroll right until the User Password is displayed.
a ble
f e r
e. Update the password to oracle_4U and click Apply in the upper-right area to ans
update the password to use all the storage formats selected. n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 19
Practice 3-3: Configuring and Registering the Database
Overview
Oracle Database can communicate with the LDAP server based on the configuration in the
sqlnet.ora file. This is usually done by using the Networking Configuration Assistant. After
the communication has been established, the database may be registered with LDAP using the
Database Configuration Assistant.
Tasks
1. Log on to the db1 machine as user oracle with GUI capability.
a ble
Last login: Fri Dec 9 02:59:12 2016 from 192.0.2.1
f e r
ans
[oracle@db1 ~]$
n - t r
2. Set the environment to use the orcl instance.
a no
h a s
m ) eฺ
o
a ilฺc Guid
[oracle@db1 ~]$
g m ent
3. Start the Network Configuration Assistant.
t i c a@ Stud
[oracle@db1 ~]$ netcah is
a s t h
f p r ap use
Oracle Net (Serviceso Configuration:
i c e t
astarts,sselect
4. When the
s t
h cen
GUI Directory Usage Configuration and click Next.
a p a li
P r
u r
l a m
F

Chapter 3 - Page 20
5. Select Directory Type Oracle Internet Directory and click Next.
a ble
f e r
ans
6. Enter the host name where the LDAP server is running (cl1.example.com), the ports
that are needed to access LDAP, 1389 for the regular port and 1636 for the SSL port, n - t r
o
an
and click Next. Note that on Linux, ports 1 to 1024 require super user privileges, and
s
ha
Oracle Unified Directory is started and run as the oracle user. Therefore the ports are
)
outside the privileged range.
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 21
If you receive an error dialog box, ensure that the LDAP server has been started on
the cl1 machine.
7. Select the Oracle Context “cn=OracleContext,dc=example,dc=com” and click Next.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s thNext.
a
pr to us
8. Note the resulting information and eclick
( f
h t ica nse
p a s lice
P ra
u r
m
Fla

Chapter 3 - Page 22
9. Optionally, ensure that LDAP is a naming method. Central naming is often required;
however, this capability will not be used in this course.
a. Select “Naming Methods configuration” and click Next.
b. Ensure Directory Naming is in the Selected Naming Methods list and click Next
until the Welcome page is displayed.
a ble
f e r
ans
10. Click Finish to return to the command line. n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla 11. Review the resulting ldap.ora file, and sqlnet.ora if you performed the optional
step.
Profile configuration complete.

Oracle Net Services configuration complete.
[oracle@db1 ~]$ cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File:
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (cl1.example.com:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID

Chapter 3 - Page 23
[oracle@db1 ~]$ ## Next is optional. Note this is one line.
[oracle@db1 ~]$ grep NAMES.DIRECTORY
$ORACLE_HOME/network/admin/sqlnet.ora
#names.directory_path

[oracle@db1 ~]$
12. Register the instance by using DBCA.
a. Still on db1 as the oracle user, start dbca.
[oracle@db1 ~]$ dbca
[oracle@db1 ~]$
b. When the GUI is displayed, select Configure Database Options and click Next.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
pdatabase,
seenter
pra to uClick
c. Select the orcl SYS as the SYSDBA user, and enter the
password(foracle_4U. Next.
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 24
d. Enter orcl as the database CN, use cn=Directory Manager as the User DN
with password oracle_4U. Enter oracle_4U as the Wallet Password, and
confirm with the same value. Click Next.
a ble
f e r
ans
n - t r
a no
h a s
e. Click Next through the Database Components page.
m ) eฺ
o uidmay need to deselect
ilฺc GYou
f. Do not configure Database Vault or Label Security.
a
the options. Click Next.
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla

Chapter 3 - Page 25
g. Leave the Connection Mode as selected and click Next.
h. Note the summary. Click Finish.

a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
i. The Progress page may be displayed, but will quickly move to the final page
confirming completion. Click Close.

Chapter 3 - Page 26
13. Using ODSM, verify that the registration is complete. Note that you may need to restart
the WebLogic Server on machine cl1.
a. Log in as cn=Directory Manager, switch to the Data Browser, expand the
base DN (dc=example,dc=com), and expand the cn=OracleContext node. Note
the new cn=orcl node that was created during the registration process.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
a (
b. Optionally, view theodata stored in the various attributes.
t
t
c. Exiti c
ODSM. se
a shhowlaicPDB
14. Discuss
p en may be registered with LDAP. If a CDB instance is available with
P raopened pluggable databases, you may wish to explore the Manage Pluggable
u r Databases option of the Database Configuration Assistant.
m
Fla

Chapter 3 - Page 27
Practice 3-4: Configuring Global Users and Global Roles
Overview
Enterprise User Security management is performed using Enterprise Manager. You add groups
to be recognized by the database, add users to the groups without corresponding database user
IDs, and verify that you can log in to the database with the new user IDs.
Tasks
1. Log in to the db1 machine, and access the orcl database as a user with DBA privileges.
The following assumes you have previously logged out of the db1 machine. Start at the
point appropriate for your current state.
[Host Desktop]$ ssh -l oracle db1
a ble
f e r
Last login: Tue Dec 13 08:33:48 2016 from 192.0.2.1
ans
n - t r
a no
h a s
[oracle@db1 ~]$ sqlplus system m ) eฺ
o
a ilฺc Guid
g m enton Tue Dec 13 08:35:37
SQL*Plus: Release 12.1.0.2.0 Production
2016
t i c a@ Stud
a s h this
Copyright (c) 1982,
r a p se Oracle. All rights reserved.
2014,
a (fp to u
ic nse
Enter tpassword:
h
p a
Lasts l i c
Successfule login time: Tue Dec 13 2016 08:34:08 -05:00
ra
m ur P Connected to:
Fla Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -
64bit Production
2. Create a global user and grant it the ability to create sessions.
SQL>
SQL> DROP USER GUEST CASCADE;
User dropped.
SQL> CREATE USER guest IDENTIFIED GLOBALLY AS '';
User created.
SQL> GRANT CREATE SESSION TO GUEST;


Chapter 3 - Page 28
Grant succeeded.
SQL>
3. Create or replace two new global roles and grant them the ability to select from
OE.PRODUCTS.
SQL> DROP ROLE emprole;
Role dropped.
SQL> CREATE ROLE emprole IDENTIFIED GLOBALLY;
a ble
Role created.
f e r
ans
SQL> DROP ROLE custrole; n - t r
a no
Role dropped.
h a s
m ) eฺ
o uid
SQL> CREATE ROLE custrole IDENTIFIED
a ilฺcGLOBALLY;
G
g m ent
Role created.
t i c a@ Stud
a s h this
SQL> GRANT select
f p r apON uoe.products
s e TO custrole, emprole;
a ( to
i c
Granthtsucceeded. ns e
a s li c e
rap
mur P SQL>
Fla
Grant succeeded.
SQL>
4. You may optionally exit the orcl database.

Chapter 3 - Page 29
Practice 3-5: Configuring Enterprise User Security by Using
Enterprise Manager
Overview
Enterprise User Security management is performed using Enterprise Manager. You add groups
to be recognized by the database, add users to the groups without corresponding database user
IDs, and verify that you can log in to the database with the new user IDs.
Tasks
1. Using the browser, log on to the Enterprise Manager console as user SYSMAN, and open
the orcl.example.com database page. If necessary, review the earlier instructions to access
the database home page. The resulting page should look similar the following:
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla 2. Expand the Security menu.
3. Select Enterprise User Security from the bottom of that menu. You may need to scroll
the page to display the required entry.

Chapter 3 - Page 30
4. Log in to the Oracle Unified Directory by using the following values:
Step Field Choices or Values
a. Host cl1.example.com
b. Port 1389
c. Realm dc=example,dc=com
d. User cn=Directory Manager

e. Password oracle_4U
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P r a
r
u 5. Click Login.
m
Fla If the system responds with an Invalid Credentials message and you are sure you have
entered the password correctly, you may not have successfully added AES as a storage
mechanism in the earlier step.

Chapter 3 - Page 31
6. Configure a User-Schema mapping by updating the Default Domain.
a. Click Manage Enterprise Domains.
a ble
f e r
ans
b. Ensure the OracleDefaultDomain is selected and click Configure.
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla
c. Note that the orcl database should have been added automatically. If it is not, click
Add, Click Go to bring up the list of databases, select orcl as shown in the following
snippet, and click Select to return to the Configure Domain screen.

Chapter 3 - Page 32
d. Select the User-Schema Mappings tab and click Create.
e. Enter uid=user.0,ou=People,dc=example,dc=com in the From field (you can use a ble

the Search icon, perform a search by clicking Go, and select user.0) and the guest f e r
ans
user previously created in the To field, and click Continue.
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla f. Click OK.

Chapter 3 - Page 33
g. Note there is now an Enterprise-User mapping.
7. Create a Global Enterprise Role using a similar approach:

a. Select the OracleDefaultDomain and click Configure as in the previous task.
b. Display the Enterprise Roles tab and click Create.
c. Enter Product in the Name field and click Add.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
Pd.r
aSelect the orcl database, enter the database User Name as system and its
u r password, and click Go to display a list of the database global roles.
m
Fla

Chapter 3 - Page 34
e. Select both previously created roles, and click Select.
f. Display the Grantees tab and click Add.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
t ens e
g. p a shthe
Select lic view, click Go to search for all known users in the directory, select
USER
r a user.0, and click Select.
mur P
Fla

Chapter 3 - Page 35
h. Click Continue to return to the domain configuration page.
a ble
f e r
ans
i. Click OK to return to the Manage Enterprise Domains page. n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
8. Enable password access for the database.
r a p Domains
a. From the Manage Enterprise
s e page, select the orcl database, click
fp thetoConfiguration
Configure, and(select
a
u view.
s h tic ense
r a pa lic
mur P
Fla
b. Deselect the Kerberos and SSL selections and click OK.

Chapter 3 - Page 36
9. Log in to the database using user.0 with the password previously set.
[oracle@db1 ~]$ sqlplus user.0@orcl
SQL*Plus: Release 12.1.0.2.0 Production on Tue Dec 13 11:43:19
2016
Enter password:
Last Successful login time: Tue Dec 13 2016 11:42:36 -05:00
Connected to:
64bit Production
a ble
f e r
ans
n - t r
SQL> select count(*) from oe.products; a no
h a s
m ) eฺ
o
ilฺc Guid
COUNT(*)
---------- a
m ent
g
a@ Stud
288
t i c
h this
SQL> exit a s
Disconnected p
f r apOracle
from u s eDatabase 12c Enterprise Edition Release
12.1.0.2.0 a (- 64bittoProduction
i c se
t Partitioning,
With hthe n
a s c e
li Testing options
OLAP, Advanced Analytics and Real
rapApplication
mur P
10. Verify that user.0 does not exist in the database.
Fla
[oracle@db1 ~]$ sqlplus system

2016
Enter password:
Last Successful login time: Tue Dec 13 2016 11:41:45 -05:00
Connected to:
64bit Production

Chapter 3 - Page 37
SQL> select username from dba_users where username like 'USER%';
no rows selected
SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release

[oracle@db1 ~]$
11. Optional: Create a new user in LDAP and associate that user with the orcl database.
a. Log in to the Oracle Directory Services Manager and click the Create User Entry link.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 3 - Page 38
b. Optionally expand the Create New User Entry window to use the entire browser area,
and click the Parent Entry search > Select.
a ble
f e r
ans
c. In the Entry Picker window, expand the tree to display the distinguished name
n - t r
cn=Root, then dc=example,dc=com, and select ou=People. o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla

Chapter 3 - Page 39
d. Toward the bottom of the Entry Picker, select the distinguished name
ou=People,dc=example,dc=com and click Select.
e. Enter the information about an individual. Include data in the Common Name, User Id, a ble
User Name, First Name, and Last Name fields. f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s
f. Scroll down to the Organization
h Information
t h is data group and enter a User Password.
f p r ap use
a ( to
i c
ht cens e
p a s li
r a
mur P
Fla g. Click Create in the upper-right area. Review any messages and fix any data issues that
might be reported.

Chapter 3 - Page 40
h. Return to Enterprise Manager Cloud Control and access the Enterprise User Security
panel for the database.
a ble
f e r
ans
n - t r
a no
h a s
i. Click the Manage Enterprise Users link and find the user m )you created.
e ฺ You may enter
c o i d
m ailฺ t Gu
the username into the User field and click Go, or scroll down.
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla

Chapter 3 - Page 41
j. Select the user and click Configure. On the User – Schema Mappings tab, create a
mapping between the username and the database schema guest.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ created Product
k. Click Continue, click the Enterprise Roles tab, and grant the previously
role to your user.
i l ฺ co uid
g ma ent G
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
p a s li
r a
mur P
Fla
l. Click OK and exit Enterprise Manager.
m. On the db1 machine, connect to the orcl database using the newly created username
and the password you entered. Check your capabilities and log out of the database.

Chapter 3 - Page 42
Practice 3-6: Cleaning Up
Overview
In this practice, you:
• Registered the orcl database with Enterprise Manager Cloud Control
• Started the Oracle Unified Directory server and the Oracle Directory Services Manager
administration tool
• Configured the LDAP server
• Configured Oracle Networking to communicate with LDAP using ldap.ora
• Registered the orcl database with LDAP by using the Database Configuration
Assistant
• Created a global user and global groups
a ble
• Configured Enterprise User Security by using Enterprise Manager Cloud Control
f e r
ans
To clean up, you: n - t r
• Remove the database from Enterprise Manager Cloud Control a no
• h a s
De-register the database from the directory service, using DBCA
• Stop the ODSM and OUD servers m ) eฺ
o
a ilฺc Guid
Tasks
g m ent
t i c @ tCloud
1. Using the browser, log on to EnterpriseaManager
S ud Control and remove the orcl
database.
a. Access the Enterprise p a sh Cloud t h s
iControl
r a Manager
s e Databases target page.
a (fp to u
s h tic ense
r a pa lic
u rP
m
Fla

Chapter 3 - Page 43
b. Select the orcl.example.com database.
c. Click Remove.
d. Confirm that you wish to remove the target. a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
e. When complete, the r p setarget page will be displayed. Verify that the removal
aDatabases
f p
was successful(and the tdatabase
o u is not in the list of databases.
a
toficEnterprise
seManager Cloud Control, and optionally shut down the em13
f. Log out
s h
a machine. e n
r a pvirtual lic When the machine is down, the xm list em13 command returns without
ur P
a response.
m [Host Desktop]$ ssh -l oracle em13
Fla oracle@em13's password:
[oracle@em13 ~]$ sudo shutdown -P now

(/dev/pts/0) at 14:23 ...

[oracle@em13 ~]$ exit
logout
Connection to em13 closed.
[Host Desktop]$ sudo xm list em13
Name ID Mem VCPUs
State Time(s)

Chapter 3 - Page 44
em13 11 9216 2
r----- 166619.5
[Host Desktop]$ # some time later
[Host Desktop]$ sudo xm list em13
Error: Domain 'em13' does not exist.
[Host Desktop]$
2. From the db1 machine, de-register the database from the directory server.
a. Log on to the db1 machine as the oracle user, set the environment using oraenv to
point to orcl, and invoke dbca.
b. Select Configure Database and click Next.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
c. Select the orcl database, enter SYS asg musername,
the
e n t provide the password for SYS,
and click Next.
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
p a s li
r a
mur P
Fla

Chapter 3 - Page 45
d. Select Yes, un-register the database, enter cn=Directory Manager as the user DN,
provide the passwords for the user and the wallet, and click Next.
a ble
f e r
ans
n - t r
o
e.
an
Click Next on the Database Components and Sample Schemas page.
s
f.
ha
Ensure the Configure Database Vault and Configure Label Security selections are NOT
selected, and click Next. )
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla
g. Click Next on the Server Mode page without making changes.

Chapter 3 - Page 46
h. Review the Summary and click Finish.
i. When the configuration has completed, click Close.
a ble
f e r
ans
n - t r
j. no
Log out of the db1 machine. Do not stop the machine because it will be used in the
a
next lesson.
h a s
m ) eฺ
o id and the Oracle
a ilฺcDirectory
3. Log in to the cl1 machine and stop the Oracle Unified
G uServer
Directory Services Manager.
g m ent
c a @ tud and stop_ds.sh.
a. Use the provided courtesy scripts, stop_wls.sh
i
htoracle i s S
[Host Desktop]$ ssh -l
a s
p se t h
cl1
r a
oracle@cl1's password:
p Decto 13u 11:14:20 2016 from 192.0.2.1
Last login:(fTue
a
tic e~]$
[oracle@cl1 sestop_wls.sh
a s h n
r a pGraceful lic
u r P This command shutdown command issued to the server "AdminServer".
might take time since the server waits for inflight
m
Fla work to finish before shutdown. If you wish to ignore inflight
work please use FORCESHUTDOWN command to override inflight work
and shutdown the server ...
Server "AdminServer" was shutdown successfully ...
[oracle@cl1 ~]$ stop_ds.sh

Stopping Server...
[13/Dec/2016:14:40:18 -0500] category=BACKEND severity=NOTICE

msgID=9896306 msg=The backend cn=OIDCompatibility,cn=Workflow
Elements,cn=config is now taken offline
msgID=9896306 msg=The backend cn=OracleContext0,cn=Workflow
elements,cn=config is now taken offline

Chapter 3 - Page 47
msgID=9896306 msg=The backend cn=userRoot,cn=Workflow
msgID=9896306 msg=The backend cn=virtualAcis,cn=Workflow

msgID=458955 msg=The Directory Server is now stopped
[oracle@cl1 ~]$
b. Shut down the cl1 machine because it will not be used for a number of lessons.
[oracle@cl1 ~]$ sudo shutdown -P now

a ble
(/dev/pts/0) at 14:43 ...
f e r
ans
n - t r
no
[oracle@cl1 ~]$ exit
s a
logout h a
) eฺ
Connection to cl1 closed. o m
[Host Desktop]$ sudo xm list cl1 a ilฺc Guid
Name g m ent ID Mem VCPUs
a @ t u d
State Time(s)
s h tic is S
cl1
p a e t h 10 1024 1 -
pra to us
b---- 4789.2
(
[Host Desktop]$f
h t ica nse
p a s lice
r a
mur P
Fla

Chapter 3 - Page 48
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 4: Using
o d
ilฺc and
Privileges
a G uiRoles
g m ent
c a @ tu4 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 4: Using Privileges and Roles

Chapter 4 - Page 1
Practices Overview
Real Application Security (RAS) uses an established trust relationship between the database
and the middle tier where the application is to run. With this trust relationship a user is
connected and authenticated in the middle tier. After connection from the middle tier to the
database, the middle tier tells the database which application role to use. The RAS connection
is based on proxy authentication, and the application roles are mapped to database roles.
Real Application Security is discussed in detail in the Oracle Database Security: Preventative
Controls for Developers course. That course assumes familiarity with proxy authentication and
database roles and privileges, which are discussed in this lesson.
In these practices, the security officer will implement privileges and roles and grant them to
users according to their respective job in the company.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 4 - Page 2
Practice 4-1: Using Proxy Authentication
Overview
In this practice, you use the OCI programs that simulate an in-house developed application
server: proxy_user and proxy_role. For both, the program starts by connecting to the orcl
database as the HRAPP user and creating a connection pool with 10 connections, and then it
attempts to create sessions for the PFAY user. The conditions vary and sometimes the sessions
fail to be created.
Assumptions
• This set of practices is performed on the db1 virtual machine by using the orcl instance
and the dbsec CDB instance.
• The instances and listener are assumed to be running. a ble
f e r
ans
Task
n - t r
no
1. If you did not create the SEC user in Practice 2, set your Oracle environment to the orcl
a
h a s
database instance and run the /home/oracle/labs/USERS/create_sec.sh script to
) eฺ
create this user. As the SEC user, create a user to simulate a middle-tier user.
m
o
a. Create a user with the following properties:
a ilฺc Guid
Username: HRAPP
Password: HRAPP g m ent
privilege: CREATE SESSION
t i c a@ Stud
a s h this
Note: This password is case-sensitive; it must be in uppercase.
$ . oraenv fpra
p se
(= [dbsec]
t o u
i
ORACLE_SID
t a
c nse ? orcl
a h
ThesOracle e
c base for
a p l i
r ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1 is
mur P /u01/app/oracle
Fla
$ sqlplus sec
Connected to:
64bit Production
SQL> CREATE USER hrapp IDENTIFIED by HRAPP;
User created.
SQL>
SQL> GRANT create session TO hrapp;

Chapter 4 - Page 3
Grant succeeded.
SQL>
b. Verify that HRAPP can connect. (Be aware of the uppercase password).
SQL> connect hrapp

Connected.
SQL>
SQL> EXIT
$
2. As the SEC user, drop the PFAY user to avoid possible conflicts. Then, create an end user
a ble
with the following properties:
f e r
Username: PFAY ans
Password: oracle_4U n - t r
PFAY is granted the create session privilege. a no
PFAY can connect through HRAPP without a password.
h a s
3. m ) eฺ
For PFAY to connect through HRAPP, HRAPP must be a proxy. Use the GRANT CONNECT
o
THROUGH syntax to allow HRAPP to proxy PFAY.
a ilฺc Guid
$ sqlplus sec g m ent
t i c a@ Stud
Last Successful login
a s htime:thMon
is Jun 17 2013 06:05:36 +00:00
f p r ap use
Connected to:
a ( to
Oracle i c
htProduction
Database e
ns 12c Enterprise Edition Release 12.1.0.2.0 -
a s li c e
rap
64bit
ur P
m Analytics and Real Application Testing options
Fla SQL>
SQL> DROP USER pfay CASCADE;
DROP USER pfay CASCADE
*
ERROR at line 1:
ORA-01918: user 'PFAY' does not exist
SQL> CREATE USER pfay IDENTIFIED by oracle_4U;
User created.
SQL> GRANT create session TO pfay;
Grant succeeded.

Chapter 4 - Page 4
SQL> ALTER USER pfay GRANT CONNECT THROUGH hrapp;
User altered.
SQL> EXIT
$
4. The proxy_user program tests connections through the middle tier.
This program has the following arguments:
• Connection (TNS) name is required.
• Username is required.
• Password is optional.
The program performs the following steps: a ble
f e r
• Connects as the HRAPP user
ans
• Creates a connection pool of 10 connections n - t r
o
• an
Creates 10 threads that connect to the database by using one of the
s
) ha
connections from the pool. The proxy_user program makes these
connections by using the username and password parameters.
c o m ideฺ
ailฺ t Gu
• Waits for a return character from the standard input
m
• Disconnects the 10 threads, destroys the connection pool, and ends
g den
@
ica is Stu
a Start a separate terminal window to act as a client. Set the environment variables
h t
by using the oraenv utility to set the instance name to orcl. Change to the
s
p a th
/home/oracle/labs/ROLES directory.
a e
b. f pr to us
Recompile the proxy programs. Ignore the error messages.
(
t ica nse
$ cd /home/oracle/labs/ROLES
h
p a s lice
$ ./mk_proxy_user
ra
ur P
proxy_user.c: In function 'main':
m proxy_user.c:56: warning: incompatible implicit declaration of
Fla built-in function 'strlen'
proxy_user.c: In function 'threadFunction':
proxy_user.c:109: warning: incompatible implicit declaration of
built-in function 'strlen'
$ ./mk_proxy_role
proxy_role.c: In function 'main':
proxy_role.c:60: warning: incompatible implicit declaration of
proxy_role.c: In function 'threadFunction':
proxy_role.c:116: warning: incompatible implicit declaration of
$ mv proxy_user? proxy_user
$ mv proxy_role? proxy_role

Chapter 4 - Page 5
c. Test the users that you created by executing proxy_user (from the operating
system prompt) with the following command:
$ ./proxy_user orcl pfay
where orcl is the TNS name for your local instance
The proxy_user command connects PFAY without a password. Should this work?
Why?
The program should work because you set up PFAY so that the user can connect
without a password. When the program is complete, press the Enter key.
The Hit enter to end connections: line may appear out of sequence.
$ ./proxy_user orcl pfay
Database: orcl
a ble
Username: pfay
f e r
Password:
ans
Successful connection: Username: HRAPP
n - t r
o
Successful connection: Username:
s an pfay
) ha pfay
c o m ideฺ pfay
m ailฺ t Gu pfay
@ g den pfay
h t ica is Stu
Successful connection: Username: pfay
p a s
th
pfay
a
pr to us e
( f
h t ica nse
p a s lice
Hit enter to end connections:
ra
ur P
$
m d. Examine the source code for the proxy_user program (see the appendix titled
Fla “Source Code”).
5. Using the terminal window, select the information from the data dictionary that shows the
users for whom HRAPP can proxy. Save this query; you will execute it again.
$ sqlplus sec
Connected to:
64bit Production
SQL>
SQL> COL proxy FORMAT A6
SQL> COL client FORMAT A6
SQL> COL authentication FORMAT A12 WORD

Chapter 4 - Page 6
SQL>
SQL> SELECT proxy,
client,
authentication,
authorization_constraint
FROM dba_proxies
WHERE proxy = 'HRAPP';
2 3 4 5 6
PROXY CLIENT AUTHENTICATI AUTHORIZATION_CONSTRAINT
------ ------ ------------ -----------------------------------
HRAPP PFAY NO PROXY MAY ACTIVATE ALL CLIENT ROLES
a ble
SQL>
f e r
6. Modify the PFAY user so that a password is required when connecting through a middle
ans
tier.
n - t r
SQL> ALTER USER pfay
a no
GRANT CONNECT THROUGH hrapp AUTHENTICATION REQUIRED;
h a s
2
m ) eฺ
o
User altered.
a ilฺc Guid
SQL> exit g m ent
$
t i c a@ Stud
a s h thwith
7. In the terminal window, run proxy_user is the following command:
r p se
aorcl
$ ./proxy_user
( f p t o u
pfay
This command a
tic connectsse PFAY without a password. Should this work? Why?
s h e
a Theliprogram
Answer: c n should not work because the PFAY user now requires a password
r a p
u r P to$connect.
m ./proxy_user orcl pfay
Fla Database: orcl
Username: pfay
Password:
Error - ORA-28183: proper authentication not provided by proxy
Error - OCI_INVALID_HANDLE

Chapter 4 - Page 7
a ble
f e r
ans
n - t r
a no
h a s
Error - ORA-28183: proper authenticationm ) provided
not
e ฺ by proxy
o
a ilฺc Guid
g m ent
t i c a@ Stud
$
a s h this
8. Run proxy_user with rthe
f p apfollowing
u s ecommand line:
a
$ ./proxy_user( orclto pfay oracle_4U
h i c
t connectsn se PFAY with a password. Should this work? Why?
s
This command
pa Theliprogram
c e
P r a
Answer: should work because the PFAY user now connects with a
r password.
mu
Fla $ ./proxy_user orcl pfay oracle_4U
Database: orcl
Username: pfay
Password: oracle_4U

Chapter 4 - Page 8
$
9. Select the information from the data dictionary that shows the users for whom HRAPP can
proxy. (This is the same query as in step 5.) What is different from the query output in step
5?
Answer: The AUTHENTICATION column values have changed to indicate that PFAY
requires a password to connect.

$ sqlplus sec
Connected to:
64bit Production
a ble
f e r
ans
n - t r
o
SQL>
s an
SQL>COL proxy FORMAT A6
) ha
SQL>COL client FORMAT A6
c o m ideฺ
SQL>COL authentication FORMAT A12aiWORD lฺ Gu
SQL> g m e n t
SQL>SELECT proxy,
t i c a@ Stud
client,a s h this
f p r ap use
authentication,
a ( authorization_constraint
to
i c
t dba_proxies
hFROM ns e
a s c e
li proxy = 'HRAPP';
rap WHERE
ur P 2 3 4 5 6
F lam PROXY CLIENT AUTHENTICATI AUTHORIZATION_CONSTRAINT

------ ------ ------------ -------------------------------
HRAPP PFAY YES PROXY MAY ACTIVATE ALL CLIENT ROLES
SQL>
10. Change the PFAY user so that he or she can no longer connect through the middle tier.
SQL> ALTER USER pfay REVOKE CONNECT THROUGH hrapp;
User altered.
SQL> exit
$

Chapter 4 - Page 9
11. Run proxy_user with the following command:
$ ./proxy_user orcl pfay oracle_4U
This command connects PFAY with a password. Should this work? Why?
Answer: The program works because the PFAY user connects with a password.
$ ./proxy_user orcl pfay oracle_4U
Database: orcl
Username: pfay
Password: oracle_4U
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
sh command is line: ./proxy_user orcl pfay
$
12. Run proxy_user with thep a
following t h
f p r a use
a (
This command connects o
without
t a password. Should this work? Why?
s h tic should
The program
e n snote work because the PFAY user requires a password to connect.
r a pathat thelierror
Note c message is different from the message in step 7. Users do not
require the CONNECT THROUGH privilege if they connect with a username and password.
u r P $ ./proxy_user orcl pfay
m
Fla Database: orcl
Username: pfay
Password:
Error - ORA-01017: invalid username/password; logon denied

Chapter 4 - Page 10
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
Hit enter to end connections: m
g e n t
$
t i c a@ Stud
a h the proxy
13. Display the audited connectionssas
t h is user. The HOST and PORT information will
vary, however the outputa
r p bessimilar.
should e
f p
$ sqlplus /( AS SYSDBAto u
i c a e
a s ht cens
r a pConnectedli to:
u r P Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -
m 64bit Production
Fla With the Partitioning, Oracle Label Security, OLAP, Advanced
SQL> COL dbusername FORMAT A10
SQL> COL dbproxy_username FORMAT A10
SQL> COL return_code FORMAT 999999
SQL> SELECT DISTINCT dbusername, dbproxy_username, return_code,
authentication_type
FROM unified_audit_trail
WHERE dbproxy_username='HRAPP';
2 3 4
DBUSERNAME DBPROXY_US RETURN_CODE
---------- ---------- -----------
AUTHENTICATION_TYPE
----------------------------------------------------------------
-

Chapter 4 - Page 11
PFAY HRAPP 1017
(TYPE=(DATABASE));(CLIENT
ADDRESS=((ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=
43150))));
PFAY HRAPP 28183

24516))));
PFAY HRAPP 28183

a ble
24513)))); f e r
ans
n - t r
no
PFAY HRAPP 28183
s a
h a
) eฺ
24443))));
o m
a ilฺc Guid
PFAY HRAPP 0 g m ent
(TYPE=(PROXY));(CLIENT ca@
t i S tud
s h this
ADDRESS=((ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=242
a
83))));
f p r ap use
a ( to
i c
PFAY t HRAPP s
h cen e 1017
a s li
rap
ur P
m 43157))));
Fla
… rows deleted
SQL> EXIT
$

Chapter 4 - Page 12
Practice 4-2: Exploring DBA Privileges
Overview
In this practice, the security officer manages the DBA role privileges in the non-CDB and in the
PDBs of the CDB.
Tasks
1. Investigate the number of privileges of the DBA in the non-CDB.
a. Use the oraenv utility to set the ORACLE_SID environment variable to the orcl value.
$ . oraenv
The Oracle base for
a ble
/u01/app/oracle
f e r
$
ans
n - t r
b.
no
Connect as SYSTEM in the orcl instance. Note the number of rows may vary based on
the database version and patches applied. a
h a s
$ sqlplus system
m ) eฺ
o
Enter password: ****** a ilฺc Guid
g m ent
Connected to:
t i c a@ Stud
Oracle Database 12c a s h this Edition Release 12.1.0.2.0 -
Enterprise
64bit Production
f p r ap use
With the a ( to Oracle Label Security, OLAP, Advanced
Partitioning,
i c
ht cand
Analytics e
nsReal Application Testing options
a s li e
r ap
ur P
SQL> SELECT * FROM session_roles ORDER BY 1;
m
Fla ROLE
----------------------------------------------------------------
-
AQ_ADMINISTRATOR_ROLE
CAPTURE_ADMIN
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
DBA
DELETE_CATALOG_ROLE
EM_EXPRESS_ALL
EM_EXPRESS_BASIC
EXECUTE_CATALOG_ROLE
EXP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS

Chapter 4 - Page 13
HS_ADMIN_EXECUTE_ROLE
HS_ADMIN_SELECT_ROLE
IMP_FULL_DATABASE
JAVA_ADMIN
JAVA_DEPLOY
OLAP_DBA
OLAP_XS_ADMIN
OPTIMIZER_PROCESSING_RATE
SCHEDULER_ADMIN
SELECT_CATALOG_ROLE
WM_ADMIN_ROLE
XDBADMIN
a ble
XDB_SET_INVOKER
f e r
XS_RESOURCE
ans
n - t r
o
25 rows selected.
s an
SQL> SELECT * FROM session_privs ORDER BY )
ha
c o m ideฺ
1;
m ailฺ t Gu
PRIVILEGE
@ g den
h t icaSETis Stu
----------------------------------------
ADMINISTER ANY SQL TUNING
p a sTRIGGERth
ADMINISTER DATABASE
f p r a use
ADMINISTER (RESOURCEo MANAGER
i c e t
a SQLsMANAGEMENT
h t
ADMINISTER
s e n OBJECT
a
apADMINISTER lic SQL TUNING SET
r
ur P
ADVISOR
m … rows deleted
Fla UNLIMITED TABLESPACE
UPDATE ANY CUBE
UPDATE ANY CUBE BUILD PROCESS
UPDATE ANY CUBE DIMENSION
UPDATE ANY TABLE
USE ANY SQL TRANSLATION PROFILE
222 rows selected.
SQL>
Notice that the SYSTEM user is not granted the SYSDBA privilege.

Chapter 4 - Page 14
c. Connect as SYS in the orcl instance.
Connected.
SQL> SELECT * FROM session_roles ORDER BY 1;
no rows selected
SQL> SELECT * FROM session_privs ORDER BY 1;
PRIVILEGE
----------------------------------------
ADMINISTER ANY SQL TUNING SET
a ble
ADMINISTER DATABASE TRIGGER
f e r
… rows deleted
ans
SYSDBA
n - t r
o
SYSOPER
s an
TRANSLATE ANY SQL
) ha
UNDER ANY TABLE
c o m ideฺ
UNDER ANY TYPE
m ailฺ t Gu
UNDER ANY VIEW
@ g den
UNLIMITED TABLESPACE
h t ica is Stu
UPDATE ANY CUBE
p a s th
a
pr to us
UPDATE ANY CUBE BUILD PROCESS e
( f
ica nse
h t
UPDATE ANY TABLE
s lice
a p a
r
m ur P
Fla
234 rows selected.
SQL> EXIT
$
2. Now investigate if there are distinct DBAs for the root container and in the pdb1 and pdb2
containers in the dbsec instance.
a. Use the oraenv utility to set the ORACLE_SID environment variable to the dbsec
value.
$ . oraenv
The Oracle base for
/u01/app/oracle
$

Chapter 4 - Page 15
b. Connect as SYSTEM in the dbsec instance.
$ sqlplus system

Connected to:
64bit Production
a ble
SQL> col role format a30
f e r
SQL> SELECT role, common, con_id FROM cdb_roles
ans
WHERE role like '%DBA%' ORDER BY 1, 3;
n - t r
n o
CON_ID s a
ha
ROLE COM
)
m 1ideฺ
------------------------------ --- ----------
YES lฺco
CDB_DBA
YESa
i G u3
CDB_DBA m t
gYES den 4
@ tu
ica is S
CDB_DBA
DBA
s h t YES 1
a
p se t YES h
DBA
r a 3
DBA
a (fp to u YES 4
s h tic ense
LBAC_DBA YES 1
apa
LBAC_DBA lic YES 3
r
ur P
LBAC_DBA YES 4
m OLAP_DBA YES 1
Fla OLAP_DBA YES 3
ROLE COM CON_ID

------------------------------ --- ----------
OLAP_DBA YES 4
PDB_DBA YES 1
PDB_DBA YES 3
PDB_DBA YES 4
XDBADMIN YES 1
XDBADMIN YES 3
XDBADMIN YES 4
18 rows selected.

Chapter 4 - Page 16
SQL>
There are two types of DBA roles. The common DBA role systematically granted to any
SYSTEM user created in a new PDB: the DBA role owns many system privileges. The
common PDB_DBA role is also systematically granted to any SYSTEM user created in a new
PDB. The common PDB_DBA owns only three system privileges. In each PDB, the user
being granted the DBA role, like the SYSTEM user, is able to grant distinct responsibilities to
the administrators of the PDB he or she is responsible for.

SQL> SELECT username, con_id
FROM cdb_users
WHERE username = 'SYSTEM'
ORDER BY 1,2;
a ble
USERNAME CON_ID
f e r
-------------- ----------
ans
n - t r
no
SYSTEM 1
SYSTEM 3
s a
SYSTEM 4 h
) eฺa
o m
3 rows selected. a ilฺc Guid
SQL> g m ent
There are as many DBAs as containers:t i c a@ S
one for tudroot container and one DBA for each
the
PDB, except PDB$SEED. ash h is
p to create
aDBA t
e a junior DBA to whom you grant the local
c. Connect as the pdb1
( f p r u s
PDB_DBA role.
i c a e to
s
SQL> t ensystem@pdb1
hCONNECT s
a a li c
pEnter password:
P r ******
u r Connected.
l a m SQL> COL grantee FORMAT A16
F SQL> COL privilege FORMAT A26
SQL> SELECT * FROM dba_sys_privs WHERE grantee='PDB_DBA'
ORDER BY 1,2;
GRANTEE PRIVILEGE ADM COM

---------------- -------------------------- --- ---
PDB_DBA CREATE PLUGGABLE DATABASE NO NO
PDB_DBA CREATE SESSION NO NO
PDB_DBA SET CONTAINER NO NO
3 rows selected.
SQL> CREATE USER dba_junior IDENTIFIED BY oracle_4U;

Chapter 4 - Page 17
User created.
SQL> GRANT create any table,

create user, create role,
create tablespace TO pdb_dba;
2 3
Grant succeeded.
SQL> GRANT pdb_dba TO dba_junior;
Grant succeeded.
a ble
SQL> CONNECT dba_junior@pdb1
f e r
ans
Connected.
n - t r
o
s an
) ha
PRIVILEGE
c o m ideฺ
--------------------------
m ailฺ t Gu
CREATE ANY TABLE
CREATE PLUGGABLE DATABASE a@
g den
h t ic is Stu
CREATE ROLE
CREATE SESSION apa
s th
pr to us e
( f
CREATE TABLESPACE
ca nse
CREATEtiUSER
h
p a
SET sCONTAINER
l i c e
r a
m ur P 7 rows selected.
Fla
SQL>
d. Connect as the pdb2 DBA to create a junior DBA to whom you grant the local
PDB_DBA role with different privileges.
Connected.
SQL> CREATE USER dba_junior IDENTIFIED BY oracle_4U;
User created.
SQL> GRANT create user, create role,

create tablespace TO pdb_dba;
2

Chapter 4 - Page 18
Grant succeeded.
SQL> GRANT pdb_dba TO dba_junior;
Grant succeeded.
SQL> CONNECT dba_junior@pdb2

Connected.
PRIVILEGE
a ble
--------------------------
f e r
CREATE PLUGGABLE DATABASE
ans
CREATE ROLE
n - t r
o
CREATE SESSION
s an
CREATE TABLESPACE
) ha
CREATE USER
c o m ideฺ
SET CONTAINER
m ailฺ t Gu
@ g den
6 rows selected.
h t ica is Stu
p a s th
SQL> EXIT a
pr to us e
$ ( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 4 - Page 19
Practice 4-3: Granting SYSBACKUP Administrative Privilege
Overview
In this practice, you manage the password file with the new 12 format dedicated to new
administrative privileges like SYSBACKUP.
Tasks
1. Make sure you are in the ~/labs/PRIV directory and your environment points to the orcl
instance.
$ cd ~/labs/PRIV
$ . oraenv
ORACLE_SID = [dbsec] ? orcl
The Oracle base for
a ble
ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1 is f e r
ans
/u01/app/oracle
n - t r
no
$
2. Run the SYSBACKUP_setup.sh script to recreate the password file.
s a
$ ./SYSBACKUP_setup.sh h
) eฺa
o m
$
a i lฺc Guid
g m and
3. Connect with OS authentication with AS SYSBACKUP
e n tcheck the user connected.
$ sqlplus / as sysbackup a@
t i c S tud
a s h this
Connected to: ap e
f p r u s
i c a ( se12cto Enterprise Edition Release 12.1.0.2.0 -
Oracle Database
64bit tProduction
p a
Withshthe liPartitioning,
c en Oracle Label Security, OLAP, Advanced
r a Analytics and Real Application Testing options
u rP
m
Fla SQL> show user
USER is "SYSBACKUP"
SQL>
4. List the privileges granted to the SYSBACKUP user. Only a few privileges are granted to the
SYSBACKUP user. The SYSBACKUP privilege is granted to the SYSBACKUP user.
SQL> set pages 22
SQL> select * from session_privs order by 1;
PRIVILEGE
----------------------------------------
ALTER DATABASE
ALTER SESSION
ALTER SYSTEM
ALTER TABLESPACE

Chapter 4 - Page 20
AUDIT ANY
CREATE ANY CLUSTER
CREATE ANY DIRECTORY
CREATE ANY TABLE
DROP TABLESPACE
RESUMABLE
SELECT ANY DICTIONARY
SELECT ANY TRANSACTION
SYSBACKUP
UNLIMITED TABLESPACE
14 rows selected.
a ble
f e r
SQL>
a n s
r
-t more
5. Connect AS SYSDBA and list the privileges granted to the SYS user. There arenmuch
privileges granted to the SYS user. n o
s a
SQL> connect / as sysdba
) ha
Connected.
c o m1; ideฺ
ailฺ t Gu
SQL> select * from session_privs ORDER BY
m
g den
@
ica is Stu
PRIVILEGE
s h t
----------------------------------------
ADMINISTER ANY a p
SQLaTUNING e h
tSET
f pr to TRIGGER
ADMINISTER (DATABASE us
h t ica KEY
ADMINISTER
n e
sMANAGEMENT
a s
pADMINISTER e
lic RESOURCE MANAGER
r a
ur P
ADMINISTER SQL MANAGEMENT OBJECT
m rows deleted …
Fla UPDATE ANY CUBE BUILD PROCESS
UPDATE ANY TABLE
234 rows selected.
SQL>

Chapter 4 - Page 21
6. Display from the V$PWFILE_USERS view. The SYS user is the only user defined in the
password file with SYSDBA and SYSOPER privileges only. The SYSBACKUP user is not
registered in the password file.
SQL> select * from v$pwfile_users;

-------- ----- ----- ----- ----- ----- ----- ------
SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
SQL>
7. Create a new user JOHN that will be granted the SYSBACKUP privilege in order to perform
a ble
backup, restore, and recover operations, and hence act as the SYSBACKUP user.
f e r
SQL> CREATE USER john IDENTIFIED BY oracle_4U;
ans
n - t r
User created. a no
h a s
SQL> GRANT create session, sysbackup TO m ) eฺ
GRANT create session, sysbackup TO ijohn
o john;
lฺc Guid
a
m ent
* g
ERROR at line 1:
t i c a@ Stud
ORA-28017: The password
a s h file t h isis in the legacy format.
f p r ap use
a ( to
i c
t ens
SQL> hEXIT e
a s lic
P r ap$
u r8.Because the password file had been created in legacy format, not compatible with the
m SYSBACKUP entry, it does not accept any SYSBACKUP entry.
Fla a. Recreate the file in 12 format, compatible with the SYSBACKUP entry.
$ cd $ORACLE_HOME/dbs
$ rm orapworcl
$ orapwd file=orapworcl password=oracle_4U entries=10 format=12
$
b. Finally register JOHN in the password file.
Connected to:
64bit Production

Chapter 4 - Page 22
SQL> grant create session, SYSBACKUP to john;
Grant succeeded.
SQL> select * from v$pwfile_users;


-------------- ----- ----- ----- ----- ----- ----- ----------
SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
JOHN FALSE FALSE FALSE TRUE FALSE FALSE 0
SQL>
c. Attempt a remote connection in SQL*Plus. a ble
f e r
SQL> connect john@orcl as SYSBACKUP
ans
n - t r
Connected.
a no
SQL> SHOW USER
h a s
USER is "SYSBACKUP" m ) eฺ
o
SQL> EXIT
a ilฺc Guid
$ g m ent
d. Test the remote connection in RMAN.
t i c a@ Stud
a s h this
$ rman target john/oracle_4U@orcl
f p r ap use
Recovery a ( o
tRelease
t i c Manager:
s e 12.1.0.2.0 - Production on Mon Nov 26
p a sh licen
06:28:43 2012
P ra Copyright (c) 1982, 2012, Oracle and/or its affiliates.

u r All
m rights reserved.
Fla
RMAN-00571: ==================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS
RMAN-00571: ==================================================
RMAN-00554: initialization of internal recovery manager package
failed
RMAN-04005: error from target database:
$
$ rman target '"john@orcl AS SYSBACKUP"'
target database Password: ******

connected to target database: ORCL (DBID=1345659572)

Chapter 4 - Page 23
RMAN> select user from dual;
using target database control file instead of recovery catalog

USER
------------------------------
SYSBACKUP
RMAN> exit
Recovery Manager complete.

$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 4 - Page 24
Practice 4-4: Implementing a Secure Application Role
Overview
This practice depends on Practice 4-1 for users and roles. It assumes that the SEC user has
been created and granted certain privileges, and that the PFAY and HRAPP users have also
been created. Related scripts are in /home/oracle/labs/ROLES.
Tasks
1. As the SEC user, create the HR_EMP_CLERK and HR_EMP_MGR roles. If you need to create
the SEC user, use the /home/oracle/labs/USERS/create_sec.sh shell script.
$ sqlplus sec
a ble
Connected to:
f e r
ans
64bit Production
n - t r
o
an
s
ha
)
m ideฺ
c o
ailฺ t Gu
SQL> CREATE ROLE hr_emp_clerk;
m
g den
Role created.
@
h t ica is Stu
a s
SQL> CREATE ROLE hr_emp_mgr;
p th
a
pr to us e
( f
ica nse
Role created.
h t
s lice
a p a
SQL>
r
mur P
Fla SQL> GRANT hr_emp_clerk, hr_emp_mgr TO pfay;
Grant succeeded.
SQL>
2. Give PFAY the ability to enable the HR_EMP_CLERK role through the HRAPP middle tier.
SQL> ALTER USER pfay
GRANT CONNECT THROUGH hrapp
WITH ROLE hr_emp_clerk;
2 3
User altered.
SQL> EXIT
$

Chapter 4 - Page 25
3. The proxy_role program enables roles through the middle tier. You simulate a middle tier
by using a service name in the connect string. This program has the following arguments:
Connection (TNS) name: Required
Name of the role to be enabled: Required
Username: Required
Password: Optional
The program performs the following steps:

1) Connects as the HRAPP user
2) Creates a connection pool of 10 connections
3) Creates 10 threads that connect to the database by using one of the connections
from the pool. The proxy_role program makes these connections using the
username and password parameters.
4) Enables the role for the user
a ble
Test the user that you created by executing proxy_role (from the operating system f e r
prompt) with the following command line: ans
n - t r
$ /home/oracle/labs/ROLES/proxy_role orcl hr_emp_clerk pfay
a no
This command connects PFAY without a password and enables the HR_EMP_CLERK role.
Should this work? Why? h a s
m ) eฺ
o
ฺc Guworks id because PFAY can
Be sure to use the name of your database insteadaofilorcl. This
enable the HR_EMP_CLERK role through HRAPP. g m ent
Note: Because each connection hasic
@ tudthe following output is not sequential
itsaown thread,
t
h differ
and the order of the output linessmay i s
for
S
each execution.
p a e t h
( f p ra us
$ /home/oracle/labs/ROLES/proxy_role orcl hr_emp_clerk pfay
Database:aorcl
c e t o
Role:h t i s
p a s licpfay en
hr_emp_clerk
Pra
Username:
r
mu
Password:
Fla
Role successfully enabled: hr_emp_clerk

Chapter 4 - Page 26

$
4. Examine the source code for the proxy_role program. Execute proxy_role to enable
the HR_EMP_MGR role for PFAY, using the following command line:
$ /home/oracle/labs/ROLES/proxy_role orcl hr_emp_mgr pfay
This command connects PFAY without a password and enables the HR_EMP_MGR role.
Should this work? Why? a ble
f e r
Answer: It does not work. The reason is that PFAY does not have permission to enable the
ans
HR_EMP_MGR role through HRAPP.
n - t r
o
an
$ /home/oracle/labs/ROLES/proxy_role orcl hr_emp_mgr pfay
s
Database: orcl
) ha
Role: hr_emp_mgr
c o m ideฺ
Username: pfay
m ailฺ t Gu
Password:
@ g den
h t ica is Stu
p a s
th
a
pr to us e
( f
ica nse
h t
s lice
a p a
r
ur P
Error - ORA-01924: role 'HR_EMP_MGR' not granted or does not
m exist
Fla
exist

exist

exist

exist

Chapter 4 - Page 27
exist

exist

exist

a ble
exist
f e r
a n s
Error - ORA-01924: role 'HR_EMP_MGR' not granted or does n r
-tnot
exist n o
s a
) ha
$
c o m ideฺ
ilฺ theGusers
5. Select the information from the data dictionary that shows
a u for whom HRAPP can
proxy. What has changed? m
g den t
The AUTHORIZATION_CONSTRAINT column
c @ t u that the proxy can only set some
a indicates
roles for the end user. t i
h this S
a s
$ sqlplus sec ap e
f p r
( ****** u s
Enter password:
i c a e to
a s ht cens
Connected.
r a pSQL> li
u r P SQL> COL proxy FORMAT A6
m
Fla
SQL> COL client FORMAT A6
SQL> COL authentication FORMAT A12 WORD
SQL>
SQL> SELECT proxy,
client,
authentication,
authorization_constraint
FROM dba_proxies
WHERE proxy = 'HRAPP';
PROXY CLIENT AUTHENTICATI AUTHORIZATION_CONSTRAINT

------ ------ ------------ -----------------------------------
HRAPP PFAY NO PROXY MAY ACTIVATE ROLE
SQL>

Chapter 4 - Page 28
6. Look at the tab_app_roles.sql script. It creates a table similar to the one presented in
the lesson, which is used to limit the IP addresses from which users can enable roles.
Execute the script. Note that the SEC user connects through the listener. The
SEC.APP_ROLES table is populated with the IP address of the current client IP address.
The SYS_CONTEXT(‘USERENV’,’IP_ADDRESS’) function is not populated unless the
user connects through the listener. You must enter the net service name of your database.
Enter the name of your database in the form of orcl. Remember that the password for SEC
is oracle_4sec.
SQL> @/home/oracle/labs/PRIV/tab_app_roles.sql
SQL> CONNECT sec@orcl
Connected.
SQL>
a ble
SQL> ALTER USER sec DEFAULT TABLESPACE example QUOTA UNLIMITED
f e r
ON example;
ans
n - t r
User altered.
a no
h a s
SQL>
m ) eฺ
o
lฺc Guid
SQL> DROP TABLE app_roles;
a i
DROP TABLE app_roles
g m ent
*
t i c a@ Stud
ERROR at line 1:
a h this
sview
ORA-00942: table p e
r a or
s does not exist
a (fp to u
h ticKEY,eTABLE
SQL> CREATE
s n se app_roles (id NUMBER CONSTRAINT app_roles_pk
apausernamelic VARCHAR2(30)NOT NULL, role VARCHAR2(30), ip_address
PRIMARY
r
ur P VARCHAR2(15),
F lam CONSTRAINT app_roles_uk UNIQUE (username, role, ip_address));
Table created.
SQL> INSERT INTO app_roles

2 VALUES (1, 'PFAY', 'HR_EMP_MGR',
3 sys_context('userenv','ip_address'));
1 row created.
SQL> COMMIT;
Commit complete.
7. As the SEC user, drop the HR_EMP_MGR role.
SQL>

Chapter 4 - Page 29
SQL> DROP ROLE hr_emp_mgr;
Role dropped.
SQL>
8. Create a secure application role with the following properties:

Name: HR_EMP_MGR
Enabled in the SEC.APP_ROLES_PKG package
SQL> CREATE ROLE hr_emp_mgr IDENTIFIED USING sec.app_roles_pkg;
Role created.
a ble
SQL> f e r
ans
9. Review the application code. How does it verify that the role can be enabled? Execute the
application code. n - t r
o
set echo on
s an
DROP PACKAGE app_roles_pkg;
) ha
c o m ideฺ
CREATE OR REPLACE PACKAGE app_roles_pkg
m ailฺ t Gu
AUTHID CURRENT_USER
@ g den
IS
h t ica is Stu
PROCEDURE set_role
p a s ( th
p_role_name
p r aVARCHAR2
u s e);
a ( f to
END;
/ sht
i c ns e
a li c e
rap
ur P CREATE OR REPLACE PACKAGE BODY app_roles_pkg IS
F lam PROCEDURE set_role (

p_role_name VARCHAR2 )
AS
v_id app_roles.id%TYPE;
BEGIN
SELECT id
INTO v_id
FROM sec.app_roles
WHERE username = sys_context('userenv','current_user')
AND role = p_role_name
AND ip_address = sys_context('userenv','ip_address');
dbms_session.set_role(p_role_name);
END;
END;
/

Chapter 4 - Page 30
The role can be enabled if the role name, username, and IP address of the client are in the
APP_ROLES table. This restricts which users can enable which roles from a particular client
address. (The code is in /home/oracle/labs/ROLES/create_app_roles.sql.)
SQL> set echo on
SQL>
SQL> DROP PACKAGE app_roles_pkg;

DROP PACKAGE app_roles_pkg
*
ERROR at line 1:
ORA-04043: object APP_ROLES_PKG does not exist
SQL>
a ble
f e r
SQL> CREATE OR REPLACE PACKAGE app_roles_pkg
ans
AUTHID CURRENT_USER
n - t r
o
an
IS
PROCEDURE set_role (
ha s
p_role_name VARCHAR2 ); )
m ideฺ
c o
ailฺ t Gu
END;
/ m
g den
@
ica is Stu
2 3 4 5 6 7
s h t
Package created. pa
a e th
( f pr to us
SQL> tica se
a s h c e n
a
SQL>
p l i
CREATE OR REPLACE PACKAGE BODY app_roles_pkg IS
r
ur P
PROCEDURE set_role (
m p_role_name VARCHAR2 )
Fla AS
v_id app_roles.id%TYPE;
BEGIN
SELECT id
INTO v_id
FROM sec.app_roles
WHERE username =
sys_context('userenv','current_user')
AND role = p_role_name
AND ip_address = sys_context('userenv','ip_address');
dbms_session.set_role(p_role_name);
END;
END;
/

Chapter 4 - Page 31
2 3 4 5 6 7 8 9 10 11 12 13 14
15 16
Package body created.
SQL>
10. As the SEC user, allow anyone to execute the SEC.APP_ROLES_PKG package and select
from the SEC.APP_ROLES table. The user needs read access to the table because the
package runs by using the privileges of the current user. What security problems does this
create, and how can they be resolved?
SQL> GRANT execute ON app_roles_pkg TO public;
Grant succeeded.
a ble
f e r
SQL> GRANT select ON app_roles TO public;
ans
n - t r
Grant succeeded.
a no
h a s
SQL>
m ) eฺ
11. Allowing anyone to execute the SEC.APP_ROLES_PKG o
ฺcpackage id not create any
uthedoes
security problems because the appropriate rowm ailappear
must t G
in APP_ROLES table
before a role can be enabled. Giving read@ g
access to d e n
SEC.APP_ROLES allows any user to
i
see which users can enable which trolesc afrom aS tu If this is determined to be a security
client.
a h only
risk, you can create a view thatsshows
t h isthose rows that are related to the current user.
The view would includerthe
f p apfollowing
u s epredicate:
a
WHERE username ( = sys_context('userenv','current_user')
to
i c e
ht cethenfollowing
Test by performing s steps:
a. p a s
Connect asliPFAY through the listener (you must use a service name orcl). Be sure to
r a
u rP use your instance name instead of orcl.
m b. Query SESSION_ROLES to see which roles are enabled.
Fla c. Use the SEC.APP_ROLES_PKG package to enable the role.
d. Query SESSION_ROLES to see which roles are enabled.
Note: The HR_EMP_CLERK role that is enabled after the initial connection is from a
previous step.
SQL> CONNECT pfay@orcl
Connected.
SQL>
SQL> SELECT * FROM session_roles;
ROLE
------------------------------
HR_EMP_CLERK

Chapter 4 - Page 32
SQL>
SQL> EXEC sec.app_roles_pkg.set_role('HR_EMP_MGR');
PL/SQL procedure successfully completed.

SQL>
ROLE
------------------------------
HR_EMP_MGR
a ble
SQL>
f e r
12. What do you expect will happen if, as the PFAY user, you try to enable the HR_EMP_MGR
ans
role by using the SET ROLE command? Try it.
n - t r
no
Answer: It should return an error because it is a secure application role.
a
SQL> SET ROLE hr_emp_mgr;
h a s
SET ROLE hr_emp_mgr m ) eฺ
o
*
a ilฺc Guid
ERROR at line 1: g m ent
ORA-28201: Not enough privileges
t i c udenable application role
a@ Stto
'HR_EMP_MGR'
a s h this
f p r ap use
SQL>
a ( to
i c
ht cens e
a s li
rap
mur P
Fla

Chapter 4 - Page 33
13. As the SEC user, select the secure application role information from the data dictionary.
SQL> CONNECT sec
Connected.
SQL>
SQL> COL role FORMAT A12

SQL> COL schema FORMAT A12
SQL> COL package FORMAT A30
SQL>
SQL> SELECT *
FROM dba_application_roles
WHERE ROLE = 'HR_EMP_MGR';
a ble
2 3 4
f e r
ans
ROLE SCHEMA PACKAGE n - t r
o
an
------------ ------------ ------------------------------
s
HR_EMP_MGR SEC APP_ROLES_PKG
) ha
c o m ideฺ
SQL>
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 4 - Page 34
Practice 4-5: Enabling Roles at Run Time by Using CBAC
Overview
In this practice, you will learn how to enable database roles at run time, enabling the procedure
unit to execute with the required privileges in the calling user's environment. This is called Code
Based Access Control (CBAC).
Tasks
1. Before testing the CBAC feature, execute the CBAC_priv.sql script. This script creates
the end user U1, the schema APP, and the APP.T1 table.
Connected.
SQL> @/home/oracle/labs/ROLES/CBAC_priv.sql
a ble
SQL> drop user u1 cascade;
f e r
drop user u1 cascade
ans
n - t r
no
*
ERROR at line 1:
s a
ORA-01918: user 'U1' does not exist h a
) eฺ
o m
SQL> drop user app cascade; a ilฺc Guid
drop user app cascade g m ent
*
t i c a@ Stud
ERROR at line 1:
a s h this
r p does
a'APP' s e not exist
ORA-01918: user
( f p to u
i c a e
SQL> ht ns
a s c e
li user u1 identified by oracle_4U default tablespace
rapSQL> create
ur P
users;
m
Fla User created.
SQL> grant create session, create procedure to u1;
Grant succeeded.
SQL> create user app identified by oracle_4U default tablespace

users;
User created.
SQL> grant create session, create table, create procedure,

unlimited tablespace to app;
Grant succeeded.

Chapter 4 - Page 35
SQL> create table app.T1 (code number);
Table created.
SQL> insert into app.T1 values (1);
1 row created.
SQL>
SQL> commit;
a ble
Commit complete.
f e r
ans
SQL>
n - t r
SQL>
a no
a s IVPROC and a
2. The APP schema creates two procedures: an invoker’s right procedure,
h
definer’s right procedure, DFPROC. m ) eฺ
o
ilฺc Guid
a. Create the two procedures using the following codes:
a
CREATE OR REPLACE PROCEDURE app.ivproc g m en(CODEt in varchar2)
@ d
AUTHID CURRENT_USER AS
h t ica is Stu
v_code number;
p a s th
BEGIN a
pr v_code e
us FROM app.t1;
SELECT code(fINTO t o
h t ica nse
dbms_output.put_line('Code is: '||v_code);
a s
pEND ivproc; li c e
r a
u rP /
m
Fla
SQL> CONNECT app
Connected.
SQL> CREATE OR REPLACE PROCEDURE app.ivproc (CODE in varchar2)

v_code number;
BEGIN
SELECT code INTO v_code FROM app.t1;
dbms_output.put_line('Code is from Invoker right procedure:
'||v_code);
END ivproc;
/
2 3 4 5 6 7 8
Procedure created.

Chapter 4 - Page 36
SQL>
b. Create the second procedure.
CREATE OR REPLACE PROCEDURE app.dfproc (CODE in varchar2)
AS
v_code number;
BEGIN
dbms_output.put_line('Code is from Definer right procedure:
'||v_code);
END dfproc;
/
a ble
SQL> CREATE OR REPLACE PROCEDURE app.dfproc (CODE in varchar2)
f e r
AS
ans
v_code number;
n - t r
BEGIN
a no
h a s
m ) eฺ
dbms_output.put_line('Code is from Definer right procedure:
o
'||v_code);
a ilฺc Guid
END dfproc;
g m ent
/
t i c a@ Stud
2 3 4 5 6
a s h this
7 8
Procedure created.
f p r ap use
( to
SQL> tica e
a s h cens
3. You p
r a li role. Grant SELECT on APP.T1 to the role. Create ROLE2. Grant
create the ROLE1
ur P
SELECT on SH.SALES to the role and grant the role directly to the end user U1.
m
Fla
Connected.
SQL> CREATE ROLE role1;
Role created.
SQL> GRANT select ON APP.T1 to role1;
Grant succeeded.
SQL> CREATE ROLE role2;
Role created.

Chapter 4 - Page 37
SQL> GRANT select ON SH.SALES to role2;
Grant succeeded.
SQL> GRANT role2 TO u1;

Grant succeeded.
SQL>
4. Grant the ROLE1 role to the invoker’s right procedure IVPROC and to the definer’s right
procedure, DFPROC.
SQL> CONNECT app
a ble
f e r
Connected.
ans
SQL> GRANT role1 TO PROCEDURE app.ivproc; n - t r
GRANT role1 TO PROCEDURE app.ivproc a no
*
h a s
m ) eฺ
ERROR at line 1:
o
a ilฺc Guid
ORA-01924: role 'ROLE1' not granted or does not exist
g m ent
SQL>
t i c a@ Stud
5. Because the CBAC roles canabe s hgrantedthonly
is to a program unit when the role is directly
r
granted to the procedures’
f p apowner,ugrant
s e the ROLE1 role to the APP procedures’ owner.
a ( / as tsysdba
o
c
SQL> CONNECT
i
ht cens e
a s
Connected.
pSQL> GRANTli role1 TO app WITH ADMIN OPTION;
r a
mur P
SQL>
6. Now grant the role to the procedural units.
SQL> CONNECT app
Connected.
SQL> GRANT role1 TO PROCEDURE app.ivproc, PROCEDURE app.dfproc ;
Grant succeeded.
SQL>

Chapter 4 - Page 38
7. Grant the EXECUTE privilege on both procedures to the U1 end user.
SQL> GRANT execute ON app.ivproc TO u1;
Grant succeeded.
SQL> GRANT execute ON app.dfproc TO u1;
Grant succeeded.
SQL>
8. Connect as U1 and test how the CBAC enables roles at run time.
a. Test the app.ivproc procedure.
a ble
f e r
SQL> CONNECT u1
ans
n - t r
Connected.
a no
h a s
m ) eฺ
o
ROLE
a ilฺc Guid
m ent
----------------------------------------------------------------
g
a@ Stud
-
ROLE2 t i c
h this
a s
f
SQL> SET SERVEROUTPUT p r ap uON s e
a ( to
SQL> EXEC
i c
hist from e
app.ivproc(1)
s
nInvoker
Code
p a s l i c e right procedure: 1
ra
ur P PL/SQL procedure successfully completed.
F lam
ROLE
----------------------------------------------------------------
-
ROLE2
SQL>
Notice that the active role at login time is ROLE2 only.

Chapter 4 - Page 39
b. Test the app.dfproc procedure.
SQL> EXEC app.dfproc(1)
Code is from Definer right procedure: 1

ROLE
----------------------------------------------------------------
ROLE2
SQL>
a ble
f e r
Notice that the execution completes as in 8.a.
ans
c. Drop ROLE1 and retest.
n - t r
o
SQL> CONNECT system
s an
) ha
Connected.
c o m ideฺ
ailฺ t Gu
SQL> DROP ROLE role1;
m
g den
@
Role dropped.
h t ica is Stu
SQL> CONNECT u1apa
s th
pr ******us e
Enter password: ( f t o
h t ica nse
Connected.
p a
SQL>s SELECT
l i c e* FROM session_roles;
r a
m ur P ROLE
Fla ----------------------------------------------------------------
-
ROLE2
SQL> SET SERVEROUTPUT ON

SQL> EXEC app.ivproc(1)
BEGIN app.ivproc(1); END;
*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "APP.IVPROC", line 5

Chapter 4 - Page 40
SQL> EXEC app.dfproc(1)
Code is from Definer right procedure: 1

SQL>
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 4 - Page 41
Practice 4-6: Executing Invoker's Right Procedure by Using the
INHERIT PRIVILEGES Privilege (Optional)
Overview
In this practice, you use the new INHERIT PRIVILEGES privilege when creating invoker’s
rights procedures. This practice assumes you have completed Practice 4-5. Related scripts
are in /home/oracle/labs/PRIV.
Tasks
1. Connected as SYSTEM, execute the inherit_priv.sql script to create the U1, U2, and
KATE users and the U2.T1 table.
SQL> CONNECT system
a ble
Connected. f e r
SQL> @/home/oracle/labs/PRIV/inherit_priv.sql ans
n - t r
o
s an
User dropped.
) ha
c o m ideฺ
m ailฺ t Gu
drop user u2 cascade
@ g den
*
h t ica is Stu
ERROR at line 1: as h
a p e tnot
ORA-01918: user
( f pr to us
'U2' does exist
h t ica nse
p a s lice
ra SQL> drop user kate;
ur P drop user kate
F lam *
ERROR at line 1:
ORA-01918: user 'KATE' does not exist
SQL> create user kate identified by oracle_4U;
User created.
SQL> grant create session to kate;
Grant succeeded.
SQL> revoke INHERIT PRIVILEGES ON USER KATE from public;

Chapter 4 - Page 42
Revoke succeeded.
SQL> create user u1 identified by oracle_4U default tablespace

users;
User created.
SQL> grant create session, create procedure to u1;
Grant succeeded.
SQL> create user u2 identified by oracle_4U default tablespace

users;
a ble
f e r
ans
User created.
n - t r
o
s an
SQL> grant create session, create table, unlimited tablespace to
u2;
) ha
c o m ideฺ
Grant succeeded.
m ailฺ t Gu
@ g den
SQL> create table u2.T1 ic
t (code S tu
a number);
a s h t hi s
p e
Table created.
( f pra to us
h t ica inton se u2.T1 values (1);
s
SQL> insert e
rapa lic
ur P 1 row created.
F lam
SQL> commit;
Commit complete.
SQL> grant select on u2.T1 to u1;
Grant succeeded.
SQL> grant select on u2.T1 to kate;
Grant succeeded.
SQL>
SQL>

Chapter 4 - Page 43
2. The developer U1 creates an invoker’s rights procedure that selects rows from the U2.T1
table.
The user U1 is granted the SELECT privilege on the U2.T1 table.
a. Connect as the U1 user.
SQL> connect u1

Connected.
SQL>
b. Create the U1.PROC2 procedure.
CREATE OR REPLACE PROCEDURE u1.proc2 (CODE in varchar2)
v_code number;
a ble
BEGIN
f e r
SELECT code INTO v_code FROM u2.t1;
ans
dbms_output.put_line('Code is: '||v_code);
n - t r
END PROC2;
a no
/
h a s
SQL> CREATE OR REPLACE PROCEDURE u1.proc2 m )(CODEeinฺ varchar2)
c o i d
a ilฺ Gu
v_code number; g m e n t
BEGIN
t i c a@ Stud
SELECT code INTO v_code
a s h FROM t h isu2.t1;
r ap use is: '||v_code);
dbms_output.put_line('Code
f p
END PROC2; ( to
i c a e
/
a s ht cens
r ap 2 3 li 4 5 6 7 8
mur P Procedure created.
Fla SQL>
c. Execute the procedure to test that it works successfully.
SQL> set serveroutput on
SQL> exec U1.PROC2('Code')
Code is: 1
SQL>

Chapter 4 - Page 44
d. The developer U1 grants the EXECUTE privilege to the KATE user.
SQL> grant execute on U1.PROC2 to KATE;
Grant succeeded.
SQL>
3. KATE wants to test the procedure.
a. KATE has no privilege on the U2.T1 table. KATE connects and executes the
procedure.
SQL> CONNECT kate
Connected.
a ble
SQL> set serveroutput on
f e r
ans
n - t r
no
BEGIN U1.PROC2('Code'); END;
s a
* h
) eฺ a
ERROR at line 1:
o m
ORA-06598: insufficient INHERIT PRIVILEGES a uid
ilฺc Gprivilege
ORA-06512: at "U1.PROC2", linegm 1 e n t
t i c a@ Stud
a s h this
SQL>
f p r ap use
b. KATE grants a (
the INHERIT to PRIVILEGES on user KATE to procedure owner U1 thus
i c
htU1 tocinherit e
ns her privileges during the execution of the procedure
a s
allowing
pSQL> grant e
li INHERIT PRIVILEGES ON USER kate TO U1;
r a
mur P
SQL>
c. KATE re-executes the procedure.
Code is: 1
SQL>

Chapter 4 - Page 45
4. Display the users being granted the INHERIT PRIVILEGES privilege. There is a new
object type, USER, and the table name is the username controlling who can access his
privileges when he runs an invoker’s rights procedure.
Connected.
SQL> COL privilege FORMAT A20

SQL> COL type FORMAT A6
SQL> COL table_name FORMAT A10
SQL> COL grantee FORMAT A8
SQL> select PRIVILEGE, TYPE, TABLE_NAME, GRANTEE
from DBA_TAB_PRIVS where grantee='U1' ORDER BY 4,1;
a ble
f e r
PRIVILEGE TYPE TABLE_NAME GRANTEE
ans
-------------------- ------ ---------- --------
n - t r
INHERIT PRIVILEGES USER KATE
a no U1
SELECT TABLE T1
h a s U1
m ) eฺ
o
SQL>
a ilฺc Guid
5. Beware that newly created users are grantedgthemINHERIT e n t PRIVILEGES privilege
t i c ud to PUBLIC. The KATE user had
a@ Sistgranted
because the INHERIT PRIVILEGES privilege
her INHERIT PRIVILEGES privilege
a s h revoked
t h is at the beginning of the practice.
a. Create a new user. ap e
f p r
SQL> CREATE( USER newuseru s
i c a e to IDENTIFIED BY newuser;
a s ht cens
r a li
pUser created.
u r P SQL>
m
Fla b. Check the privileges granted to NEWUSER.
SQL> select PRIVILEGE, TYPE, TABLE_NAME, GRANTEE
from DBA_TAB_PRIVS
where grantor='NEWUSER';
2 3 4
PRIVILEGE TYPE TABLE_NAME GRANTEE

-------------------- ------ ---------- --------
INHERIT PRIVILEGES USER NEWUSER PUBLIC
SQL> EXIT
$

Chapter 4 - Page 46
Practice 4-7: BEQUEATH Current_user Views by Using INHERIT
PRIVILEGES (Optional)
Overview
In this practice, you examine the different types of BEQUEATH views: the CURRENT_USER and
DEFINER views.
Assumption
The bequeath_setup.sql script is successfully completed.
Tasks
1. Make sure you are at the ~/labs/PRIV directory and your environment points to the orcl
instance. Connect under the SYSTEM user.
a ble
$ cd ~/labs/PRIV f e r
ans
$ . oraenv
n - t r
a no
The Oracle base for
ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1 is h a s
/u01/app/oracle m ) eฺ
o
$
a ilฺc Guid
2. Execute the bequeath_setup.sql script. The g n t users and grants
mscriptecreates
appropriate privileges to the developer c d user KATE.
aU1@andSthetuend
t i
$ sqlplus SYSTEM ash h is
ap use t
f p r
( ******
c a
Enter password:
i e to
Lasts t ens login time: Mon Jun 17 2013 09:51:24 +00:00
hSuccessful
a p a lic
r
u r P Connected to:
m
Fla Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -
64bit Production
SQL>
SQL> @bequeath_setup.sql
Connected.
REVOKE select any table from OE
*
ERROR at line 1:
ORA-01952: system privileges not granted to 'OE'
User dropped.
User dropped.

Chapter 4 - Page 47
User dropped.
User created.
Grant succeeded.
Revoke succeeded.
User created.
Grant succeeded.
a ble
f e r
SQL>
a n s
- t r
current user connected. n on the
3. The developer U1 creates a BEQUEATH CURRENT_USER view. The view displays
s a
a. The U1 user connects and creates the V_WHOAMI view. a
) h eฺ
SQL> CONNECT u1 m
co uid
i l ฺ
ma ent G
Connected. g
SQL> CREATE OR REPLACE VIEW
t i c S tud
[email protected]_whoami
a s h this
BEQUEATH CURRENT_USER
AS SELECTra p se
ORA_INVOKING_USER "WHOAMI" FROM DUAL;
3a ( f p o u
ic nse t
2
t
View hcreated.
s lice
p a
P ra SQL>
u r
m
Fla b. The developer checks that the V_WHOAMI view works successfully.
SQL> select * from U1.V_WHOAMI;
WHOAMI
---------------------------------------------------------
U1
SQL>

Chapter 4 - Page 48
4. The same developer U1 creates a BEQUEATH DEFINER view. The view displays the
current user connected.
a. The user U1 connects and creates the view V_WHOAMI_DEF.
SQL> CREATE OR REPLACE VIEW u1.v_whoami_def
BEQUEATH DEFINER
AS SELECT ORA_INVOKING_USER "WHOAMI" FROM DUAL;

2 3
View created.
SQL>
b. The developer checks that the V_WHOAMI_DEF view works successfully.
SQL> select * from U1.V_WHOAMI_DEF;
a ble
f e r
WHOAMI ans
n - t r
---------------------------------------------------------
o
U1
s an
) ha
SQL>
c o m ideฺ
ailฺ ontboth
5. The developer U1 grants the SELECT privilege to KATE
m G uviews.
SQL> grant SELECT on U1.V_WHOAMI @ n
g todeKATE;
h t ica is Stu
Grant succeeded. pas th
a
pr to us e
( f
t ica SELECT
SQL> grant
h n s e on U1.V_WHOAMI_DEF to KATE;
p a s lice
P ra Grant succeeded.
u r
m
Fla SQL>
6. KATE connects and selects data from the BEQUEATH DEFINER view.
SQL> CONNECT kate
Connected.
SQL> select * from U1.V_WHOAMI_DEF;
WHOAMI
--------------------------------------------------------
KATE
SQL>

Chapter 4 - Page 49
7. KATE selects data from the BEQUEATH CURRENT_USER view.
SQL> SELECT * FROM U1.V_WHOAMI;
select * from U1.V_WHOAMI
*
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
SQL>
8. KATE grants the INHERIT PRIVILEGES ON USER KATE to the view owner U1, allowing
U1 to use her privileges during the view execution.
SQL> grant INHERIT PRIVILEGES ON USER kate TO U1;
a ble
Grant succeeded. f e r
ans
n - t r
no
SQL>
9. a
KATE attempts the statement on the BEQUEATH CURRENT_USER view.
s
SQL> select * from U1.V_WHOAMI; h a
) eฺ
o m
a ilฺc Guid
WHOAMI
g m ent
t i c a@ Stud
----------------------------------------------------------
KATE
a s h this
SQL> EXIT f p r ap use
a ( to
$ i c
ht cens e
a s li
rap
mur P
Fla

Chapter 4 - Page 50
Practice 4-8: Managing Local and Common Privileges and Roles in
CDB and PDBs
Overview
In this practice, you will grant local and common privileges, create and grant local and common
roles in dbsec and in PDBs.
Tasks
1. Create the common C##U1 user in the root container and the local LOCAL_EMPLOYEES
users in PDB1 and PDB2.
$ . oraenv
a ble
The Oracle base for
f e r
ans
/u01/app/oracle
n - t r
a no
h a s
Connected to:
m ) e12.1.0.2.0
Oracle Database 12c Enterprise Edition oRelease ฺ
c i d -
64bit Production
m ailฺ t Gu
g denAnalytics and Real
With the Partitioning, OLAP, Advanced
@
h t ica is Stu
SQL> DROP USER a p as CASCADE;
e th
pr to us
C##U1
( f
t ica nse
User hdropped.
p a s lice
ra
ur P
SQL> CREATE USER C##U1 IDENTIFIED BY oracle_4U;
m
Fla User created.
SQL> GRANT CREATE SESSION TO C##U1 CONTAINER=ALL;
Grant succeeded.
Session altered.
SQL> DROP USER LOCAL_EMPLOYEE CASCADE;
User dropped.

Chapter 4 - Page 51
SQL> CREATE USER LOCAL_EMPLOYEE IDENTIFIED BY pass_pdb1;
User created.
SQL> GRANT CREATE SESSION TO LOCAL_EMPLOYEE;

Grant succeeded.
Session altered.
a ble
SQL> DROP USER LOCAL_EMPLOYEE CASCADE;
f e r
ans
User dropped.
n - t r
a no
s
SQL> CREATE USER LOCAL_EMPLOYEE IDENTIFIED BY apass_pdb2;
h
m ) eฺ
o
User created.
a ilฺc Guid
g m ent
SQL> GRANT CREATE SESSION aTO
t i c S tud
@LOCAL_EMPLOYEE;
a s h this
Grant succeeded.
f p r ap use
SQL> tic
a ( se to
p a sh licen
P r a
u r2.List all predefined roles in the CDB root container.
m
Fla SQL> COL role FORMAT A30
SQL> SELECT role, common, con_id
FROM cdb_roles
ORDER BY role, con_id;
2 3
ROLE COM CON_ID
------------------------------ --- ----------
ADM_PARALLEL_EXECUTE_TASK YES 1
APEX_ADMINISTRATOR_ROLE YES 1
APEX_GRANTS_FOR_NEW_USERS_ROLE YES 1

Chapter 4 - Page 52
AQ_ADMINISTRATOR_ROLE YES 1
AQ_ADMINISTRATOR_ROLE YES 3
…
CAPTURE_ADMIN YES 4
CDB_DBA YES 1
CDB_DBA YES 3
CDB_DBA YES 4
CONNECT YES 1
…
DBA YES 1
a ble
DBA YES 3
f e r
DBA YES 4
ans
…
n - t r
o
XS_RESOURCE
s an YES 1
XS_RESOURCE
) ha YES 3
XS_RESOURCE
c o m ideฺ YES 4
XS_SESSION_ADMIN
m ailฺ t Gu YES 1
XS_SESSION_ADMIN
@ g den YES 3
XS_SESSION_ADMIN
h t ica is Stu YES 4
p a s th
253 rows selected. a
pr to us e
( f
h t ica con_id,
SQL> select
n se name from v$pdbs;
s e
rapa lic
ur P
CON_ID NAME
m ---------- ------------------------------
Fla 2 PDB$SEED
3 PDB1
4 PDB2
The common role is replicated in each container. The container ID 1 is the root. It is not
listed in the V$PDBS view. The container ID 2 is the seed. The container ID 3 is the pdb1.
The container ID 4 is the pdb2.

Chapter 4 - Page 53
3. View all common roles of the root.
SQL> SELECT role, common
FROM cdb_roles
WHERE CON_ID = 1
ORDER BY role;
2 3 4
ROLE COM
------------------------------ ---
ADM_PARALLEL_EXECUTE_TASK YES
APEX_ADMINISTRATOR_ROLE YES
APEX_GRANTS_FOR_NEW_USERS_ROLE YES
AQ_ADMINISTRATOR_ROLE YES
a ble
AQ_USER_ROLE YES
f e r
AUDIT_ADMIN YES
ans
AUDIT_VIEWER YES
n - t r
n o
…
s a
CDB_DBA YES
) ha
CONNECT YES
c o m ideฺ
…
m ailฺ t Gu
DBA
@ g den
YES
…
t tu
ica is SYES
XS_RESOURCE
a s h th YES
a p e
pr to us
XS_SESSION_ADMIN
(
a se f
h t icselected.
p a s licen
84 rows
ra
ur P
SQL>
m
Fla
Notice that all roles of the root are common: there cannot be any local roles in the root.
4. List all local roles in PDBs.
SQL> SELECT role, con_id
FROM cdb_roles
WHERE common = 'NO' ;
2
ROLE CON_ID
------------------------------------------------ ----------
HR_MGR 3
SQL>

Chapter 4 - Page 54
5. Create a common C##_ROLE in root.
SQL> CREATE ROLE c##_role CONTAINER=ALL;
Role created.
SQL>
6. Attempt to create a LOCAL_ROLE local role in root.
SQL> CREATE ROLE local_role CONTAINER=CURRENT;
CREATE ROLE local_role CONTAINER=CURRENT
*
ERROR at line 1:
ORA-65049: creation of local user or role is not allowed in
a ble
CDB$ROOT
f e r
ans
SQL> n - t r
o
an
You get an error message because no local role is authorized in root.
s
7. Create a common role in pdb2.
) ha
c o m ideฺ
ailฺ t Gu
m
g den
Connected. @ tu
SQL> CREATE ROLE c##_role_PDB2
h t ica is S container=ALL;
p a
create role c##_role_PDB2 s h
tcontainer=ALL
a
pr to us e
*
( f
t
ERROR at
h icalinens1:e
a s liceCommon DDLs only allowed in CDB$ROOT
ORA-65050:
p
P ra
r
mu SQL>
Fla You get an error message because no common role can be created from a PDB.
8. Create a local role in pdb2.
SQL> CREATE ROLE local_role_PDB2 container=CURRENT;
Role created.
SQL> select ROLE, COMMON from dba_roles order by role;
ROLE COM
------------------------------ ---
ADM_PARALLEL_EXECUTE_TASK YES
APEX_ADMINISTRATOR_ROLE YES
…
C##_ROLE YES

Chapter 4 - Page 55
CDB_DBA YES
CONNECT YES
…
DBA YES
…
LBAC_DBA YES
LOCAL_ROLE_PDB2 NO
…
PDB_DBA YES
…
XS_RESOURCE YES
XS_SESSION_ADMIN YES
a ble
f e r
86 rows selected.
ans
n - t r
SQL> n o
s a
9. Grant common or local roles as common or local.
ha
a. Grant a common role to a common user from root. m) e ฺ
c o i d
m ailฺ t Gu
Connected.
@ g den
SQL> GRANT c##_role TO c##u1;
h t ica is Stu
p a s th
Grant succeeded. a
pr to us e
( f
h t icagrantee
n se FORMAT A16
s
SQL>
pSQL>
COL
e
a COL ligranted_role
c
P r a FORMAT A18
mur SQL> SELECT grantee, granted_role, common, con_id
Fla
FROM cdb_role_privs
WHERE grantee='C##U1';
2 3
GRANTEE GRANTED_ROLE COM CON_ID
---------------- ------------------ --- ----------
C##U1 C##_ROLE NO 1
SQL>
Note that the common role is granted locally to the common user. The granted role is only
applicable in root.
SQL> connect c##u1
Connected.
SQL> select * from session_roles;
ROLE

Chapter 4 - Page 56
------------------------------
C##_ROLE
SQL> connect c##u1@PDB2

Connected.
no rows selected
SQL>
b. Now grant the common role to a common user from the root as common, to be
applicable in all containers. a ble
f e r
ans
Connected.
n - t r
o
SQL> grant c##_role to c##u1 container=all;
s an
) ha
Grant succeeded.
c o m ideฺ
m ailฺ t Gu
SQL>
@ g den
h t i ca s Stu
SQL> col grantee format
p a s A16thi
SQL> col GRANTED_ROLE
p r a uformat
s e A18
SQL> select a f
( GRANTEE,to GRANTED_ROLE, COMMON, CON_ID
i c
t cdb_role_privs
hfrom ns e
a s li c e where grantee='C##U1';
r ap 2
mur P GRANTEE GRANTED_ROLE COM CON_ID
Fla
---------------- ---------------- --- ----------
C##U1 C##_ROLE NO 1
C##U1 C##_ROLE YES 1
SQL> connect c##u1

Connected.
ROLE
------------------------------
C##_ROLE

Chapter 4 - Page 57
SQL> connect c##u1@PDB2
Connected.
ROLE
------------------------------
C##_ROLE
SQL>
10. Revoke the common role from the common user so that the role cannot be used in any
container.
a ble
f e r
Connected.
ans
SQL> revoke c##_role from c##u1 container=all;
n - t r
o
s an
ha
Revoke succeeded.
)
m ideฺ
c o
ailฺ t Gu
SQL> connect c##u1
Enter password: ****** m
g den
@
ica is Stu
Connected.
h t
s
ROLE
a p a e th
( f pr to us
------------------------------
t
C##_ROLE
h ica nse
p a s lice
ra SQL> connect c##u1@PDB2
m ur P Enter password: ******
Fla Connected.
no rows selected
SQL>
11. Grant a common role to a local user from the root.
Connected.
SQL> grant c##_role to local_employee;
grant c##_role to local_employee
*
ERROR at line 1:
ORA-01917: user or role 'LOCAL_EMPLOYEE' does not exist

Chapter 4 - Page 58
SQL>
Note that the user is unknown in root. It is a local user in pdb2.
12. Grant a common role to a local user in pdb2.
SQL> connect system@PDB2

Connected.
SQL> grant c##_role to local_employee;
Grant succeeded.
SQL> select GRANTEE, GRANTED_ROLE, COMMON, CON_ID

a ble
from cdb_role_privs where grantee='LOCAL_EMPLOYEE';
f e r
ans
2
n - t r
no
---------------- ---------------- --- ----------
s a
LOCAL_EMPLOYEE C##_ROLE NO 4 h
) eฺa
o m
SQL> a ilฺc Guid
Note that the user is granted a common role g m (common
locally e n t column = NO) applicable only
in pdb2. t i c a@ Stud
a
13. Test the connection as the locals h thipassword
user. The
s is pass_pdb2.
r a p e
SQL> connectfp
( us
local_employee@PDB2
t o
t ica nse******
Enter password:
h
a s lice
Connected.
p
P ra SQL> select * from session_roles;
u r
m
Fla ROLE
------------------------------
C##_ROLE
SQL>
14. Grant a common role to a local user from pdb2 applicable in all containers.
SQL> connect system@PDB2
Connected.
SQL> grant c##_role to local_employee container=all;
grant c##_role to local_user_pdb2 container=all
*
ERROR at line 1:
ORA-65030: one may not grant a Common Privilege to a Local User
or Role

Chapter 4 - Page 59
SQL>
Notice that a common role cannot be granted globally from a PDB.
15. Grant a local role to a local user from pdb2.
SQL> grant local_role_pdb2 to local_employee;
Grant succeeded.
SQL> select GRANTEE, GRANTED_ROLE, COMMON, CON_ID

from cdb_role_privs where grantee='LOCAL_EMPLOYEE';
2
a ble
---------------- ------------------ --- ----------
f e r
ans
LOCAL_EMPLOYEE C##_ROLE NO 4
n - t r
LOCAL_EMPLOYEE LOCAL_ROLE_PDB2 NO 4
o
s an
SQL>
) ha
16. Test the connection as the local user.
c o m ideฺ
SQL> connect local_employee@PDB2 ai
lฺ Gu
g m e n t
t i c a@ Stud
Connected.
s h this
SQL> select * fromasession_roles;
f p r ap use
ROLEe ica
( to
ht cens e
a s
pC##_ROLE li
------------------------------
r a
u r P LOCAL_ROLE_PDB2
m
Fla SQL> EXIT
$

Chapter 4 - Page 60
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 5:
o uid
a ilฺc G
Encryption Concepts
g m ent
c a @ tu5 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 5: Encryption Concepts

Chapter 5 - Page 1
Lesson Overview
There are no practices for this lesson.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
Practices for Lesson 5: Encryption Concepts

Chapter 5 - Page 2
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 6: Using
o
ilฺc Guid
Application-Based
a
g m ent
Encryption
t i c a@ Stud
a s h thChapter
is 6
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 6: Using Application-Based Encryption

Chapter 6 - Page 1
Practice 6-1: Using DBMS_CRYPTO for Encryption
Overview
In this practice, you create functions to encrypt and decrypt data, and create a KEYS table.
Then, by using the functions, you encrypt and decrypt column data. You also apply an SHA-1
message digest to the column to verify integrity.
Tasks
1. Review and execute the crypto_random.sql script in the /home/oracle/labs/ENC
directory, which performs the following actions:
• Adds a credit card column to the CUSTOMERS table
• Creates the ENCRYPT function for AES encryption
• Creates the DECRYPT function for AES decryption a ble
f e r
• Creates a KEYS table to hold a 128-bit key value (KEY RAW (16))
ans
• Inserts a key value generated by DBMS_CRYTPO.RANDOM_BYTES
n - t r
• no
Shows the key value that has been generated. Yours may be different that the one
a
shown.
h a s
$ cd ~/labs/ENC m ) eฺ
o
$ . oraenv
a ilฺc Guid
g m ent
The Oracle base for
t i c a@ Stud
a s h this
ap use
/u01/app/oracle
f p r
$ rm –f @$HOME/labs/ENC/show_creditcard.sql >> /dev/null 2>&1
(
i c a e to
$ sqlplus /nolog @$HOME/labs/ENC/crypto_random.sql
a s ht cens
rapSQL*Plus:li Release 12.1.0.2.0 Production on Tue May 28 08:10:00
ur P 2013
F lam
SQL>
SQL> --- Grant Execute on DBMS_CRYPTO TO OE ---
SQL>
Connected.
SQL>
SQL> GRANT EXECUTE ON DBMS_CRYPTO TO OE;
Grant succeeded.
SQL>
SQL>

Chapter 6 - Page 2
SQL> CONNECT oe/oracle_4U
Connected.
SQL>
SQL> -- Alter the customers table to hold an
SQL> -- encrypted CREDITCARD Number
SQL>
SQL> ALTER TABLE customers DROP column credit_card_num;
ALTER TABLE customers DROP column credit_card_num
*
ERROR at line 1:
ORA-00904: "CREDIT_CARD_NUM": invalid identifier
a ble
f e r
SQL>
ans
SQL> ALTER TABLE customers ADD credit_card_num RAW(2000);
n - t r
o
s an
Table altered.
) ha
c o m ideฺ
ailฺ t Gu
SQL>
SQL> m
g and e n
@ d
ica is Stu
SQL> --- Create the encrypt_value
SQL> -- decrypt_value
s h tfunctions
SQL> a p a e th
SQL> create(for prreplace
t o usfunction encrypt_value
2
h t ica( nse
p 3s
a l i c e p_in in varchar2,
ra
ur P
4 p_key in raw
m 5 )
Fla 6 return raw is
7 l_enc_val raw (2000);
8 l_mod number := dbms_crypto.ENCRYPT_AES128
9 + dbms_crypto.CHAIN_CBC
10 + dbms_crypto.PAD_PKCS5;
11 begin
12 l_enc_val := dbms_crypto.encrypt
13 (
14 UTL_I18N.STRING_TO_RAW
15 (p_in, 'AL32UTF8'),
16 l_mod,
17 p_key
18 );
19 return l_enc_val;

Chapter 6 - Page 3
20 end;
21 /
Function created.
SQL>
SQL>
SQL> create or replace function decrypt_value
2 (
3 p_in in raw,
4 p_key in raw
5 )
a ble
6 return varchar2
f e r
7 is
ans
8 l_ret varchar2 (2000);
n - t r
o
9 l_dec_val raw (2000);
s an
10 l_mod
ha
number := dbms_crypto.ENCRYPT_AES128
)
11
m ideฺ
+ dbms_crypto.CHAIN_CBC
c o
ailฺ t Gu
12 + dbms_crypto.PAD_PKCS5;
13 begin m
g den
@
ica is Stu
14 l_dec_val := dbms_crypto.decrypt
15 (
s h t
16 a p
p_in, a e th
17 ( f pr to us
l_mod,
18
h t ica nsep_key
p a
19s lice );
ra
ur P
20 l_ret:= UTL_I18N.RAW_TO_CHAR
m 21 (l_dec_val, 'AL32UTF8');
Fla 22 return l_ret;
23 end;
24 /
Function created.
SQL>
SQL>
SQL> -- Create KEYS table
SQL> DROP TABLE KEYS;
DROP TABLE KEYS
*
ERROR at line 1:

Chapter 6 - Page 4
SQL>
SQL>
SQL> CREATE TABLE KEYS (KEY_VALUE RAW(16));
Table created.
SQL>
SQL> -- get a KEY and store it in KEYS
SQL>
SQL> INSERT INTO KEYS
a ble
2 SELECT DBMS_CRYPTO.RANDOMBYTES(16) FROM DUAL;
f e r
ans
1 row created.
n - t r
o
s an
SQL>
) ha
SQL>
c o m ideฺ
ailฺ t Gu
SQL> COMMIT;
m
g den
@
ica is Stu
Commit complete.
s h t
SQL> a p a e th
SQL> SELECT ( f p*rFROMto KEYS;
us
h t ica nse
p a s lice
KEY_VALUE
ra
ur P
--------------------------------
m AD4C95D0E9D1F31DE5106463F3C103AB
Fla
SQL>
2. As user oe, update one of the customer’s rows with a credit card number.
SQL> CONNECT oe/******
Connected.
SQL> UPDATE customers
SET credit_card_num = '123456789012345678901234'
WHERE customer_id = 101;
2 3
1 row updated.
SQL> COMMIT;
Commit complete.

Chapter 6 - Page 5
SQL>
3. Verify the update by selecting the credit card number of the row just updated. Save this
script because you will select this column several times in this practice. If the
show_creditcard.sql script already exists, replace it.
SQL> SELECT credit_card_num

FROM customers
CREDIT_CARD_NUM
----------------------------------------------------------
123456789012345678901234
a ble
f e r
SQL> save show_creditcard.sql
ans
Created file show_creditcard.sql
n - t r
o
an
SQL>
4. Encrypt the credit card number by using the function created in step
ha s
1.
SQL> DECLARE )
m ideฺ
c o
l_key RAW(16);
m ailฺ t Gu
BEGIN
@ g FROM d e n
SELECT key_value INTO
t i c a Stu KEYS;
l_key
a s h this
r ap use
UPDATE customers
f p
SET ( credit_card_num
i c a e to
s h t ens = encrypt_value(credit_card_num, l_key)
r a pa WHERE lic customer_id = 101;

m ur P COMMIT;
Fla END;
/
2 3 4 5 6 7 8 9 10 11 12 13
SQL>
5. Verify the encryption by selecting the credit card number of the row just updated. The
output is expected to be different than the sample. In some cases, the output may clear the
screen.
SQL> SELECT UTL_I18N.RAW_TO_CHAR(credit_card_num, 'AL32UTF8')
FROM customers
UTL_I18N.RAW_TO_CHAR(CREDIT_CARD_NUM,'AL32UTF8')

Chapter 6 - Page 6
--------------------------------------------------------------
?,C??V<???O)>?P?E????
6. Using the function created in step 1, select the decrypted column.
SQL>
SQL> SELECT decrypt_value(credit_card_num,

(SELECT key_value FROM KEYS))
FROM customers
DECRYPT_VALUE(CREDIT_CARD_NUM,(SELECTKEY_VALUEFROMKEYS))
---------------------------------------------------------
a ble
123456789012345678901234
f e r
ans
SQL>
n - t r
7. Update the CUSTOMERS table with the decrypted credit card number.
a no
h a s
m ) eฺ
SET credit_card_num=decrypt_value(credit_card_num,
o uid keys))
ilฺc GFROM
(SELECT key_value
a
WHERE customer_id = 101;gm
e n t
2 3 4
t i c a@ Stud
1 row updated.
a s h this
f p r ap use
a
SQL> commit; ( to
i c
ht cens e
a s li
rapCommit complete.
mur P
Fla
SQL>
8. Verify that the update worked by selecting the credit card number.
SQL> SELECT credit_card_num
FROM customers
CREDIT_CARD_NUM
---------------------------------------------------------
123456789012345678901234
SQL>

Chapter 6 - Page 7
Practice 6-2: Checksumming by Using the HASH Function
Overview
In this practice, you checksum a credit card number value by using the HASH function of
DBMS_CRYPTO package.
Tasks
1. What happens when you try to produce an SHA-1 checksum on the CREDIT_CARD_NUM
column? Why?
Because the procedures and functions in DBMS_CRYPTO are overloaded, the Oracle
instance cannot determine the correct version of the function to call. To correct this, wrap
the call in a PL/SQL function (as was done with encryption and decryption in the first step of
this practice).
a ble
SQL> SELECT DBMS_CRYPTO.HASH(credit_card_num,
f e r
DBMS_CRYPTO.HASH_SH1)
ans
n - t r
no
FROM customers
s a
h a
DBMS_CRYPTO.HASH_SH1)
) eฺ
* o m
ERROR at line 2: a ilฺc Guid
g m ent
ORA-06553: PLS-221: 'HASH_SH1' is not a procedure or is
undefined
t i c a@ Stud
a s h this
f p r ap use
SQL> a ( to
i c
ht script e
s a function called CHECKSUM that produces an SHA-1 hash of
ncreates
a s
2. The hash.sql
c e
p Reviewli and execute hash.sql.
theainput.
r
mur P SQL> @$HOME/labs/ENC/hash.sql
Fla SQL> SET ECHO OFF
SQL>
SQL> CONNECT oe
Enter password: *****
Connected.
SQL>
SQL> CREATE OR REPLACE FUNCTION checksum (
2 p_raw_input RAW)
3 RETURN RAW
4 IS
5 v_checksum RAW(20);
6 BEGIN
7 v_checksum :=
8 DBMS_CRYPTO.HASH(
9 src => p_raw_input,

Chapter 6 - Page 8
10 typ => DBMS_CRYPTO.HASH_SH1);
11
12 RETURN v_checksum;
13 END;
14 /
Function created.
SQL>
3. Use the function created in the previous step to produce a checksum for the credit card
number.
SQL> SELECT checksum (credit_card_num)
FROM customers
a ble
f e r
ans
CHECKSUM(CREDIT_CARD_NUM)
n - t r
---------------------------------------------------------
a no
196FB5FB06A63A73D0F1D31D6E985C996C3AEFE9
h a s
m ) eฺ
SQL> o
lฺc Guid
a i
4. Change the credit card number in the table. m
g e n t
t i c a@ Stud
SET
s h th=is'123456789A12345678901234'
credit_card_num
a
r ap use= 101;
WHERE customer_id
f p
2
i
3
c a ( se to
1 row tupdated.
p a sh licen
P ra SQL> COMMIT;
u r
m
Fla Commit complete.
SQL>
5. Verify that the checksum has changed by using the function created in step 2. Compare the
checksum to the value produced in step 3.
SQL> SELECT checksum (credit_card_num)
FROM customers
CHECKSUM(CREDIT_CARD_NUM)
---------------------------------------------------------
C2578E5407A57A042B24EC0CFBDF418DB62F526F
SQL>

Chapter 6 - Page 9
6. Notice that the hash function produces the same value for the same input by running it
manually.
SQL> SELECT checksum ('123456789A12345678901234')
2 FROM dual;
CHECKSUM('123456789A12345678901234')
---------------------------------------------------------
C2578E5407A57A042B24EC0CFBDF418DB62F526F
SQL>
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 6 - Page 10
Practice 6-3: Preparing for Tablespace Encryption
Overview
In this practice, you will start the Enterprise Manager machine to permit time for the Enterprise
Manager Cloud Control to start. Cloud Control is used for bulk segment movement to encrypted
tablespaces.
Tasks
1. Exit SQL*Plus and the host machine.
SQL> exit
a ble
f e r
[oracle@db1 ~]$ exit
ans
logout n - t r
Connection to db1 closed.
a no
[Host Desktop]$
h a s
2. Start the em13 machine. m ) eฺ
o
[Host Desktop]$ sudo xm create em13 a ilฺc Guid
g m ent
a@ Stud
Using config file "/etc/xen/em13".
Started domain em13 (id=12) t i c
hxm list
a s t h is
ap use ID Mem VCPUs
[Host Desktop]$ sudo
Name
( f p r State Time(s)
t o
db1sh
tica ense
Domain-0 0 1024
1 3072
2
1
r----- 311839.2
-b---- 101346.4
p a l i c
P ra em13 12 9216 1 ------ 4.8
r
mu
[Host Desktop]$
Fla

Chapter 6 - Page 11
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 6 - Page 12
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 7:
o uid
Applying
a ilฺc Transparent
G Data
m
g den
Encryption t
@ tu7
h t ica Chapter
s S
p a s
e t hi
( f pra to us
h t ica nse
p a s lice
ra
mur P
Fla
Practices for Lesson 7: Applying Transparent Data Encryption

Chapter 7 - Page 1
Practice 7-1: Configuring the Password-Based Keystore for TDE
Overview
In this practice, you configure a password-based keystore for a non-CDB and a password-
based keystore for a CDB. Then you set the master key for the non-CDB and the master key for
each PDB of the CDB.
In the sqlnet.ora file, you must set the ENCRYPTION_WALLET_LOCATION parameter to

specify the keystore location. When determining which keystore to use, Oracle Database
searches for the keystore location in the following places, in this order:
1. First, it attempts to use the keystore in the location specified by the
ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file.
2. If the ENCRYPTION_WALLET_LOCATION parameter is not set, then it attempts to use
the keystore in the location that is specified by the WALLET_LOCATION parameter.
a ble
3. If the WALLET_LOCATION parameter is also not set, then Oracle Database looks for a
f e r
keystore at the default database location, which is
ans
$ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet or
n - t r
$ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. (DB_UNIQUE_NAME is the unique
a no
h a s
name of the database specified in the initialization parameter file.) When the keystore
) eฺ
location is not set in the sqlnet.ora file, then the V$ENCRYPTION_WALLET view
m
o
displays the default location. You can check the location and status of the keystore in the
V$ENCRYPTION_WALLET view. a ilฺc Guid
g m ent
t i c a@ Stud
Assumptions
a s h this
This practice is performed on
f p r athep db1uhost
s e using the orcl and dbsec database instances.
Enterprise Manager Cloud
a ( Controltowill be used and the em13 machine should be started as
described in Practice
h c
t ense
i 6-3.
pa s lic
r a
u rP
Task
m
Fla 1. Prepare the orcl database for encryption.
a. Create a directory for the unique Oracle password-based keystore for the database in
$ORACLE_BASE/admin/orcl/wallet if it does not exist. The directory and wallet
may have already been created as part of the Enterprise User Security database
registration process. If it exists, as shown in this example, move it out of the way.
$ . oraenv
The Oracle base for
/u01/app/oracle
$ ls -d $ORACLE_BASE/admin/orcl/wallet
/u01/app/oracle/admin/orcl/wallet
$ mv $ORACLE_BASE/admin/orcl/wallet
$ORACLE_BASE/admin/orcl/wallet.old
$ ls –d $ORACLE_BASE/admin/orcl/wallet

Chapter 7 - Page 2
ls: cannot access /u01/app/oracle/admin/orcl/wallet: No such
file or directory
$ mkdir $ORACLE_BASE/admin/orcl/wallet
b. Connect to the orcl database instance as a user who possesses the SYSKM privilege
to create the password-based keystore.
$ sqlplus / as syskm
Connected to:
64bit Production
a ble
f e r
ans
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
n - t r
'/u01/app/oracle/admin/orcl/wallet'
a no
IDENTIFIED BY secret;
h a s
2 3
m ) eฺ
o
ilฺc Guid
keystore altered.
a
m ent
g
a@ Stud
SQL> EXIT
$ t i c
h this
a s
p insthe
c. Verify that the file is created appropriate directory.
r a e
(fp to u
$ ls -l /u01/app/oracle/admin/orcl/wallet
a
total t4ic se
a s h e n
a p-rw-r--r--l ic 1 oracle oinstall 2408 Jun 18 06:46 ewallet.p12
r
ur P
$
m d. Open the keystore.
Fla $ sqlplus / as syskm
Connected to:
64bit Production
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN

2
keystore altered.
SQL>

Chapter 7 - Page 3
e. Generate the master encryption key. The clause WITH BACKUP USING is mandatory
and creates a backup of the keystore before the master key is created and stored in
the keystore.
SQL> ADMINISTER KEY MANAGEMENT SET KEY
IDENTIFIED BY secret
WITH BACKUP
USING 'for_12c';
2 3 4
keystore altered.
SQL>
f. Verify that the keystore has been backed up before master key generation. Note that
the backup file name includes the date and time of backup.
a ble
f e r
SQL> !ls -l /u01/app/oracle/admin/orcl/wallet
ans
-rw-r--r-- 1 oracle oinstall 2408 Dec 14 07:18
n - t r
ewallet_2016121412180617_for_12c.p12
a no
-rw-r--r-- 1 oracle oinstall 4112 Dec 14 07:18 ewallet.p12
h a s
m ) eฺ
SQL> o
lฺc All uid master keys are
a
Notice that if you regenerate the master key, the fileigrows. Gprevious
g
kept for data that could have used the previous n t
mmasterekeys.
SQL> ADMINISTER KEY MANAGEMENT t i c a@ S tudKEY
SET
a s h this IDENTIFIED BY secret;
r p MANAGEMENT
aKEY s e
2 ADMINISTER
( f p t o u SET KEY
*
h t i ca nse
a
ERROR
p s at lilinec e 1:
P ra ORA-46631: keystore needs to be backed up
mur
Fla SQL> ADMINISTER KEY MANAGEMENT SET KEY
IDENTIFIED BY secret
WITH BACKUP;
2 3
keystore altered.
SQL> !ls /u01/app/oracle/admin/orcl/wallet
ewallet_2016121412180617_for_12c.p12
ewallet_2016121412204022.p12
ewallet.p12
SQL>
g. Back up the keystore that contains the current master key.
SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE

Chapter 7 - Page 4
2
keystore altered.
SQL> !ls -l /u01/app/oracle/admin/orcl/wallet

total 24
-rw-r--r--. 1 oracle oinstall 2408 Dec 14 07:18
ewallet_2016121412180617_for_12c.p12
ewallet_2016121412201448.p12
ewallet_2016121412204022.p12
a ble
-rw-r--r--. 1 oracle oinstall 6048 Dec 14 07:20 ewallet.p12 f e r
ans
Notice that both the current and the backup files have the same size.
n - t r
h. View the keystore file location from the view.
a no
SQL> SELECT WRL_PARAMETER, STATUS, WALLET_TYPE, CON_ID
h a s
FROM V$ENCRYPTION_WALLET;
m ) eฺ
o
2
a ilฺc Guid
WRL_PARAMETER
g m ent
STATUS WALLET_TYPE CON_ID
t i c a@ Stud
--------------------------------- ------ -------------- ------
a s h this
/u01/app/oracle/admin/orcl/wallet OPEN PASSWORD 0
f p r ap use
SQL> EXIT
a ( to
$ i c
ht cemultitenant
ns e
2. Prepare
p a s li
the dbsec container database for encryption.
r a
ur P
a. Create a directory for the unique Oracle password-based keystore for the CDB in
$ORACLE_BASE/admin/dbsec/wallet if it does not exist.
m
Fla $ . oraenv
The Oracle base remains unchanged with value /u01/app/oracle
$ mkdir $ORACLE_BASE/admin/dbsec/wallet
$
b. Connect to the dbsec instance as a user who has been granted the SYSKM privilege to
create the password-based keystore.
Connected to:
64bit Production

Chapter 7 - Page 5
SQL>
c. Display the default keystore location.
SQL> COLUMN wrl_parameter FORMAT A34
SQL> COLUMN status FORMAT A14
SQL> COLUMN wallet_type FORMAT A12
SQL> SELECT WRL_PARAMETER, STATUS, WALLET_TYPE

2
WRL_PARAMETER STATUS WALLET_TYPE

---------------------------------- -------------- ------------
/u01/app/oracle/admin/dbsec/wallet NOT_AVAILABLE UNKNOWN
a ble
f e r
SQL>
ans
d. Create the keystore. n - t r
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE a no
h a s
'/u01/app/oracle/admin/dbsec/wallet'
m ) eฺ
o
ilฺc Guid
IDENTIFIED BY secret_dbsec;
2 3 a
m ent
g
a@ Stud
keystore altered.
t i c
h this
a s
SQL> !ls -l /u01/app/oracle/admin/dbsec/wallet
f p r ap use
a ( 1 oracle
to oinstall 2408 Dec 14 07:34 ewallet.p12
i c
-rw-r--r--.
ht cens e
a s li WRL_PARAMETER, STATUS, WALLET_TYPE, CON_ID
r apSQL> SELECT
ur P FROM V$ENCRYPTION_WALLET;
F lam 2
---------------------------------- -------------- ------------
CON_ID
----------
/u01/app/oracle/admin/dbsec/wallet CLOSED UNKNOWN
0
SQL>
e. Open the keystore for all PDBS.
IDENTIFIED BY secret_dbsec
CONTAINER = ALL;
2 3
keystore altered.

Chapter 7 - Page 6
2

---------------------------------- -------------- ------------

CON_ID
----------
/u01/app/oracle/admin/dbsec/wallet OPEN_NO_MASTER PASSWORD
_KEY
0
SQL>
a ble
Notice that the status explains that the master key has not yet been generated in the
f e r
keystore.
ans
f. The application data is stored in the PDBs. Generate a master key for each of the
n - t r
o
an
PDBs in dbsec.
ha s
Connected. )
m ideฺ
c o
ailฺ t Gu
SQL> SELECT name FROM v$pdbs;
m
g den
@
ica is Stu
NAME
s h t
------------------------------
PDB$SEED a p a e th
PDB1 ( f pr to us
PDB2 tic
a se
a h
s licen
r a p
r P
u g.
SQL>
m Generate a master key for pdb1.
Fla 1) Grant the SYSKM privilege to the keystore manager of each PDB.
SQL> ALTER USER syskm IDENTIFIED BY oracle_4U ACCOUNT UNLOCK
CONTAINER=ALL;
User altered.
SQL> CREATE USER c##km IDENTIFIED BY oracle_4U;
User created.
SQL> GRANT syskm TO c##km CONTAINER=ALL;
Grant succeeded.

Chapter 7 - Page 7
SQL>
2) Connect to pdb1 to generate the master key.
SQL> CONNECT c##km@pdb1 AS SYSKM
Connected.
SQL>
3) Generate the master key.
WITH BACKUP
CONTAINER=CURRENT;
2 3 4 ADMINISTER KEY MANAGEMENT SET KEY
a ble
f e r
*
ans
ERROR at line 1:
n - t r
ORA-46671: master key not set in root container
a no
h a s
SQL> CONNECT / AS SYSKM
m ) eฺ
Connected. o
lฺc Guid
SQL> ADMINISTER KEY MANAGEMENT SETaiKEY
g m e n t BY secret_dbsec
a@ S tudBACKUP;
IDENTIFIED
t i c
hKEY MANAGEMENT WITH
a s t h is
2 3 ADMINISTER
a p e SET KEY
*
( f pr to us
ERROR at
h t icalinens1:e
a s licepassword-based keystore is not open
ORA-28417:
p
ra
m ur P SQL>
Fla Notice that the keystore was automatically closed.
2
---------------------------------- -------------- ------------
CON_ID
----------
/u01/app/oracle/admin/dbsec/wallet CLOSED PASSWORD
0
CONTAINER = ALL;

Chapter 7 - Page 8
2 3
keystore altered.
SQL>
4) Generate the master key in the root container.

WITH BACKUP
CONTAINER = ALL;
2 3 4
keystore altered.
a ble
f e r
ans
2 n - t r
o
WRL_PARAMETER STATUS an
WALLET_TYPE
s
ha
---------------------------------- -------------- ------------
)
CON_ID
c o m ideฺ
----------
m ailฺ t Gu
@ g den
/u01/app/oracle/admin/dbsec/wallet OPEN PASSWORD
0
h t ica is Stu
SQL>
p a s th
a
pr to us e
SQL> SELECT KEY_ID, KEYSTORE_TYPE, KEY_USE,
( f
ACTIVATING_DBNAME, ACTIVATING_PDBNAME
h t ica nse
FROM V$ENCRYPTION_KEYS;
p a2s lice
3
ra
m ur P KEY_ID
Fla ----------------------------------------------------------------
--
KEYSTORE_TYPE KEY_USE ACTIVATING_DBNAME
----------------- ---------- ------------------------------
ACTIVATING_PDBNAME
------------------------------
AS8uMARZuE/mvzLJ7ZZ71j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SOFTWARE KEYSTORE TDE IN PDB dbsec
CDB$ROOT
AUGgBkmeY0/WvzuSCzsIuQ8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CDB$ROOT
ATkamfAyOE8EvxdeCYrruKkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Chapter 7 - Page 9
PDB1
Afuj/VB5Gk/Ov252HczmgdQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PDB2
SQL>
Notice that the command generated one master key for each container including the root
container.
5) Generate a master key for pdb1.
a ble
f e r
Connected.
ans
SQL> n - t r
o
s an
ha
)
WITH BACKUP
c o m ideฺ
ailฺ t Gu
CONTAINER = CURRENT;
m
2 3 4
@ g den
keystore altered.
h t ica is Stu
p a s th
SQL> SELECT KEY_ID,a
pr to us e
KEYSTORE_TYPE, KEY_USE,
( f
icaV$ENCRYPTION_KEYS;
s h t
FROM
e n se
rapa2 3 lic
mur P KEY_ID
Fla
----------------------------------------------------------------
--
KEYSTORE_TYPE KEY_USE ACTIVATING_DBNAME
----------------- ---------- ------------------------------
ACTIVATING_PDBNAME
------------------------------
AWZwoj/XQU9yv+6NKEmoHc4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PDB1
ATkamfAyOE8EvxdeCYrruKkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PDB1
SQL>

Chapter 7 - Page 10
Notice that the command generated another master key for the pdb1 container.
h. Generate a master key for pdb2.
Connected.

WITH BACKUP
CONTAINER = CURRENT;
2 3 4
keystore altered.
a ble
SQL> SELECT KEY_ID, KEYSTORE_TYPE, KEY_USE,
f e r
ans
FROM V$ENCRYPTION_KEYS; n - t r
o
2 3
s an
KEY_ID
) ha
c o m ideฺ
----------------------------------------------------------------
ailฺ t Gu
--
KEYSTORE_TYPE KEY_USE m
g den
ACTIVATING_DBNAME
@
ica is Stu
----------------- ---------- ------------------------------
ACTIVATING_PDBNAME
s h t
a p a
------------------------------e th
( f pr to us
AdjYW0wSi0+Qv7Tjc9E7nlcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
h t ica nse
p a s lice
PDB2
ra
m ur P Afuj/VB5Gk/Ov252HczmgdQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Fla SOFTWARE KEYSTORE TDE IN PDB dbsec
PDB2
SQL> EXIT
$
Notice that the command generated another master key for the pdb2 container.

Chapter 7 - Page 11
Practice 7-2: Implementing Table Column Encryption
Overview
In this practice, you create a table that contains an encrypted column. You view the data in the
format that is stored on disk before and after encryption. You create an index on the encrypted
column. You demonstrate that range scans are possible. You grant access to the column for a
particular user, and you demonstrate that any user with proper privileges can view the
unencrypted data.
Tasks
1. When transparent data encryption (TDE) is applied to columns in the database, what does
the application developer do to be sure that the application can handle the encrypted
columns?
a. Increase the size of the fields and the variables holding the values from the encrypted
a ble
columns.
f e r
b. Add error handling for column overruns. ans
c. Add error handling for missing keys. n - t r
d. Nothing a no
Answer: d. Nothing h a s
m ) eฺ
2. o
Create a table in the OE schema that holds sensitive customer payment information. Use
ilฺc Guid
the create_tables.sql script in the /home/oracle/labs/ENC directory to create and
a
g m ent
populate a table named OE.CUST_PAYMENT_INFO.
$ cd ~/labs/ENC
t i c a@ Stud
$ . oraenv a s h this
p r
ORACLE_SID = [dbsec]
f ap u? sorcle
The Oracle a (base remains
to unchanged with value /u01/app/oracle
i c
ht c/nolog e
ns @create_tables.sql
s
$ sqlplus
a e
li oe/oracle_4U@localhost:1521/orcl
rapSQL> connect
ur P Connected.
F lam
SQL> drop table cust_payment_info;
drop table cust_payment_info
*
ERROR at line 1:
SQL> create table cust_payment_info

2 (first_name varchar2(11),
3 last_name varchar2(10),
4 order_number number(5),
5 credit_card_number varchar2(20),
6 active_card varchar2(3));
Table created.

Chapter 7 - Page 12
SQL>
SQL> insert into cust_payment_info values
2 ('Jon', 'Oldfield', 10001, 5105105105105100,'YES');
1 row created.

2 ('Chris', 'White', 10002, 6011111111111117,'YES');
1 row created.
a ble
f e r
2 ('Alan', 'Squire', 10003, 378282246310005,'YES');
ans
n - t r
1 row created.
a no
h a s
SQL> insert into cust_payment_info values )
c o m ideฺ
ailฺ t Gu
2 ('Mike', 'Anderson', 10004, 6011000000000004,'YES');
m
g den
@
ica is Stu
1 row created.
s h t
SQL> insert into a p a e th
cust_payment_info values
( f p r u s
2 ('Annie',
i c a e to
'Schmidt', 10005, 4111111111111111,'YES');
a s htcreated.
c e ns
rap
1 row li
m ur P SQL> insert into cust_payment_info values
Fla 2 ('Elliott', 'Meyer', 10006, 4222222222222,'YES');
1 row created.

2 ('Celine', 'Smith', 10007, 343434343434343,'YES');
1 row created.

2 ('Steve', 'Haslam', 10008, 6011000990139424,'YES');
1 row created.

Chapter 7 - Page 13
2 ('Albert', 'Einstein', 10009, 5111111111111118,'YES');
1 row created.
SQL>
SQL> create index cust_payment_info_idx on
2 cust_payment_info (credit_card_number);
Index created.
SQL>
a ble
3. Select the data from the OE.CUST_PAYMENT_INFO table.
f e r
SQL> COLUMN first_name FORMAT A8 HEAD 'First'
ans
SQL> COLUMN order_number FORMAT 999999 hEAD "Order#" n - t r
o
SQL> SELECT *
s an
FROM oe.cust_payment_info
) ha
ORDER BY order_number;
c o m ideฺ
2 3
m ailฺ t Gu
@ g den
First LAST_NAME
i
Order#
t S tu
ca CREDIT_CARD_NUMBER ACT
-------- ---------- s
a h i s
-------h--------------------
t ---
Jon Oldfield p
ra u10001 e
s 5105105105105100 YES
( f p o
t 10002 6011111111111117
Chris
caWhite
Alan hti Squiren s e YES
a s c e 10003 378282246310005 YES
r apMike liAnderson 10004 6011000000000004 YES
mur P Annie Schmidt 10005 4111111111111111 YES
Fla
Elliott Meyer 10006 4222222222222 YES
Celine Smith 10007 343434343434343 YES
Steve Haslam 10008 6011000990139424 YES
Albert Einstein 10009 5111111111111118 YES
9 rows selected.
SQL>
4. Dump the data blocks to see the data as it is stored in the file. Do this as the SYS user.
a. Find the database address of the OE.CUST_PAYMENT_INFO table. The
$HOME/labs/ENC/dump_blocks.sql script executes the following:
SELECT file_id FROM dba_data_files
WHERE RELATIVE_FNO =
(SELECT distinct dbms_rowid.ROWID_RELATIVE_FNO(rowid) FILE#
FROM oe.cust_payment_info);

Chapter 7 - Page 14
SELECT distinct dbms_rowid.rowid_block_number(rowid) BLOCK#
FROM oe.cust_payment_info;
Execute the script and determine file# and block# for your table (these numbers vary).
SQL> @dump_blocks.sql
SQL> Set ECHO ON

SQL> connect sys/oracle_4U@localhost:1521/orcl.example.com as
sysdba
Connected.
SQL>
SQL> SELECT file_id FROM dba_data_files
2 WHERE RELATIVE_FNO =
a ble
3 (SELECT distinct dbms_rowid.ROWID_RELATIVE_FNO(rowid)
f e r
FILE#
ans
4 FROM oe.cust_payment_info);
n - t r
a no
FILE_ID
h a s
----------
m ) eฺ
o
ilฺc Guid
6
a
m ent
g
SQL>
t i c a@ Stud
a s h this
SQL> SELECT distinct dbms_rowid.rowid_block_number(rowid) BLOCK#
2 FROM
f p r ap use
oe.cust_payment_info;
a ( to
i c
ht cens
BLOCK# e
a s
----------
li
r ap 106756
m ur P SQL>
Fla b. Set the TRACEFILE_IDENTIFIER initialization parameter so that the trace file can be
found more easily by executing the following command:
ALTER SESSION SET TRACEFILE_IDENTIFIER=dp_block;
SQL> ALTER SESSION SET TRACEFILE_IDENTIFIER=dp_block;
Session altered.
SQL>
c. Dump the data block to a trace file. Substituting the file# and block# that you
recorded with the previous command, execute the following command:
ALTER SYSTEM DUMP DATAFILE <file#> BLOCK <block#>;
SQL> ALTER SYSTEM DUMP DATAFILE 6 BLOCK 106756;
System altered.

Chapter 7 - Page 15
SQL>
d. Find the trace file. In this listing, the block dump is in the
orcl_ora_<pid>_DP_BLOCK.trc file.
SQL> EXIT
$ find $ORACLE_BASE -name \*DP_BLOCK\*
/u01/app/oracle/diag/rdbms/orcl/orcl/trace/orcl_ora_14362_DP_BLO
CK.trc
CK.trm
$
e. View the dump file. The less utility enables you to scroll up and down the file to find
a ble
data of interest. Note that the credit card numbers are clearly visible. f e r
ans
$ less
n - t r
o
CK.trc
s an
) ha
/* Rows deleted */
c o m ideฺ
…
a ilฺ Gu
7FFB07A0EC80 2C31C102 41060501g7265626C m e n t69450874
[..1,...Albert.Ei]
t i c a@ Stud
7FFB07A0EC90 6574736EhC3046E69 is 100A0102 31313135
a s t h
[nstein......5111]
f p r ap u31313131
s e
7FFB07A0ECA0
a ( 31313131
t o 38313131 53455903
tic en0505012C
[111111111118.YES]
s h se
a p a
7FFB07A0ECB0
l i c 76657453 61480665 6D616C73
r [,...Steve.Haslam]
ur P 7FFB07A0ECC0 0102C304 30361009 30303131 30393930
F lam [......6011000990]
7FFB07A0ECD0 34393331 59033432 012C5345 65430605
[139424.YES,...Ce]
7FFB07A0ECE0 656E696C 696D5305 C3046874 0F080102
[line.Smith......]
7FFB07A0ECF0 34333433 34333433 34333433 03333433
[343434343434343.]
7FFB07A0ED00 2C534559 45070501 6F696C6C 4D057474
[YES,...Elliott.M]
7FFB07A0ED10 72657965 0102C304 32340D07 32323232
[eyer......422222]
7FFB07A0ED20 32323232 03323232 2C534559 41050501
[2222222.YES,...A]
/* Rows deleted */
…

Chapter 7 - Page 16
Block header dump: 0x01000198
…
q – to exit less
$
5. Alter the table to encrypt the credit card numbers with NO SALT.
$ sqlplus oe
SQL*Plus: Release 12.1.0.1.0 Production on Wed Aug 7 03:06:00

2013

a ble
f e r
ans
Connected.
n - t r
SQL> desc cust_payment_info
a no
Name Null? Type
h a s
----------------------- -------- m ) eฺ
------------------------
o
FIRST_NAME
a ilฺc Guid
VARCHAR2(11)
LAST_NAME g e t
m VARCHAR2(10)
n
ORDER_NUMBER
c d
a@ StuNUMBER(5)
t i
h this VARCHAR2(20)
CREDIT_CARD_NUMBER
a s
ACTIVE_CARD
f p r ap use VARCHAR2(3)
a ( to
i c
t eTABLE
hMODIFY
SQL> ALTER e
ns cust_payment_info
a s li c
rap (CREDIT_CARD_NUMBER encrypt no salt);
ur P
2
m
Fla
Table altered.
SQL>
6. Dump the data block and find the trace file. Change TRACEFILE_IDENTIFIER to DUMP2.
Use the $HOME/labs/ENC/dump_blocks.sql script to find the data block address.
SQL> @$HOME/labs/ENC/dump_blocks.sql
Connected.
SQL>
FILE#

Chapter 7 - Page 17
FILE_ID
----------
2
SQL>
2 FROM oe.cust_payment_info;
BLOCK#
----------
41389
a ble
f e r
sysdba
ans
Connected.
n - t r
o
an
SQL>
ha s
2 WHERE RELATIVE_FNO = )
m ideฺ
c o
ailฺ t Gu
FILE#
m
g den
4 FROM
@
oe.cust_payment_info);
h t ica is Stu
FILE_ID
p a s th
---------- fpr a us e
( t o
h t ica6 nse
p a s lice
ra SQL>
ur P SQL> SELECT distinct dbms_rowid.rowid_block_number(rowid) BLOCK#
F lam 2 FROM oe.cust_payment_info;
BLOCK#
----------
106756
SQL>
7. Set the TRACEFILE_IDENTIFIER initialization parameter so that the trace file can be
found more easily.
a. Use ALTER SESSION SET TRACEFILE_IDENTIFIER=DUMP2;
SQL> ALTER SESSION SET TRACEFILE_IDENTIFIER=DUMP2;
Session altered.

Chapter 7 - Page 18
SQL>
b. As the SYS user, dump the data block to a trace file. Substituting the file# and
block# that you recorded with the previous command, execute the following
command:
ALTER SYSTEM DUMP DATAFILE <file#> BLOCK <block#>;
System altered.
SQL> EXIT
$
c. Find the trace file.
a ble
$ find $ORACLE_BASE -name \*DUMP2\*
f e r
/u01/app/oracle/diag/rdbms/orcl/orcl/trace/orcl_ora_15151_DUMP2.
ans
trc
n - t r
a no
trm
h a s
$
m ) eฺ
d. View the trace file. Note that the unencrypted data o uid
lฺcremains.
a i G
$ less
g m ent
trc t i a@ Stud
c
a s h this
…
f p r ap use
a ( 0301002Cto
h t i c
7AA470 39141603
n s e 053202C1 6E780700 [...9,.....2...xn]
p a s 05160302
7AA480
l i c e 0605012C 65626C41 45087472 [....,...Albert.E]
P ra 7AA490 74736E69 046E6965 0A0102C3 3031330F [instein...... 511]
u r 7AA4A0 33343536 31343530 39383332 53455903 [1111111111118.YES]
m
Fla 7AA4B0
7AA4C0
0505012C
0102C304
76657453
34330F09
61480665
35373930
6D616C73
33303039
[,...Steve.Haslam]
[......60110009901]
7AA4D0 35383637 45590338 05012C53 6C654306 [39424.YES,...Cel]
7AA4E0 05656E69 74696D53 02C30468 340D0801 [ine.Smith......34]
7AA4F0 38363137 33353839 36333033 53455903 [3434343434343.YES]
7AA500 0705012C 696C6C45 0574746F 6579654D [,...Elliott.Meye]
7AA510 02C30472 330F0701 36333437 39393536 [r...... 4222222]
7AA520 38313137 59033032 012C5345 6E410505 [222222.YES,...An]
7AA530 0765696E 6D686353 04746469 060102C3 [nie.Schmidt.....]
7AA540 35353410 38383936 32383037 30393633 [.411111111111111]
7AA550 45590332 05012C53 6B694D04 6E410865 [1.YES,...Mike.An]
7AA560 73726564 C3046E6F 10050102 39323934 [derson...... 6011]
7AA570 35393838 35333637 30303437 53455903 [000000000004.YES]
7AA580 0405012C 6E616C41 75715306 04657269 [,...Alan.Squire.]
7AA590 040102C3 39353510 38363935 37333439 [.....3782822463]

Chapter 7 - Page 19
7AA5A0 32393735 45590330 05012C53 72684305 [10005.YES,...Chr]
7AA5B0 57057369 65746968 0102C304 31351003 [is.White......60]
7AA5C0 35333232 36343038 35323830 59033036 [11111111111117.Y]
7AA5D0 012C5345 6F4A0305 6C4F086E 65696664 [ES,...Jon.Oldfie]
7AA5E0 C304646C 10020102 36343435 37393539 [ld...... 51051051]
7AA5F0 31383830 35383932 53455903 50870601 [05105100.YES...P]

…
q /* to exit less */
$
8. Move the OE.CUST_PAYMENT_INFO table. This causes the valid data to be written to new
blocks. It also makes the index unusable, so you must rebuild the index.
$ sqlplus oe
a ble
f e r
Connected to:
ans
n - t r
64bit Production
a no
a
h s
m ) eฺ
o
ilฺc Guid
SQL> alter table oe.cust_payment_info move;
a
m ent
g
Table altered.
t i c a@ Stud
a s h table_name,
t h is
SQL> select index_name,
a p e status
from
( f pr to us
user_indexes
h t ica table_name
where
n s e ='CUST_PAYMENT_INFO';
2 as 3 c e
p
a INDEX_NAMEl i
r
ur P
TABLE_NAME STATUS
---------------------- ----------------------- --------
m
Fla CUST_PAYMENT_INFO_IDX CUST_PAYMENT_INFO UNUSABLE
SQL> ALTER INDEX CUST_PAYMENT_INFO_IDX REBUILD;
Index altered.
SQL> select index_name, table_name, status

from user_indexes
where table_name = 'CUST_PAYMENT_INFO';
2 3
INDEX_NAME TABLE_NAME STATUS
--------------------- -------------------------- --------
CUST_PAYMENT_INFO_IDX CUST_PAYMENT_INFO VALID
SQL>

Chapter 7 - Page 20
9. Find the new block location. Dump the block and view it. Are the credit card numbers
visible?
SQL> @$HOME/labs/ENC/dump_blocks.sql
sysdba
Connected.
SQL>
FILE#
a ble
FILE_ID
f e r
ans
----------
n - t r
no
6
s a
SQL> h a
) eฺ
o m
uid
oe.cust_payment_info; ailฺ
c
2 FROM
m ent G
g
BLOCK#
t i c a@ Stud
---------- a s h this
106771
f p r ap use
a ( to
i c
t eSESSION
hALTER e
ns SET TRACEFILE_IDENTIFIER=DUMP3;
SQL>
a s li c
rap
ur P Session altered.
F lam
System altered.
SQL> EXIT
$
$ less /u01/app/oracle/diag/rdbms/orcl/orcl/trace/*_DUMP3.trc
…
7F22A1979B60 00000000 00000000 002C0000 6C410605
[..........,...Al]
7F22A1979B70 74726562 6E694508 69657473 02C3046E
[bert.Einstein...]
7F22A1979B80 D2340A01 7C4E41DD A2201C77 A3686758
[..4..AN|w. .Xgh.]

Chapter 7 - Page 21
7F22A1979B90 59C446BE BD32D4AF 4A70A2D0 7D3E2854
[.F.Y..2...pJT(>}]
7F22A1979BA0 3B03F32E 84C8EA22 3CDE2BD7 D867BCC0
[...;"....+.<..g.]
7F22A1979BB0 BF1DBF54 03EA3B90 2C534559 53050500
[T....;..YES,...S]
7F22A1979BC0 65766574 73614806 046D616C 090102C3

[teve.Haslam.....]
7F22A1979BD0 1B08CD34 6AC8446C B1A563A2 5823C635
[4...lD.j.c..5.#X]
…
q /* to exit less */
$
a ble
10. Create the LSMITH, LDORAN, and JKING users by using the
f e r
/home/oracle/labs/ENC/create_users.sql script. Grant each of them the CREATE
ans
SESSION privilege and grant DBA to LSMITH. Only SYS and SYSTEM have the privileges
n - t r
required to grant the DBA role.
a no
$ cd /home/oracle/labs/ENC
h a s
$ sqlplus /nolog @$HOME/labs/ENC/create_users.sql
m ) eฺ
l o
ฺc Guid
a i
g m enton Thu May 30 01:39:57
2013
t i c a@ Stud
a s h tOracle.
h is
Copyright (c) 1982,
a p 2013,
e All rights reserved.
( f pr to us
t ica nssystem/oracle_4U@localhost:1521/orcl
SQL> connect
h e
a s
Connected.
lic e
rapSQL>
m ur P SQL> grant create session to JKING identified by oracle_4U;
Fla
Grant succeeded.
SQL> grant create session, DBA to LSMITH identified by

oracle_4U;
Grant succeeded.
SQL> grant create session to LDORAN identified by oracle_4U;
Grant succeeded.
SQL>

Chapter 7 - Page 22
11. Grant privileges to the users on the OE.CUST_PAYMENT_INFO table. Grant the SELECT
privilege to LDORAN and JKING. Grant SELECT and UPDATE privileges to LSMITH. Use the
privs.sql script.
SQL> @$HOME/labs/ENC/privs
SQL> CONNECT OE/oracle_4U@localhost:1521/orcl
Connected.
SQL>
SQL> grant select on oe.CUST_PAYMENT_INFO to LDORAN;
Grant succeeded.
SQL> grant select, update on oe.CUST_PAYMENT_INFO to LSMITH;

a ble
f e r
Grant succeeded.
ans
n - t r
SQL> grant select on oe.CUST_PAYMENT_INFO to JKING;
a no
h a s
Grant succeeded.
m ) eฺ
o
a ilฺc Guid
SQL>
g m ent
12. Is an index range scan possible on an a
t i c @ overtan
index
S udencrypted column? As the LSMITH
user, update a record based on the
update statement. Use the p a sh script.
scan.sql
credit
t h
card
i s number. View the explain plan for the
r a s e
The lab script uses
a (fp the WHERE
t o u clause, where
h
scansof
ic indexnissperformed.
tthe e
CREDIT_CARD_NUMBER='6011111111111117' to select the row to update. A range
p
in a
both the l i c
column
e and the index; the literal value is encrypted
The credit card number is stored as an encrypted value
before it is compared.
r a
u r P The value is found in the index by using a range scan. The range scan is possible only
m when an equality predicate is used.
Fla SQL> @$HOME/labs/ENC/scan.sql
SQL> SET ECHO ON
SQL> conn LSMITH/oracle_4U@localhost:1521/orcl
Connected.
SQL> update oe.CUST_PAYMENT_INFO set ACTIVE_CARD='NO'
2 where CREDIT_CARD_NUMBER='6011111111111117';
1 row updated.
SQL>
SQL> PAUSE 'HIT Return to show execution plan'
'HIT Return to show execution plan'
SQL> Set pagesize 100

Chapter 7 - Page 23
SQL> Set linesize 70
SQL> select * from table (dbms_xplan.display_cursor);
PLAN_TABLE_OUTPUT
----------------------------------------------------------------
-
SQL_ID 19g90uxc66plt, child number 0
-------------------------------------
update oe.CUST_PAYMENT_INFO set ACTIVE_CARD='NO' where
CREDIT_CARD_NUMBER='6011111111111117'
Plan hash value: 2780468320

----------------------------------------------------------------
a ble
f e r
-
ans
| Id | Operation | Name | Rows | Bytes | Co
n - t r
st (%CPU)| Time | o
s an
----------------------------------------------------------------
-
) ha
| 0 | UPDATE STATEMENT |
c o m ideฺ
| | |
2 (100)| |
m ailฺ t Gu
| 1 | UPDATE
@ g den
| CUST_PAYMENT_INFO | | |
| |
h t ica is Stu
|* 2 | a s th
INDEX RANGE SCAN| CUST_PAYMENT_INFO_IDX | 1 |
p 49
| a
pr to us e
( f
ica nse
1 (0)| 00:00:01 |
h t
s licInformation
e
a p a
Predicate (identified by operation id):
r
mur P ---------------------------------------------------
Fla 2 - access("CREDIT_CARD_NUMBER"='6011111111111117')
Note
-----
- dynamic statistics used: dynamic sampling (level=2)
24 rows selected.
SQL> EXIT;
$
13. Transparent data encryption is not visible to the end user. No changes are required to the
application or SQL syntax. Any user that has been granted privileges to access the table or
column can view the data in its unencrypted form. As the LDORAN user, select the

Chapter 7 - Page 24
LAST_NAME and CREDIT_CARD_NUMBER columns from the OE.CUST_PAYMENT_INFO
table.
$ sqlplus ldoran@orcl
Enter password : ******
Connected to:

64bit Production
SQL> select last_name, credit_card_number

from oe.cust_payment_info;
2
a ble
LAST_NAME CREDIT_CARD_NUMBER f e r
ans
---------- --------------------
n - t r
Oldfield 5105105105105100 o
White 6011111111111117
s an
Squire 378282246310005
) ha
Anderson 6011000000000004
c o m ideฺ
Schmidt 4111111111111111
m ailฺ t Gu
Meyer 4222222222222
@ g den
Smith 343434343434343
h t ica is Stu
Haslam a s
6011000990139424
p th
a
pr to us e
Einstein
f
5111111111111118
(
h t ca nse
iselected.
p a s lice
9 rows
ra
ur P SQL>
F lam 14. What should you do when the keystore is not available? Close the keystore.
SQL> CONNECT / as syskm
Connected.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE

2
keystore altered.
SQL>
15. Connect as the LSMITH user with the password oracle_4U. Attempt to select all columns
from the OE.CUST_PAYMENT_INFO table. Then, attempt to select only the LAST_NAME
column.
SQL> connect lsmith@orcl

Chapter 7 - Page 25
Connected.
SQL> select * from oe.cust_payment_info;
select * from oe.cust_payment_info
*
ERROR at line 1:
ORA-28365: wallet is not open
SQL> select last_name from oe.cust_payment_info;
LAST_NAME
----------
Oldfield
a ble
White
f e r
Squire
ans
Anderson
n - t r
o
Schmidt
s an
Meyer
) ha
Smith
c o m ideฺ
ailฺ t Gu
Haslam
Einstein m
g den
@
h t ica is Stu
9 rows selected.
p a s th
a
pr to us e
SQL> ( f
16. As the userh t
whoicahas been
n segranted the SYSKM privilege, open the keystore.
s
a connect
pSQL> e
lic / as syskm
r a
mur P Connected.
Fla
2
keystore altered.
SQL>
17. Connect again as the LSMITH user with the password oracle_4U. Attempt to select all the
columns from the OE.CUST_PAYMENT_INFO table.
SQL> connect lsmith@orcl
Connected.
SQL> select * from oe.cust_payment_info;
FIRST_NAME LAST_NAME ORDER_NUMBER CREDIT_CARD_NUMBER ACT

----------- ---------- ------------ -------------------- ---

Chapter 7 - Page 26
Jon Oldfield 10001 5105105105105100 YES
Chris White 10002 6011111111111117 NO
Alan Squire 10003 378282246310005 YES
Mike Anderson 10004 6011000000000004 YES
Annie Schmidt 10005 4111111111111111 YES
Elliott Meyer 10006 4222222222222 YES

Celine Smith 10007 343434343434343 YES
Steve Haslam 10008 6011000990139424 YES
Albert Einstein 10009 5111111111111118 YES
9 rows selected.
SQL>
a ble
18. Drop the OE.CUST_PAYMENT_INFO table and re-create it with SALT. Then, create an index
f e r
on the encrypted column CREDIT_CARD_NUMBER. Use the salt.sql script. What
ans
happens when the create index command is issued?
n - t r
n
Execute the salt.sql script. An index cannot be created on a column with SALT. o
s a
SQL> @$HOME/labs/ENC/salt.sql
) ha
SQL> connect oe/oracle_4U@localhost:1521/orcl
c o m ideฺ
Connected.
m ailฺ t Gu
g den
SQL> SQL> drop table cust_payment_info;
@
h t ica is Stu
Table dropped.
p a s th
a e
pr tcust_payment_info
us
SQL> create(ftable o
ca nse varchar2(11),
2 hti(first_name
p a
3
s last_name
l i c e varchar2(10),
ra
ur P
m
Fla
5 credit_card_number varchar2(20) encrypt SALT,
Table created.
SQL>
2 ('Jon', 'Oldfield', 10001, 5446959708812985,'YES');
1 row created.

2 ('Chris', 'White', 10002, 5122358046082560,'YES');
1 row created.

Chapter 7 - Page 27
2 ('Alan', 'Squire', 10003, 5595968943757920,'YES');
1 row created.

2 ('Mike', 'Anderson', 10004, 4929889576357400,'YES');
1 row created.

a ble
2 ('Annie', 'Schmidt', 10005, 4556988708236902,'YES');
f e r
ans
1 row created.
n - t r
a no
h a s
2
m ) eฺ
('Elliott', 'Meyer', 10006, 374366599711820,'YES');
o
a ilฺc Guid
1 row created.
g m ent
t i c a@ Stud
s h this
SQL> insert into cust_payment_info
a
values
2 ('Celine',
f p r ap'Smith',
u s e 10007, 4716898533036,'YES');
i c a ( se to
1 row tcreated.
p a sh licen
ra
ur P
m 2 ('Steve', 'Haslam', 10008, 340975900376858,'YES');
Fla
1 row created.

1 row created.
SQL> create index cust_payment_info_idx

2 on cust_payment_info (credit_card_number);
on cust_payment_info (credit_card_number)
*
ERROR at line 2:
ORA-28338: Column(s) cannot be both indexed and encrypted with
salt

Chapter 7 - Page 28
SQL> exit
$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 7 - Page 29
Practice 7-3: Implementing Tablespace Encryption
Overview
In this practice, you create an encrypted tablespace and move several tables and the
associated indexes to the encrypted tablespace.
Tasks
1. Ensure you have logged in to the db1 machine using the ssh X forwarding capability to
allow the browser to appear properly. If you have not done so, exit the db1 machine and
access it using Secure Shell with the –X option.
logout
a ble
f e r
ans
n - t r
no
Last login: Wed Dec 14 08:39:50 2016 from 192.0.2.1
[oracle@db1 ~]$
s a
2. Create an encrypted tablespace named ENCTBS, with a file enctbs01.dbf,h
) eฺ a in the same
directory with the rest of the data files: m
coUse theuitablespace.sql
d
/u01/app/oracle/oradata/orcl/enctbs01.dbf.
a i l ฺ G script
to create the encrypted tablespace. m
g den t
c @
a Stu
$ . oraenv
h t i
? orcl is
ORACLE_SID = [oracle]
p a s th to /u01/app/oracle
The Oracle base a
pr to us
has been e set
$ sqlplus /(fas sysdba
h t ica nse
p a s licto: e
P ra Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 -
Connected
r
mu 64bit Production
Fla With the Partitioning, Oracle Label Security, OLAP, Advanced
SQL> @$HOME/labs/ENC/tablespace.sql
SQL> SET ECHO ON
SQL>
SQL> DROP TABLESPACE "ENCTBS"
2 INCLUDING CONTENTS AND DATAFILES
3 /
DROP TABLESPACE "ENCTBS"
*
ERROR at line 1:
ORA-00959: tablespace 'ENCTBS' does not exist

Chapter 7 - Page 30
SQL>
SQL> CREATE TABLESPACE "ENCTBS"
2 DATAFILE '/u01/app/oracle/oradata/orcl/enctbs01.dbf' SIZE
100M
3 EXTENT MANAGEMENT LOCAL
4 SEGMENT SPACE MANAGEMENT AUTO

5 DEFAULT STORAGE (ENCRYPT)
6 ENCRYPTION USING 'AES192'
7 /
Tablespace created.
SQL>
3. Ensure the user dbsnmp is unlocked with a recognizable password to assist registering with a ble
f e r
Oracle Enterprise Manager Cloud Control.
ans
SQL> alter user dbsnmp account unlock identified by oracle_4U;
n - t r
a no
User altered.
h a s
m ) eฺ
o
lฺc Guid
SQL> exit
a i
Disconnected from Oracle Database
g t
m 12cenEnterprise Edition Release
tud Analytics and Real

a@Advanced
With the Partitioning, tOLAP, i c
h this S
a s
ap use
$
f p r
(databasetas
c a e o a target in Enterprise Manager Cloud Control. These are
i
4. Discover the orcl
ht ascinenLesson
the samessteps
s 3.
a a
p Pageli
P r Step Action
r
mu a. Browser Enter the following URL:
Fla https://em13.example.com:7802/em
Log in as sysman with password oracle_4U
b. ‘home’ Click Setup, then click Add Target, then click Add Targets
Manually.
b. Add Targets Click Add Using Guided Process.
Manually
c. Add Using Select Oracle Database, Listener, and Automatic Storage,
Guided then click Add…
Process pop-
up
d. Database Use the Search capability to select db1.example.com host and
Discovery: click Next.
Search
Criteria

Chapter 7 - Page 31
e. Database Select orcl.example.com, enter oracle_4U as the Monitor
Discovery: Password for the database, and click Test Connection. If the
Results test was successful, dismiss the dialog box and click Next.
f. Database Verify the values and click Save.
Discovery:
Review
g. Add Targets Click Targets menu item, click Databases.

Manually
5. Move the HR schema to ENCTBS using Enterprise Manager Cloud Control.
Step Page Action
a. Browser Enter the following URL:
https://em13.example.com:7802/em
a ble
Log in as sysman with password oracle_4U
f e r
ans
b. Enterprise Click Targets, then click Databases. Select orcl and
n - t r
Summary click.
a no
c. orcl.example.com s Objects, then
Click the Schema tab, then click Database
click Reorganize Objects. ) ha
o e ฺ
m idoracle_4U,
d. Database Login Enter Username SYS, c
ilฺ thisGandu Set As Preferred
Password select Role
SYSDBA, optionally asave t
m eDatabase
Credentials@ tudg
SYSDBA n Credentials.
i c a S
a s ht Login.
Click
t h i s
e. Reorganize ap Select e Schema Objects.
r
(fp to Click
Objects: Type s
u Next.
a
tic ense Click Add.
f.
s h
Reorganize
apa Objects:
r g. licObjects
mur P Objects: Add Enter HR as the schema.
Fla
Click Search.
h. Objects: Add Click Select All.
Click Next 10.
Click Select All.
Click Next 5.
Click Select All.
Click OK.
i. Reorganize You should see 23 objects (only 10 will be displayed at a
Objects: Objects. time).
Click Set Attributes By Type.
j. Objects: Set In the Destination Tablespace for the Tables section, select
Attributes By Type “Relocate objects to another tablespace” and enter
ENCTBS.
In the Destination Tablespace for the Indexes section,
select “Relocate objects to another tablespace” and

Chapter 7 - Page 32
enter ENCTBS.
Click OK.
k. Reorganize Click Next.
Objects: Objects
l. Reorganize Accept the defaults.
Objects: Options Click Next.

m. Reorganize Check the report message.
Objects: Impact Click Next.
Report.
n. Reorganize Click New for the host credentials. Set UserName oracle,
Objects: Schedule Password oracle, Confirm Password oracle, change
the Save As string to CREDOS, select Set As Preferred
a ble
Credentials. Optionally click Test.
f e r
Click Next.
ans
o. Reorganize Click Submit job. n - t r
Objects: Review
a no
p. Confirmation Click REORGANIZE_*. h a s
m ) eฺ
q. Execution: Click the Refresh button o
of the
uid periodically until all
ฺc GSucceeded.
browser
REORGANIZE_* the job steps showaailstatus of
gmto reade n t
Execution: Click Log@
c a Report
t u d commands executed by the job.
all
REORGANIZE_*
h t
Click i Done.
i s S
r. On the Job Run:… a s
p Click t h
Logout.
r a s e
page
a (fp to Close u the browser.
6. Connect as HR,
s h ticandedescribe
n se and view the EMPLOYEES table. The encrypted tablespace,
r a p$ asqlplus
including lic is completely transparent to the applications.
the indexes,
ur P
/NOLOG
m
Fla SQL*Plus: Release 12.1.0.2.0 Production on Sun Jan 22 13:32:33
2017
SQL> CONNECT hr@orcl

Connected.
SQL> desc employees

Name Null? Type
------------------------------------ -------- ----------
EMPLOYEE_ID NUMBER(6)
FIRST_NAME VARCHAR2(20)
LAST_NAME NOT NULL VARCHAR2(25)

Chapter 7 - Page 33
EMAIL NOT NULL VARCHAR2(25)
PHONE_NUMBER VARCHAR2(20)
HIRE_DATE NOT NULL DATE
JOB_ID NOT NULL VARCHAR2(10)
SALARY NUMBER(8,2)
COMMISSION_PCT NUMBER(2,2)
MANAGER_ID NUMBER(6)
DEPARTMENT_ID NUMBER(4)
SQL> SELECT * FROM employees

2
a ble
EMPLOYEE_ID FIRST_NAME LAST_NAME
f e r
----------- -------------------- -------------------------
ans
EMAIL PHONE_NUMBER HIRE_DATE JOB_ID
n - t r
o
an
SALARY
ha s
------------------------- -------------------- --------- -------
--- ---------- )
m ideฺ
COMMISSION_PCT MANAGER_ID DEPARTMENT_ID
c o
ailฺ t Gu
-------------- ---------- -------------
m
106 Valli
@ g den
Pataballa
VPATABAL
h t ica is Stu
590.423.4560 05-FEB-98 IT_PROG
4800
p a s th
a
pr to us103 e 60
( f
h t ica nse
p a s lice
ra SQL> SELECT tablespace_name FROM user_segments
ur P WHERE segment_name='EMPLOYEES';
F lam 2
TABLESPACE_NAME
------------------------------
ENCTBS
SQL> EXIT
$
7. Clean up the environment by moving the HR schema back into the EXAMPLE tablespace.
Note: This script was generated by the Reorganize Objects wizard in Enterprise Manager
Cloud Control to move back all HR objects to the EXAMPLE tablespace.
$ $HOME/labs/ENC/back_to_example_tbs.sh
sqlplus sys/oracle_4U@localhost:1521/orcl as sysdba
@$HOME/labs/ENC/back_to_example_tbs.sql

Chapter 7 - Page 34
SQL*Plus: Release 12.1.0.2.0 Production on Sun Jul 7 15:18:26
2013

Connected to:
64bit Production
Analytics
b le
Disconnected from Oracle Database 12c Enterprise Edition Releaseera
a n sf
With the Partitioning, Oracle Label Security, OLAP, Advanced n - tr
Analytics
a no
h a s
$ m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla

Chapter 7 - Page 35
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 7 - Page 36
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 8:
o id
Applying
a ilฺc File
G uEncryption
g m ent
c a @ tu8 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
r ap
mur P
Fla
Practices for Lesson 8: Applying File Encryption

Chapter 8 - Page 1
Practice 8-1: Using RMAN Backup File Encryption
Overview
Recovery Manager (RMAN) backups to disk can be encrypted.
Assumptions
This practice is performed on the db1 host using the orcl and dbsec database instances. The
keystore wallet has been created as described in Practice 7-1.
Task
1. Configure Recovery Manager (RMAN) to use transparent encryption for the orcl
database. Set the configuration to be a permanent configuration in the control file.
$ . oraenv
a ble
f e r
ans
n - t r
a no
h a s
target database Password: ******
m ) eฺ
o
ilฺc Guid
connected to target database: ORCL (DBID=1345659572)
a
m ent
g
RMAN> select user from dual;
t i c a@ Stud
a s hcontrol
t h isfile instead of recovery catalog
using target database
f p r ap use
USER
a ( to
i c
ht cens e
------------------------------
a s
SYSBACKUP
li
r ap
m ur P RMAN> show all;
Fla
RMAN configuration parameters for database with db_unique_name
ORCL are:
CONFIGURE RETENTION POLICY TO REDUNDANCY 1; # default
CONFIGURE BACKUP OPTIMIZATION OFF; # default
CONFIGURE DEFAULT DEVICE TYPE TO DISK; # default
CONFIGURE CONTROLFILE AUTOBACKUP OFF; # default
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO
'%F'; # default
CONFIGURE DEVICE TYPE DISK PARALLELISM 1 BACKUP TYPE TO
BACKUPSET; # default
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1; #
default
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1; #
default
CONFIGURE MAXSETSIZE TO UNLIMITED; # default

Chapter 8 - Page 2
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
CONFIGURE COMPRESSION ALGORITHM 'BASIC' AS OF RELEASE 'DEFAULT'
OPTIMIZE FOR LOAD TRUE ; # default
CONFIGURE RMAN OUTPUT TO KEEP FOR 7 DAYS; # default
CONFIGURE ARCHIVELOG DELETION POLICY TO NONE; # default

CONFIGURE SNAPSHOT CONTROLFILE NAME TO
'/u01/app/oracle/product/12.1.0/dbhome_1/dbs/snapcf_orcl.f'; #
default
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters:

a ble
CONFIGURE ENCRYPTION FOR DATABASE ON;
f e r
ans
new RMAN configuration parameters are successfully stored
n - t r
RMAN> EXIT a no
$ h a s
m ) eฺ
o
2. Back up the USERS tablespace by using transparent encryption.
uid is not possible.
lฺconlineGbackup
Note: The database is in NOARCHIVELOG mode, so a ian
g m ent
a@ Stud
a. Create a directory to hold the backups.
$ mkdir $HOME/backup tic
a s h this
$ p se
f pra toanduissue
b. Shut down the (database startup mount to perform a cold backup.
a
tic /eas e
ssysdba
h
$ sqlplus
s n
r a pa lic
u r P Connected to:
m
Fla
64bit Production
database closed
database dismounted
Oracle instance shut down
SQL> STARTUP MOUNT
Total System Global Area 501059584 bytes


Chapter 8 - Page 3
Database mounted.
SQL> EXIT
$
c. Use the RMAN BACKUP command to make a backup to
/home/oracle/backup/USERS001.bck. Set tag = transparent so that it can be
specified in the restore command.

Recovery Manager: Release 12.1.0.2.0 - Production on Wed Dec 14

11:02:39 2016

rights reserved.
a ble
f e r
ans
target database Password: *******
n - t r
connected to target database: ORCL (DBID=1454032016, not open)
a no
h a s
RMAN> backup tablespace users
m ) eฺ
o
format '/home/oracle/backup/users001.bck'
a ilฺc Guid
tag 'transparent';
g m ent
2> 3>
t i c a@ Stud
Starting backup at 14-DEC-16
a s hcontrol
t h isfile instead of recovery catalog
using target database
f p r ap ORA_DISK_1
u s e
a (
allocated channel:
channelicORA_DISK_1: to SID=7 device type=DISK
ht ORA_DISK_1:
ns e
p a s
channel
l i c e starting full datafile backup set
r a channel ORA_DISK_1: specifying datafile(s) in backup set
m ur P input datafile file number=00006
Fla name=/u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: starting piece 1 at 14-DEC-16
RMAN-00571:
===========================================================
===============
RMAN-00571:
===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at
12/14/2016 11:02:58
ORA-19914: unable to encrypt backup
RMAN> exit
Recovery Manager complete.


Chapter 8 - Page 4
$
d. Open the keystore.
$ sqlplus / as SYSKM
SQL*Plus: Release 12.1.0.2.0 Production on Wed Dec 14 11:07:00

2016
Connected to:
a ble
64bit Production
f e r
ans
n - t r
a no
h a s
) eฺ
m
o
2
a ilฺc Guid
keystore altered.
g m ent
t i c a@ Stud
SQL> EXIT
a s h this
$
f p r ap use
a ( s'"john@orcl
e. Perform the backup
c
$ rmantitarget e to
s h e n AS SYSBACKUP"'
r a pa lic
ur P 11:08:32 2016
m
Fla
rights reserved.
target database Password:


tag 'transparent';
2> 3>
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=21 device type=DISK

Chapter 8 - Page 5
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006
name=/u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: finished piece 1 at 14-DEC-16

piece handle=/home/oracle/backup/users001.bck tag=TRANSPARENT
comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:25
Finished backup at 14-DEC-16
RMAN>
f. List the encrypted backups. a ble
f e r
RMAN> SELECT tag, encrypted FROM v$backup_piece;
ans
n - t r
TAG ENC
a no
-------------------------------- ---
h a s
TRANSPARENT YES
m ) eฺ
o
lฺc Guid
a i
RMAN>
g m ent
t i c ud to
a@ Stencryption
3. Back up the USERS tablespace using dual-mode
/home/oracle/backup/users002.bck.
a h thisSet tag = dual so that it can be specified in
sencryption
the restore command. Topset e mode and password, use the following
r a s
command:
a (fp ON tIDENTIFIED
o u
t ic nse
SET ENCRYPTION
h
BY "oracle1";
a. Set
p a sencryption
l i c emode and password.
P ra RMAN> SET ENCRYPTION ON IDENTIFIED BY "oracle1";
r
mu
Fla executing command: SET encryption
RMAN>
b. Use the RMAN BACKUP command to make a backup to
/home/oracle/backup/USERS002.bck.
tag 'dual';
2> 3>
using channel ORA_DISK_1

Chapter 8 - Page 6
piece handle=/home/oracle/backup/users002.bck tag=DUAL
comment=NONE
TAG ENC
-------------------------------- ---
TRANSPARENT YES
DUAL YES a ble
f e r
ans
RMAN>
n - t r
o
4. Back up the USERS tablespace using password encryption to
s an
/home/oracle/backup/USERS003.bck. Set tag = password so that it can be
) ha
specified in the restore command. To set encryption mode and password, use the
following command: c o m ideฺ
ailฺ t Gu
SET ENCRYPTION ON IDENTIFIED BY "password1" only;
m
a. Set the password for encryption. @ g den
h t ica is Stu
RMAN> set encryption on identified by "password1" only;
p a s th
a e
pr toSETusencryption
( f
executing command:
h t ica nse
a s lice
RMAN>
p
Pb.r a Use the RMAN BACKUP command to make a backup to
u r
m /home/oracle/backup/USERS003.bck.
Fla RMAN> backup tablespace USERS
format '/home/oracle/backup/USERS003.bck'
tag 'password';
2> 3>
piece handle=/home/oracle/backup/USERS003.bck tag=PASSWORD
comment=NONE

Chapter 8 - Page 7
TAG ENC
-------------------------------- ---
TRANSPARENT YES
DUAL YES
PASSWORD YES
RMAN> EXIT
$
a ble
5. Close the keystore. f e r
ans
n - t r
a no
h a s
2016
m ) eฺ
o uidreserved.
lฺc rights
Copyright (c) 1982, 2014, Oracle. aiAll G
g m ent
t i c a@ Stud
Connected to: a s h this
r p Enterprise
a12c s e
Oracle Database
( f p t o u Edition Release 12.1.0.2.0 -
icaPartitioning,
64bit Production
s t
With hthe
e n se OLAP, Advanced Analytics and Real
a p a
Applicationl i c Testing options
r
ur P
m
Fla
2
keystore altered.
SQL> EXIT
$
6. In another terminal session, remove the USERS tablespace file.
$ . oraenv
$ sqlplus / AS SYSDBA

2016

Chapter 8 - Page 8
Connected to:
64bit Production
SQL> SELECT name FROM v$datafile;
NAME
---------------------------------------------------------------
a ble
f e r
/u01/app/oracle/oradata/orcl/system01.dbf
ans
/u01/app/oracle/oradata/orcl/users01.dbf
n - t r
/u01/app/oracle/oradata/orcl/sysaux01.dbf
a no
/u01/app/oracle/oradata/orcl/undotbs01.dbf
h a s
/u01/app/oracle/oradata/orcl/enctbs01.dbf
m ) eฺ
o
ilฺc Guid
a
m ent
g
a@ Stud
6 rows selected.
t i c
h this
a s
ap use
SQL> EXIT
f p r
$ rm /u01/app/oracle/oradata/orcl/users01.dbf
(
$
i c a e to
t ens
a
7. Attempt toh
s restorei cthe USERS tablespace by using the backup made with transparent
ra p
encryption.
l
Why does it fail?
r P
u Attempt to restore the backup with the transparent tag. The keystore is closed. As a
m
Fla result, the encryption key is not available.

11:18:00 2016

rights reserved.
target database Password:

RMAN> restore tablespace USERS from tag transparent;
Starting restore at 14-DEC-16

Chapter 8 - Page 9
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=7 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore

channel ORA_DISK_1: specifying datafile(s) to restore from

backup set
channel ORA_DISK_1: restoring datafile 00006 to
channel ORA_DISK_1: reading from backup piece
/home/oracle/backup/users001.bck
RMAN-00571:
===========================================================
a ble
f e r
===============
ans
RMAN-00571:
n - t r
===========================================================
a no
a s
RMAN-03002: failure of restore command at 12/14/2016 11:18:59
h
ORA-19870: error while restoring backup piece
m ) eฺ
o
ilฺc Guid
ORA-19913: unable to decrypt backup a
m ent
g
t i c a@ Stud
a s h this
RMAN> p se
f pra tobyuusing
8. Restore the USERS(tablespace password encryption.
The restore froma
tic the e
sneeded.
password-only backup succeeds because the password is provided
a s h e n
and the
r a pRMAN> lic
keystore is not
rP
SET DECRYPTION IDENTIFIED BY "password1";
m u
Fla executing command: SET decryption
RMAN> restore tablespace USERS from tag "password";


backup set
/home/oracle/backup/USERS003.bck

Chapter 8 - Page 10
channel ORA_DISK_1: piece
handle=/home/oracle/backup/USERS003.bck tag=PASSWORD
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:25
Finished restore at 14-DEC-16
RMAN>
9. In your second terminal session, again remove the USERS tablespace datafile.
$
10. Attempt to restore the USERS tablespace by using dual-mode encryption. Why does it fail?
The restore fails because the keystore is not open and the password is not set.
a ble
RMAN> restore tablespace USERS from tag dual;
f e r
ans
n - t r
no
s a
h a
) seteฺrestore
channel ORA_DISK_1: starting datafile backup o m
channel ORA_DISK_1: specifying datafile(s)a ilฺc Gto uidrestore from
backup set g m ent
channel ORA_DISK_1: restoring
t i c S t ud 00006 to
a@ datafile
s h this
a
channel ORA_DISK_1:
f p r ap reading
u s e from backup piece
a (
to
i c
ht cens
RMAN-00571: e
a s
===========================================================
li =============== ERROR MESSAGE STACK FOLLOWS
r apRMAN-00569:
ur P ===============
F lam RMAN-00571:
===========================================================
ORA-19913: unable to decrypt backup
RMAN>

Chapter 8 - Page 11
11. Set the password for dual-mode backup and restore.
To restore from dual-mode backup, either the password must be provided or the keystore
must be open.
RMAN> SET DECRYPTION IDENTIFIED BY "oracle1";
executing command: SET decryption

a ble
f e r
ans
backup set
n - t r
o
an
ha s
channel ORA_DISK_1: reading from backup piece )
m ideฺ
c o
m ailฺ t Gu
g den
handle=/home/oracle/backup/users002.bck tag=DUAL
@
h t ica is Stu
a s th
p
a
pr to us
Finished restore at 14-DEC-16 e
( f
ica nse
RMAN>htexit
$a
p s lice
r a
mur P
12. In your second terminal session, again remove the data file.
Fla $ rm /u01/app/oracle/oradata/orcl/users01.dbf
$
13. Open the encryption keystore.

2016
Connected to:
64bit Production

Chapter 8 - Page 12
2
keystore altered.
SQL> EXIT
$
14. Restore the USERS tablespace by using transparent encryption.
Transparent mode encryption requires the keystore to be open.
a b le
e r
a n sf
11:23:29 2016
n - tr
a no All
Copyright (c) 1982, 2014, Oracle and/or its affiliates.
rights reserved. h a s
m ) eฺ
o
target database Password: a ilฺc Guid
connected to target database: g ORCL e t
m (DBID=1454032016,
n not open)
a @ t u d
s h ticUSERSi s S
RMAN> restore tablespace
p a e t h from tag transparent;
( f p ra us
Starting a
i c restore at
e to 14-DEC-16
s
using
a httarget c e s
ndatabase control file instead of recovery catalog
p l i
a allocated channel: ORA_DISK_1
r
ur P channel ORA_DISK_1: SID=21 device type=DISK
F lam
backup set
handle=/home/oracle/backup/users001.bck tag=TRANSPARENT
RMAN>

Chapter 8 - Page 13
15. In your second terminal session, again remove the data file and close the terminal window.
$ exit
16. Attempt to restore the USERS tablespace by using password-encrypted backup without
supplying the password.

The password-encrypted backup must have a password set in the session.
RMAN> restore tablespace USERS from tag "password";

a ble
f e r
ans
backup set
n - t r
o
/u01/app/oracle/oradata/orcl/users01.dbf s an
channel ORA_DISK_1: reading from backup piece ) ha
c o m ideฺ
RMAN-00571:
m ailฺ t Gu
g den
===========================================================
@
t ica is Stu
h
===============
p a s th
RMAN-00571: a
pr to us e
( f
===========================================================
t ica nse
h
p a s lice
r a
ur P
ORA-19913: unable to decrypt backup
m
Fla
RMAN>
17. Restore dual-mode backup without a password.
Dual-mode encrypted backup uses either the keystore or the password.


backup set

Chapter 8 - Page 14
handle=/home/oracle/backup/users002.bck tag=DUAL
RMAN>
18. Recover the USERS tablespace, open the database, and then exit Recovery Manager.
RMAN> recover tablespace USERS;
a ble
Starting recover at 14-DEC-16
f e r
ans
n - t r
o
an
starting media recovery
media recovery complete, elapsed time: 00:00:01
ha s
)
m ideฺ
c o
ailฺ t Gu
Finished recover at 14-DEC-16
m
g den
RMAN> ALTER DATABASE OPEN; @
h t ica is Stu
p a s th
Statement processed
a
pr to us e
( f
ica nse
RMAN> tEXIT
h
$ as i c e
r a p l
mur P
Fla

Chapter 8 - Page 15
Practice 8-2: Exporting Encrypted Data
Overview
In this practice, you perform various data pump export operations by using different parameters
for encryption. This helps you understand that you may export data in an unsecure manner.
Assumptions
In Practice 7-1 you successfully completed the creation of a password-based keystore in dbsec
and the generation of master keys for each PDB in dbsec.
Tasks
1. Execute the $HOME/labs/ENC/create_tables_pdb1.sql script to create a table with
an encrypted column in the pdb1 pluggable database.
a ble
$ . oraenv
f e r
ans
n - t r
no
s a
h a
SQL*Plus: Release 12.1.0.2.0 Production m on) Wed Dec ฺ 14 11:31:17
c o i d e
ailฺ t Gu
2016
m
g dAll e nrights reserved.
@
ic is Stu
Copyright (c) 1982, 2014, aOracle.
s h t
a p a e th
Connected to: ( f pr to us
ca nse12c Enterprise Edition Release 12.1.0.2.0 -
OracletiDatabase
h
p a s Production
64bit
l i c e
r a With the Partitioning, OLAP, Advanced Analytics and Real
ur P Application Testing options
F lam
SQL> @$HOME/labs/ENC/create_tables_pdb1.sql
SQL>
SQL> connect system/oracle_4U@localhost:1521/pdb1.example.com
Connected.
SQL> ALTER USER oe IDENTIFIED BY oracle_4U ACCOUNT UNLOCK;
User altered.
SQL> grant create any directory to oe;
Grant succeeded.
SQL>
SQL> connect system/oracle_4U@localhost:1521/pdb2.example.com

Chapter 8 - Page 16
Connected.
SQL> ALTER USER oe IDENTIFIED BY oracle_4U ACCOUNT UNLOCK ;
User altered.
SQL> grant create any directory to oe;
Grant succeeded.
SQL>
SQL> connect oe/oracle_4U@localhost:1521/pdb1.example.com
Connected.
a ble
SQL> create directory dp as '/tmp';
f e r
ans
Directory created.
n - t r
a no
a s
SQL> connect oe/oracle_4U@localhost:1521/pdb2.example.com
h
Connected. m ) eฺ
SQL> create directory dp as '/tmp';ilฺc o uid
a
m ent G
g
Directory created.
t i c a@ Stud
a s h this
SQL>
f p r ap use
SQL> connect
a ( oe/oracle_4U@localhost:1521/pdb1.example.com
to
i c
t ens
hdrop
Connected. e
a s lictable cust_payment_info;
r ap
SQL>
ur P
drop table cust_payment_info
m *
Fla ERROR at line 1:

2 (first_name varchar2(11),
3 last_name varchar2(10),
5 credit_card_number varchar2(20) ENCRYPT,
Table created.
SQL>

Chapter 8 - Page 17
2 ('Jon', 'Oldfield', 10001, 5105105105105100,'YES');
1 row created.

2 ('Chris', 'White', 10002, 6011111111111117,'YES');
1 row created.

2 ('Alan', 'Squire', 10003, 378282246310005,'YES');
a ble
f e r
1 row created.
ans
n - t r
a no
2 a
('Mike', 'Anderson', 10004, 6011000000000004,'YES');
h s
m ) eฺ
o
1 row created.
a ilฺc Guid
g m ent
SQL> insert into cust_payment_info
t i c a@ Studvalues
2 ('Annie', 'Schmidt',
a s h th10005,
is 4111111111111111,'YES');
f p r ap use
1 row created.
a ( to
i c
t ens
hinsert e
a s lic into cust_payment_info values
r ap
SQL>
ur P
2 ('Elliott', 'Meyer', 10006, 4222222222222,'YES');
m
Fla 1 row created.

2 ('Celine', 'Smith', 10007, 343434343434343,'YES');
1 row created.

2 ('Steve', 'Haslam', 10008, 6011000990139424,'YES');
1 row created.


Chapter 8 - Page 18
1 row created.
SQL>
SQL> COMMIT;
Commit complete.
SQL> exit
$
2. Export the OE.CUST_PAYMENT_INFO table that holds one encrypted column.
$ expdp oe@pdb1 tables=cust_payment_info directory=dp
a ble
REUSE_DUMPFILES=YES
f e r
a n s
Export: Release 12.1.0.2.0 - Production on Wed Dec n -t r
14 11:33:13
2016 n o
s a
a
) haffiliates.
Copyright (c) 1982, 2014, Oracle and/or its
o m e ฺ All
rights reserved.
a ilฺc Guid
Password:
g m ent
c a@ 12c d
tuEnterprise
t i
h this
Connected to: Oracle Database S Edition Release
s
12.1.0.2.0 - 64bitaProduction
f p r
With the Partitioning,ap usOLAP,
e Advanced Analytics and Real
Application a ( Testingto options
h i c se
t "OE"."SYS_EXPORT_TABLE_01":
n
a s
Starting
lic e
ptables=cust_payment_info
oe/********@pdb1
ra Estimate directory=dp REUSE_DUMPFILES=YES
mur P in progress using BLOCKS method...
Fla
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type
TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
. . exported "OE"."CUST_PAYMENT_INFO" 7.203
KB 9 rows
ORA-39173: Encrypted data has been stored unencrypted in dump
file set.
Master table "OE"."SYS_EXPORT_TABLE_01" successfully
loaded/unloaded
****************************************************************
**************
Dump file set for OE.SYS_EXPORT_TABLE_01 is:
/tmp/expdat.dmp

Chapter 8 - Page 19
Job "OE"."SYS_EXPORT_TABLE_01" successfully completed at Wed Dec
14 11:34:04 2016 elapsed 0 00:00:32
$
Notice the warning message: ORA-39173: Encrypted data has been stored
unencrypted in dump file set.

This clearly warns you that the data exported from the OE.CUST_PAYMENT_INFO table is
stored in clear text in the export dump file. The data pump export operation decrypted the
data to export it into the dump file.
3. Use dual encryption mode.
$ expdp oe@pdb1 tables=cust_payment_info encryption_mode=dual
directory=dp REUSE_DUMPFILES=YES
ab le
Export: Release 12.1.0.2.0 - Production on Wed Dec 14 11:35:07 fer
2016 a n s
n -t r
o
n All
Copyright (c) 1982, 2014, Oracle and/or its affiliates.
s a
rights reserved.
) ha
Password:
c o m ideฺ
a ilฺ Gu
Connected to: Oracle Database g m e n t
12c Enterprise Edition Release
@ d
tu Analytics and Real
ica isAdvanced
With the Partitioning, h t
soptionsth
OLAP, S
p a
use
Application Testing
f pra tooperation
ORA-39002: (invalid
t i
ORA-39050:
h ca parameter
n s e ENCRYPTION is incompatible with parameter
a s lice
ENCRYPTION_MODE
p
r a
ur P $
F lam By default, the ENCRYPTION parameter, when not explicitly defined, sets the scope of
encryption to columns only. This encryption scope is incompatible with dual mode
encryption export.
4. Set the ENCRYPTION parameter explicitly to a compatible value.
encryption=data_only directory=dp REUSE_DUMPFILES=YES
Export: Release 12.1.0.2.0 - Production on Wed Dec 14 11:36:33

2016

rights reserved.
Password:
Connected to: Oracle Database 12c Enterprise Edition Release


Chapter 8 - Page 20
ORA-39002: invalid operation
ORA-39174: Encryption password must be supplied.
$
The ENCRYPTION parameter sets the scope of encryption to a value compatible with the
encryption scope, but the dual mode requires the keystore to be opened and a password
explicitly defined. The operation will export data only.
encryption=data_only encryption_password="welcome1"
directory=dp dumpfile=reuse
b le
Export: Release 12.1.0.2.0 - Production on Wed Dec 14 11:37:44 era
2016
a n sf
n - tr
Copyright (c) 1982, 2014, Oracle and/or its affiliates. a no All
rights reserved.
h a s
Password: m ) eฺ
o
a ilฺc Guid
Connected to: Oracle Database 12c
g m Enterprise
e n t Edition Release
t i c S tud Analytics and Real
a@Advanced
With the Partitioning,
a s h this
OLAP,
ap use
f p r
Starting "OE"."SYS_EXPORT_TABLE_01":
( oe/********@pdb1
t o
h t ica nse encryption_password=******** directory=dp
tables=cust_payment_info encryption_mode=dual
p a s lice
encryption=data_only
dumpfile=reuse
r a
ur P
Estimate in progress using BLOCKS method...
m Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Fla Total estimation using BLOCKS method: 64 KB
KB 9 rows
loaded/unloaded
****************************************************************
**************
/tmp/reuse.dmp
14 11:38:09 2016 elapsed 0 00:00:20

Chapter 8 - Page 21
$
5. Use the same parameters to export metadata only.
encryption=metadata_only encryption_password="welcome1"

2016

rights reserved.
Password:
a ble
f e r
ans
n - t r
o
an
s
) ha
c o m ideฺ
Starting "OE"."SYS_EXPORT_TABLE_01": oe/********@pdb1
ailฺ t Gu
tables=cust_payment_info encryption_mode=dual
m
encryption=metadata_only encryption_password=********
g den
@
t ica is Stu
h
p a s th
a
pr to us e
f
(
h t ica nse
a s lice
p
r a TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
mur P Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Fla
KB 9 rows
ORA-39173: Encrypted data has been stored unencrypted in dump
file set.
loaded/unloaded
****************************************************************
**************
/tmp/expdat.dmp
14 11:39:40 2016 elapsed 0 00:00:08
$
Notice the warning message: ORA-39173: Encrypted data has been stored
unencrypted in dump file set.

Chapter 8 - Page 22
This clearly warns you that the data exported from the OE.CUST_PAYMENT_INFO table is
stored in clear text in the export dump file. The data pump export operation kept encrypted
the metadata only as requested in the command.
6. The SYSKM administrator decides to temporarily close the keystore for an administrative
keystore maintenance task.

2016
a ble
Connected to:
f e r
ans
64bit Production n - t r
a
With the Partitioning, OLAP, Advanced Analytics and Real no
h a s
m ) eฺ
o
ilฺc Guid
a
g m ent
CONTAINER=ALL;
2 3
t i c a@ Stud
keystore altered.
a s h this
SQL> exit (fpr
ap use
i c a e to
$
a s ht mode.c e ns
r a p
7. Export in dual li
ur P
m encryption=data_only encryption_password="welcome1" directory=dp
Fla REUSE_DUMPFILES=YES
Password: ******
Export: Release 12.1.0.2.0 - Production on Thu May 30 06:54:18

2013

rights reserved.

ORA-39188: unable to encrypt dump file set

Chapter 8 - Page 23
$
Dual mode requires that the keystore be opened.
8. The keystore is still closed but you need to export in a secure mode.
a. Use PASSWORD mode.
$ expdp oe@pdb1 tables=cust_payment_info

encryption_mode=password encryption_password="welcome1"
encryption_pwd_prompt=YES directory=dp REUSE_DUMPFILES=YES
2016

rights reserved.
a ble
f e r
Password:
ans
n - t r
12.1.0.2.0 - 64bit Production a no
With the Partitioning, OLAP, Advanced Analytics and Realh a s
m ) eฺ
o
a ilฺc Guid
UDE-00011: parameter encryption_password is incompatible with
parameter encryption_pwd_prompt
g m ent
t i c a@ Stud
$
a s h this
encryption_password r p encryption_pwd_prompt=YES
aand s e are incompatible.
b. Restart the a ( f p o u
t the password. Enter welcome1 when prompted for the
operation without
t i c s e
p a sh oe@pdb1
encryption
l i c en tables=cust_payment_info
password.
Pra encryption_mode=password ENCRYPTION_PWD_PROMPT=YES directory=dp

$ expdp
u r
l a m REUSE_DUMPFILES=YES
F
2016

rights reserved.
Password: *******

Encryption Password: *******

Chapter 8 - Page 24
Starting "OE"."SYS_EXPORT_TABLE_01": oe/********@pdb1
tables=cust_payment_info encryption_mode=password
ENCRYPTION_PWD_PROMPT=YES directory=dp REUSE_DUMPFILES=YES

ORA-31693: Table data object "OE"."CUST_PAYMENT_INFO" failed to
load/unload and is being skipped due to error:
ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout
a ble
f e r
ans
loaded/unloaded
n - t r
****************************************************************
a no
**************
h a s
m ) eฺ
o
/tmp/expdat.dmp
a ilฺc Guid
m ent
Job "OE"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at Wed
g
Dec 14 13:03:23 2016 elapsed 0 00:00:14
t i c a@ Stud
$
a s h this
ENCRYPTION_PASSWORD specifies
r a p saekey for re-encrypting encrypted table columns so that
they are not written as
( f p ttext
clear
o uin the dump file set.
h ti a before
Notice that thecdata
using theskeystore
has not
n s been exported. The data needs to be decrypted during export
ebeing re-encrypted into the dump file using the password. This
e to be opened.
p a
requires l i c
the keystore
u r Pc.ra Open the keystore and retry.

l a m $ sqlplus / as SYSKM
F
2016
Connected to:
64bit Production

CONTAINER=ALL;

Chapter 8 - Page 25
2 3
keystore altered.
SQL> exit
$
d. Enter welcome1 when prompted for the encryption password.

$ expdp oe@pdb1 tables=cust_payment_info
encryption_mode=password ENCRYPTION_PWD_PROMPT=YES directory=dp
REUSE_DUMPFILES=YES

2016
a ble
f e r
ans
rights reserved.
n - t r
Password: ******
a no
h a s
Connected to: Oracle Database 12c Enterprise
m ) eฺ Release
Edition
l ฺ o uid
cAnalytics
With the Partitioning, OLAP, Advanced a i G and Real
Application Testing options gm n t
c a @ tude
Encryption Password:sh
t i
****** is
S
a
p se t h
f p r a
Starting "OE"."SYS_EXPORT_TABLE_01":
u oe/********@pdb1
(
tables=cust_payment_info
a to encryption_mode=password
h i c
t ens
ENCRYPTION_PWD_PROMPT=YESe directory=dp REUSE_DUMPFILES=YES
a s
Estimate
p l i
inc progress using BLOCKS method...
r a
ur P
m Total estimation using BLOCKS method: 64 KB

Fla Processing object type TABLE_EXPORT/TABLE/TABLE
KB 9 rows
loaded/unloaded
****************************************************************
**************
/tmp/expdat.dmp
14 13:06:59 2016 elapsed 0 00:00:08

Chapter 8 - Page 26
Practice 8-3: Importing Encrypted Data
Overview
In this practice, you import the OE.CUST_PAYMENT_INFO table that holds one encrypted
column into another PDB of dbsec.
Assumptions
The last export operation successfully completed in Practice 8-2.
Tasks
1. The SYSKM administrator decides to temporarily close the keystore for an administrative
keystore maintenance task.
a ble
f e r
ans
2016 n - t r
a no
Copyright (c) 1982, 2014, Oracle. All rights areserved.
h s
m ) eฺ
o
Connected to:
a ilฺc Guid
Oracle Database 12c Enterprisegm
e t
EditionnRelease 12.1.0.2.0 -
@ tu d
64bit Production
h t ica isAdvanced
S
a s OLAP,
t h Analytics and Real
Application Testing
f p r ap useoptions
a ( to MANAGEMENT SET KEYSTORE CLOSE

i c
ht cens
SQL> ADMINISTER eKEY
a s li
ap
r
ur P
CONTAINER=ALL;
m 2 3
Fla keystore altered.
SQL> exit
$
2. Import the OE.CUST_PAYMENT_INFO table into pdb2 of dbsec. The
OE.CUST_PAYMENT_INFO table does not exist in pdb2.
a. If it exists, drop the table.
$ sqlplus system@pdb2

SQL> drop table oe.cust_payment_info;
Table dropped.

Chapter 8 - Page 27
SQL> EXIT
$
b. Use the impdp command.

$ impdp oe@pdb2 tables=cust_payment_info directory=dp
…
Password: ******
…
a ble
f e r
ans
$ n - t r
a no
c. The export operation used a password to encrypt data in the dump file. The import
h a s
operation requires the same password to decrypt the data. Deliberately enter an
incorrect password, such as oracle_4u. m ) eฺ
o
a
$ impdp oe@pdb2 tables=cust_payment_info ilฺc Guid
g m ent
ENCRYPTION_PWD_PROMPT=YES directory=dp
t i c a@ Stud
Password: ******
a s h this
f p r ap use
( 12.1.0.2.0
Import: Release to - Production on Wed Dec 14 13:14:57
2016 tica e
a s h cens
r ap li
ur P
rights reserved.
m
Fla Password:

Encryption Password:
ORA-39176: Encryption password is incorrect.

Chapter 8 - Page 28
d. This time, enter the same password (welcome1) used by the export operation. If you
use the wrong password, the import fails.
$ impdp oe@pdb2 tables=cust_payment_info
Password: ******

Encryption Password:
a ble
Master table "OE"."SYS_IMPORT_TABLE_01" successfully
f e r
loaded/unloaded
ans
Starting "OE"."SYS_IMPORT_TABLE_01": oe/********@pdb2 n - t r
o
an
tables=cust_payment_info ENCRYPTION_PWD_PROMPT=YES directory=dp
s
) ha
c o m ideฺ
ORA-39083: Object type TABLE:"OE"."CUST_PAYMENT_INFO" failed to
ailฺ t Gu
create with error:
m
g den
@
ica is Stu
Failing sql is:
h t
CREATE TABLE "OE"."CUST_PAYMENT_INFO" ("FIRST_NAME" VARCHAR2(11
s
p a th
BYTE), "LAST_NAME" VARCHAR2(10 BYTE), "ORDER_NUMBER"
a e
( f pr to us
NUMBER(5,0), "CREDIT_CARD_NUMBER" VARCHAR2(20 BYTE) ENCRYPT
ica nse
USING 'AES192' 'SHA-1', "ACTIVE_CARD" VARCHAR2(3 BYTE)) SEGMENT
h t
CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255
s lice
a p a
NOCOMPRESS LOGGING STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS
r 1 MAXEXTENTS
mur P Processing object type TABLE_EXPORT/TABLE/TABLE_DATA

Fla Processing object type
Job "OE"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at Wed
Dec 14 13:14:36 2016 elapsed 0 00:00:38
$
The table is created with a CREDIT_CARD_NUMBER column, which holds the ENCRYPT
attribute. The password is required to decrypt the values of the CREDIT_CARD_NUMBER
column stored in the dump file and requires the keystore to be opened to re-encrypt the
values in the data file where the table segment is stored.

Chapter 8 - Page 29
e. Ask the SYSKM administrator to open the keystore.
…
CONTAINER=ALL;
2 3
keystore altered.
SQL> exit
$
f. Re-attempt the import operation.
a ble
f e r
ans
…
n - t r
Import: Release 12.1.0.2.0 - Production on Wed Dec 14 13:19:09
a no
2016
h a s
m ) eฺ
Copyright (c) 1982, 2014, Oracle and/or
l ฺ c o its
u id
affiliates. All
i
rights reserved.
g ma ent G
a@ Stud
Password: *******
t i c
hDatabase
a s t h is12c Enterprise Edition Release
ap Production
Connected to: Oracle
12.1.0.2.0 - 64bit
p r u s e
With the a ( f to OLAP, Advanced Analytics and Real
i c
ht ceTesting
Application ns e
Partitioning,
options
a s li
r ap
mur P Encryption Password: *******
Fla
loaded/unloaded
Starting "OE"."SYS_IMPORT_TABLE_01": oe/********@pdb2
. . imported "OE"."CUST_PAYMENT_INFO" 7.210
KB 9 rows
Job "OE"."SYS_IMPORT_TABLE_01" successfully completed at Wed Dec
14 13:19:34 2016 elapsed 0 00:00:20

Chapter 8 - Page 30
3. Consider that the OE.CUST_PAYMENT_INFO table already existed in pdb2 of dbsec
without the ENCRYPT attribute.
a. Drop and re-create the table without the ENCRYPT attribute.
$ sqlplus oe@pdb2
Enter password : ******
SQL> DROP TABLE OE.CUST_PAYMENT_INFO PURGE;
Table dropped.

( first_name varchar2(11),
a ble
last_name varchar2(10),
f e r
order_number number(5),
ans
credit_card_number varchar2(20),
n - t r
active_card varchar2(3));
a no
2 3 4 5 6
h a s
Table created. m ) eฺ
o
a ilฺc Guid
SQL> g m ent
b. The SYSKM administrator closes c a@
the forda maintenance operation.
keystoretu
t i
h this S
SQL> CONNECT / as a s
SYSKM
Connected.
f p r ap use
a ( KEYto MANAGEMENT SET KEYSTORE CLOSE
c
t ense
SQL> ADMINISTER
h i
p a s l i c IDENTIFIED BY secret_dbsec
P ra 2 3 CONTAINER=ALL;
mur
Fla keystore altered.
SQL> exit
$
c. Use the impdp command to import the OE.CUST_PAYMENT_INFO table.
$ impdp oe@pdb2 tables=cust_payment_info directory=dp
…
Password: ******
…
$

Chapter 8 - Page 31
d. The export operation used a password to encrypt data in the dump file. The import
operation requires the same password to decrypt the data.
TABLE_EXISTS_ACTION=truncate
Password: ******

Encryption Password: ******

a ble
f e r
loaded/unloaded
ans
Starting "OE"."SYS_IMPORT_TABLE_01": oe/********@pdb2
n - t r
o
an
TABLE_EXISTS_ACTION=truncate
ha s
Processing object type TABLE_EXPORT/TABLE/TABLE )
m ideฺ
c o
ailฺ t Gu
Table "OE"."CUST_PAYMENT_INFO" exists and has been truncated.
Data will be loaded but all dependent metadata will be skipped
m
g den
due to table_exists_action of truncate
@
h t ica is Stu
a s th
. . imported "OE"."CUST_PAYMENT_INFO"
p
7.210
KB 9 rows a
pr to us e
( f
ica nse
h t
s lice
a p a
r
ur P
Job "OE"."SYS_IMPORT_TABLE_01" successfully completed at Wed Dec
14 13:22:56 2016 elapsed 0 00:00:15
m
Fla
$
Notice that even if the keystore is closed, the import operation does not need it. The
password is sufficient to decrypt the data in the dump file. The decrypted data is not re-
encrypted because the table does not hold an ENCRYPT column.

Chapter 8 - Page 32
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 9
o uid Key Vault
a ilฺc Oracle
Installing G
g m ent
c a @ tu9 d
Chapter
i
ht this S
a s
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 9 Installing Oracle Key Vault

Chapter 9 - Page 1
Assumptions
Due to the memory requirements of the Oracle Key Vault, the em13 and cl1 virtual machines
should be shut down, as described at the end of the Practice 8.
Practices Overview
In these practices, you install Oracle Key Vault version 12.2 and perform basic configuration.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 9 - Page 2
Practice 9-1: Introduction
Tasks
1. As self-assessment, choose the right definition for each term:
a. Oracle Key Vault
b. Endpoint
c. Virtual wallet
1. Can be a database server, middleware server, or generic server system that contains
the keys that you want to manage with Oracle Key Vault
2. Is a container for security objects in Oracle Key Vault that you upload from endpoints to
share access by group of servers
3. Is a software appliance that consists of a pre-configured operating system, an Oracle
a ble
database, and an APEX application f e r
ans
n - t r
2. If you have access to outside Internet connections, locate the Oracle Key Vault o
documentation on the Oracle Help Center.
s an
ha
a. Open a browser and enter the URL http://docs.oracle.com.
)
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P r a
r
u b. Locate and click the Database user assistance icon.
m
Fla

Chapter 9 - Page 3
c. Because Oracle Key Vault is a separate appliance, click on Related Products.
d. Scroll to the Oracle Key Vault section and click the Release 12.2 link.
e. If time permits, review the Oracle Key Vault Installation and Configuration information
in Key Vault Administrator’s Guide. Determine the minimum hardware configuration
required for the Oracle Key Vault installation.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla

Chapter 9 - Page 4
Practice 9-2: Installation and Post-Installation Videos
Overview
In this practice, you will watch the installation and post-installation videos. These videos
demonstrate similar steps to the following practices, in case the practice cannot be performed
due to time or equipment limitations.
Your instructor will advise you whether the Virtual Machine environment can be used to run the
Oracle Key Vault lab steps.
Tasks
1. If necessary, log on to the host desktop as user oracle. Change to the Videos directory.
$ cd Videos
2. Use the vlc program to watch the ovk_install.mp4 video, which demonstrates the
a ble
Practice 9-3 installation steps. Any messages from vlc may be ignored.
f e r
ans
$ vlc okv_install.mp4
n - t r
3. Use the vlc program to watch the ovk_post_install.mp4 video, which demonstrates o
the Practice 9-4 post installation steps.
s an
$ vlc okv_post_install.mp4 ) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 9 - Page 5
Practice 9-3: (Optional) Installing Oracle Key Vault
Overview
In this practice, you install the Oracle Key Vault from DVD. This involves booting the Key Vault
machine into install mode and responding to a few basic questions. The process copies the
required files from DVD to disk. You then remove the DVD and reboot the machine to finalize
the configuration. Because these two major operations take up to 45 minutes with limited user
interaction, you may wish to review the steps in this practice and start at Practice 9-3.
Tasks
1. Log in, or return to the virtual machine host.
2. Verify that only the database virtual machine and the control domains (Domain-0) are
running.
a ble
[Host Desktop]$ sudo xm list
f e r
ans
Domain-0 0 1024 2
n - t
r----- 322348.3r
db1 1 3072
a no 1 -b---- 113232.9
em13 12
h a s
9216 2 -b---- 36465.1
[Host Desktop]$ m ) eฺ
o id by logging on as
ilฺc down
a. If the em13 or cl1 machines are running, shut them
a G ugracefully
root and issuing the shutdown –P now g m
command.
e n t
[Host Desktop]$ ssh -l root
t i c a@em13Stud
root@em13's password:
a s h this
Last login: Fri r p 9 s04:50:07
aDec e 2016 from 192.0.2.1
( f p o u
[root@em13
t i c a se t
~]# shutdown -P now
p a sh licmessage
en from [email protected]
P ra Broadcast
u r (/dev/pts/0) at 5:18 ...

m
Fla The system is going down for power off NOW!
[root@em13 ~]# exit
logout
Connection to em13 closed.
[Host Desktop]$
b. Use the xm list command to verify that the additional machines are down. A graceful
shutdown of the em13 machine may take several minutes.
Domain-0 0 1024 2 r----- 322461.1
db1 1 3072 1 -b---- 113359.6
[Host Desktop]$

Chapter 9 - Page 6
3. Start the Oracle Key Vault machine and establish a console.
a. Start the virtual machine and verify that it is running
$ sudo xm create /OVS/running_pool/okv/vm-install.cfg
Using config file "/OVS/running_pool/okv-/vm-install.cfg".
Started domain okv (id=22)
[Host Desktop]$ $ sudo xm list

Domain-0 0 1024 2 r----- 324579.2
db1 1 3072 1 -b---- 115119.7
okv 22 4096 1 -b---- 0.4
[Host Desktop]$
b. Determine the VNC port. The connection number is the last digit of the port location.
a ble
[Host Desktop]$ sudo xm list -l okv | grep location f e r
ans
(location 0.0.0.0:5903)
n - t r
(location 3)
a no
[Host Desktop]$
h a s
c. Open the VNCViewer.
m ) eฺ
o
[Host Desktop]$ vncviewer &
a ilฺc Guid
TigerVNC Viewer 64-bit v1.3.0 (20130704)
g m ent
Built on Jul 4 2013 at 12:44:25
t i c ud and many others (see
a@ StTeam
Copyright (C) 1999-2011
a s h this
TigerVNC
ap use for information on TigerVNC.

README.txt)
f p r
See http://www.tigervnc.org
(
i c a
d. After determining thate toVNC console is running on port 5903, or Connection 3, enter
the
a s ht ceinnthe
localhost:3
s VNC Server field and click Connect.
r a p li
mur P
Fla

Chapter 9 - Page 7
e. You should now have access to the Key Vault installation console.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o uid(wipes system) and
4. Using the arrow keys on your keyboard, select and a ilฺc G
highlight Install
g
press Enter. The screen will scroll initialization
m e n
information
tsimilar to the first screenshot,
c a@to the
and proceed to Package Installationisimilar
d screenshot.
tusecond
s t
h this S
a
ap use
( f p r
i c a e to
a s ht cens
r a p li
mur P
Fla
In the development environment for the course, this took 15-20 minutes. After the core
installation is complete, you will be prompted for an installation passphrase.

Chapter 9 - Page 8
a ble
f e r
a n s
n
5. Enter a passphrase and record it carefully because it will be required several times,
r
-t and is
also the emergency access code. n o
s a
) ha offrom
It must contain 8 or more characters and contains at least one of each
uppercase letter, a lowercase letter, a number, and a special character
the following: an
the set: period
o e ฺ
m A reasonable
(.), comma (,), underscore (_), plus (+), colon (:) andcspace.
i l ฺ u id example would
be: My passcode is No 1.
m a t G
Because the mouse has no effect on the @ g
console, use n
dethe Tab key to highlight OK and
press Enter. i c a S t u
a
6. On the Confirm Passphrase screen,s ht enter
t h i
thes passphrase again, press Tab to the highlight
OK, and press Enter rap e
7. On the Successa (fppresstEnter
page, o us
h
8. On the Select
s ticNetwork
e n se page, you should have only one interface (network card)
Interface
pa If necessary,
identified.
r a lic use the Up and Down keys to select the line, and press Enter.
mur P
Fla

Chapter 9 - Page 9
9. Ensure Use this device as the network interface is selected and press Enter
to proceed.
a ble
f e r
ans
n - t r
o
an
10. Enter the IP address 192.0.2.22, ensure the Network Mask is set to 255.255.255.0,
and set the Gateway to 192.0.2.1.
ha s
)
m ideฺ
c o
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
11. Tab to the Reboot line and press Enter. The VNC console is lost during the reboot. If you
were to re-establish that console you would see that you are returned to the initial install
screen.
Because there is no DVD eject capability, the VM will continue to boot from the DVD to the
first install screen. You must stop the VM and switch to another configuration.
12. In a terminal window, shut down the VM and verify it is down.
[Host Desktop]$ sudo xm shutdown -w okv
Domain okv-install terminated
All domains terminated
Domain-0 0 1024 2 r----- 323582.5
db1 1 3072 1 ------ 114374.3

Chapter 9 - Page 10
[Host Desktop]$
13. Start the virtual machine again by using a different configuration file to continue.
a. Optional: If you experienced any difficulty with the installation up to this point, you can
install a copy of the image. Because this extracts a large file, it may take several
minutes.
[Host Desktop]$ sudo su -

[Host Desktop]# cd /OVS/running_pool/okv
[Host Desktop]# ./okv_setup.sh
This script installs the Oracle Key Vault disk image
in preparation for specific tasks in the course.
Select one of the following:

a ble
f e r
0 - abort/exit
ans
1 - ready to install Oracle Key Vault
n - t r
2 - ready for first boot
a no
3 - ready for post-install configuration
h a s
4 - ready for Key Vault operations
m ) eฺ
o
lฺc Guid
a i
Note that this will replace your
g mcurrent
e n t okv_disk1of1.img image.
@ d
Enter your selection h t ica 2is Stu
Confirm that you p a s to set
(0-4):
th up for first boot: (y/n) y
a want e
pr to us and extracting first boot image
( f
Removing okv_disk1of1.img
a se
Done. tic
a h
s Desktop]#
c en exit
a p
[Host l i
Pb.r Start up the virtual machine by using the standard VM configuration.
u r
m
Fla
[Host Desktop]$ sudo xm create okv
Using config file "/etc/xen/okv".
Domain-0 0 1024 2 r----- 324665.0
db1 1 3072 1 -b---- 115193.7
okv 23 4096 1 r----- 8.3
[Host Desktop]$

Chapter 9 - Page 11
14. Open another VNC session, as you did in step 3d and 3e. It is likely that the same
connection and port is used.
If the message “Unable connect to socket:” is received, review step 3c to determine the
new port.
A basic screen with various status updates on line 3 appears for a significant time. (It took
40 minutes in the development environment.) When the installation is complete, the
following is displayed.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
15. Browse the various selections in the console.gWhen m finished,
e n t scroll down to the Power Off
setting click Enter. You will be challenged
c a@with thet d
upasscode you created earlier and the
t i S
sh tfor
machine will power-off. The passphrase
including the final period. pa h isa restored image is My passcode is No 1.
f p r a use
a ( to
i c
ht cens e
p a s li
r a
u rP
m
Fla
16. Verify that the virtual machine is off by using the sudo xm list command. This should be
familiar by now.

Chapter 9 - Page 12
Practice 9-4: Oracle Key Vault Post-install Tasks
Overview
In this practice, you start Oracle Key Vault that has just been installed, and perform the required
post-install tasks. After the machine has been started, all tasks are performed in the browser.
Tasks
1. Optional: If you experienced any difficulty with the installation up to this point, or decided to
skip Practice 9-2, you can install a copy of the image needed for this practice. Because this
extracts a large file, it may take several minutes.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
0 - abort/exit
o
a ilฺc Guid
2 - ready for first boot g m ent
3 - ready for post-install
t i c a@ tud
configuration
S
4 - ready for Key Vault
a s h operations
t h is
f p r ap use
Enter your (selection to (0-4): 3
i c a e
a s ht that
Confirm
c e s want to set up for post-install: (y/n) y
nyou
rapRemoving liokv_disk1of1.img and extracting post-install image
mur P Done.
Fla
[Host Desktop]# exit
2. Open a terminal, go to the Key Vault directory, start the Key Vault.
The vm-postinstall.cfg configuration file uses a backup of the Key Vault taken at the
end of the installation phase. This permits you to catch up without waiting for the entire
installation process.
[Host Desktop]$ cd /OVS/running_pool/okv/
[Host Desktop]$ sudo xm create okv
Domain-0 0 1024 2 r----- 328931.3
db1 1 3072 1 ------ 118172.3
okv 25 4096 1 ------ 4.3
[Host Desktop]$

Chapter 9 - Page 13
3. Verify the Key Vault is fully booted. Use the VNC viewer as described in task 3c to 3e of
Practice 9-2 to ensure the console menu is displayed as in task 14 of the previous practice.
After the menu is displayed, exit the VNC viewer without powering-off the machine by
closing the VNC window.
4. Open the Firefox web browser from your from the db1 machine.
[Host Desktop]$ ssh -X oracle@db1
[1] 25161
[oracle@db1 ~]$
5. Go to the URL https://okv.example.com.
a ble
f e r
a n s
t r
on- page
6. Because this uses a self-signed certificate, you will probably see an untrusted connection
page. Click Advanced to expand the information panel. (If the Installation n
Passphrase
is displayed, skip to Task 9.) s a
a
) h eฺ
m
co uid
i l ฺ
g ma ent G
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
t ens
hException e
p a
7. Click Add s l i c …
P ra
r
mu
Fla

Chapter 9 - Page 14
8. Verify the location is the Key Vault and click Confirm Security Exception.
a ble
f e r
ans
n - t r
o
9. an
The Initial Login page is displayed. Enter the passphrase My passcode is No 1., and
s
click Login.
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 9 - Page 15
10. To implement separation of duties for system administration, key administration, and audit
manager, enter three different sample users. In your production environment, you should
enter all values correctly, including Full Name and Email.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
c
Enter the following values on the Post-Install
t i S tud page, and then click Save.
a@ Configuration
Key Administrator a s h OKV_KEYS_KATE
t h is
Password f p r ap usStudent_1
e
a ( to Student_1
i c
Re-enter tPasswords e
p
Fulla sh licen
Name
P r a Kate Key Admin
u r Email .
l a m
F System Administrator OKV_SYS_SEAN
Password Student_1
Re-enter Password Student_1
Full Name Sean System Admin
Email
Audit Manager OKV_AUD_AUDREY
Password Student_1
Re-enter Password Student_1
Full Name Audrey Audit Mgr
Email
Recovery Passphrase Note your recovery passphrase; oracle_4U
Re-enter Password oracle_4U

Chapter 9 - Page 16
Root Password oracle_4U
Support User Password oracle_4U
Time Setup: 192.0.2.101

Server 1 Address (Test the server, note the time difference.)
DNS Setup: Server 1 192.0.2.101
You will be asked to change passwords at the first login. Using the following suggested
values allows you to change to the traditional passwords at that time.
For your convenience, the /home/oracle/labs/OKV/initconfig.txt file on host
db1 contains these values. You may be able to copy/paste from the file.
a ble
Best practice: In your production environment, use a strong passphrase and store it in a
f e r
safe location because this passphrase is used for the duration of the product life cycle.
ans
When you click Save, the Key Vault Login page appears. n - t r
o
11. Log in as OKV_SYS_SEAN.
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 9 - Page 17
12. You will be asked to change the password. Enter the current password, a new password,
confirm the new password, and click SAVE. (Remember that oracle_4U is still available if
you used the preceding recommendations.)
a ble
Be very careful when changing these passwords. Until you have added more
f e r
administrators, recovery from a lost password may require reinstall.
ans
13. Optionally, review the Home page and the Users page. If an alert is displayed on the home n - t r
o
an
page, scroll right to display the Click here for details link and view the details.
s
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
14. Click Logout (top-right) and proceed to test the next administrator.
15. On the Oracle Key Vault Login page, enter OKV_KEYS_KATE as User Name and your
initialized Password (Student_1), and then click Login.
a. On the Reset Password page, carefully update the password and click Save.
b. Optionally review the Keys and Wallets page (top menu), and then click Logout.
16. Repeat for OKV_AUD_AUDREY. On the Oracle Key Vault Login page, enter
OKV_AUD_AUDREY as User Name and your initialized Password (Student_1), and then
click Login.
a. On the Reset Password page, carefully update the password and click Save.
b. Optionally review the Reports page (top menu), and then click Logout.

Chapter 9 - Page 18
Practice 9-5: (Optional) Shutting down and Restarting the Key Vault
Overview
In this practice, you shut down the Oracle Key Vault that you installed and switch to a saved
version to ensure usernames and passwords are consistent for the following practices.
If you have created all users as described, and use the same passwords as described, you may
simply review the steps and continue to use your virtual machine.
Tasks
1. Shut down the machine from the console. If necessary, review Practice 9-2 Task 3 to
access a console using VNC.
a. Select Power Off and press Enter. Note that the console display is subtly different from
the console previously shown. The Change Installation Passphrase item is no
longer available. a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
b. Use the root a ( to
passphrase/password you created in Practice 9-3 Task 10 instead of the
t i
h cen
installation
c s
passphrase e to shut down the machine.
p a s li
r a
mur P
Fla
2. Verify the machine is shut down by using the sudo xm list command.

Chapter 9 - Page 19
3. Optional: If you skipped over Practice 9-2, or wish to use a configured image, install the
configured image needed for the next practice. Because this extracts a large file, it may
take several minutes.

0 - abort/exit
a ble
f e r
2 - ready for first boot
ans
3 - ready for post-install configuration
n - t r
4 - ready for Key Vault operations
a no
h a s
m) configuration
Enter your selection (0-4): 4
Confirm that you want to install the c o d e ฺ
i l ฺ final
u i image:
ma ent G
(y/n) y
Removing okv_disk1of1.img and g
a @ t u d
extracting final configuration
image
s h tic is S
Done.
a p a e th
fpr toVault
us
[Host Desktop]# exit
4. Open a terminal,ago( to the Key directory, and start the Key Vault.
t i c s e
p a sh Desktop]$
[Host
l i c en cd /OVS/running_pool/okv/
P ra [Host Desktop]$ sudo xm create okv
r
mu
Fla Started domain okv (id=25)

Domain-0 0 1024 2 r----- 328931.3
db1 1 3072 1 ------ 118172.3
okv 25 4096 1 ------ 4.3
[Host Desktop]$
5. Verify the Key Vault is fully booted. Use the VNC viewer as described in Task 3c to 3e of
Practice 9-2 to ensure the console menu is displayed as in Task 14 of the previous practice.
When the menu is displayed, exit the VNC viewer without powering-off the machine by
closing the VNC window.

Chapter 9 - Page 20
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 10:
o id
Workinga ilฺcwith
G uEndpoints and
m
g den
Wallets t
@ tu10
h t ica Chapter
s S
p a s
e t hi
( f pra to us
h t ica nse
p a s lice
ra
mur P
Fla
Practices for Lesson 10: Working with Endpoints and Wallets

Chapter 10 - Page 1
Practices Overview
In these practices, you enroll an Oracle Database 12c server as an Oracle Key Vault endpoint
and learn to use the Oracle Key Vault management console.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

Chapter 10 - Page 2
Practice 10-1: Enrolling Endpoints and Setting Up Encryption Videos
Overview
In this practice, you watch videos to demonstrate how to enroll endpoints, set up encryption and
use wallets. These videos demonstrate similar steps to the following practices, in case the
practice cannot be performed due to time or equipment limitations.
Tasks
$ cd Videos
2. Use the vlc program to watch the ovk_11enpoints.mp4 video, which demonstrates the
a ble
Practice 10-2 endpoint enrollment steps. The messages from vlc may be ignored.
f e r
ans
$ vlc okv_11endpoint.mp4
n - t r
3.
no
Use the vlc program to watch the ovk_encrypt.mp4 video, which demonstrates the
Practice 10-3 steps to set up for database encryption. a
h a s
$ vlc okv_encrypt.mp4
m ) eฺ
o uiddemonstrates the
a il c which
4. Use the vlc program to watch the ovk_wallet.mp4 ฺvideo,
Practice 10-4 steps to upload and download a wallet. G
g m ent
$ vlc okv_wallet.mp4
t i c a@ Stud
a s h this
f p r ap use
a ( to
i c
ht cens e
p a s li
r a
u rP
m
Fla

Chapter 10 - Page 3
Practice 10-2: Enrolling an Endpoint
Overview
In this practice, you enroll an Oracle Database server as an Oracle Key Vault endpoint. The
task steps are performed from the Oracle Key Vault management console, as well as the
command-line interface.
Assumptions
You have completed Practice 9 and have a database machine, db1, and a Key Vault machine,
okv, running.
You are logged in to your host machine as user oracle.
Tasks
a ble
f e r
1. Connect to the db1 VM by using X tunneling, open a web browser, and open the Oracle
ans
Key Vault management console.
n - t r
no
a. From the host desktop, start a new terminal session to the db1 host.
a
h a s
Last login: Tue Dec 20 07:52:06 2016ฺc o m)192.0.2.1
i d eฺ
ail t Gu
from
[oracle@db1 ~]$ m
g den
b. Start Firefox as your web browser.a@
h t ic is Stu
$ firefox &
p a s th
[1] 6129 a
pr to us e
[oracle@db1(f~]$
t a se
icURL
c. Enter h the n
https://okv.example.com to access the Oracle Key Vault management
a s
pconsole. li c e
r a
mur P
Fla

Chapter 10 - Page 4
2. To log in as the Oracle Key Vault system administrator, enter OKV_SYS_SEAN as User
Name, oracle_4U as Password, and click Login.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
r ap isuassystem
Note that endpoint registration
f p e administrator task. Also note the endpoint
( bottomtofo the page.
enrollment link at the
a
i
3. Click Endpoints.
h c
t ense
pa s lic
r a
u rP
m
Fla

Chapter 10 - Page 5
4. Click Add.
5. Enter and confirm the following values, and then click Register:
Endpoint Name CUSTOMER_DB
Type Oracle Database a ble
f e r
Platform Linux
ans
Description Customer Database orcl n - t r
o
Administrator Email s an
[email protected]
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
After successful registration, the endpoint appears with an enrollment token. In real world
deployments, the enrollment token is communicated by the system administrator in a
secure way to the endpoint administrator. This enrollment token is used for authentication
to download the endpoint software by the endpoint administrator.
Simulate this interaction by copying the enrollment token as the system administrator and
pasting it as the endpoint administrator.

Chapter 10 - Page 6
6. Select and copy your enrollment token value.
a ble
f e r
a n s
7. Open another browser tab and point to the same URL https://okv.example.com. n r
-Ast the
o
click the Endpoint Enrollment and Software Download link. s a n console),
endpoint administrator (without logging in to the Oracle Key Vault management
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr totoken
8. Paste or enter the enrollment
e
usand click Submit Token.
( f
h t ica nse
p a s lice
P ra
r
mu
Fla

Chapter 10 - Page 7
9. You should get the message “Valid Token.” Click the Enroll button.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
g den
10. When prompted, select Save File and click OK.
@
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla

Chapter 10 - Page 8
11. Accept the defaults and click Save.
a ble
f e r
ans
n - t r
o
12. Close the Oracle Key Vault enrollment window.
s an
ha
13. Optionally return to the Oracle Key Vault management console and view the endpoints. If
)
necessary, log in again as OKV_SYS_SEAN.
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
Note the status has changed to Enrolled and the Enrollment Token is cleared.
14. Click Logout and close the browser.
15. Create a directory for the Oracle Key Vault client and install the Oracle Key Vault endpoint
software. The –d option specifies the location where the Oracle Key Vault endpoint
software will be installed. The endpoint administrator who is performing the endpoint
software installation must have read and write access to this location. In training, use the
auto-login wallet by pressing Enter when prompted.
a. Create the directory and move the client software into that directory.
$ mkdir /u01/app/oracle/okvutil/
$ mv okvclient.jar /u01/app/oracle/okvutil/

Chapter 10 - Page 9
b. Move to that directory and run the client installation.
$ cd /u01/app/oracle/okvutil/
$ java -jar okvclient.jar
Detected JAVA_HOME: /usr/java/jre1.8.0_101
Enter new Key Vault endpoint password (<enter> for auto-login):
Oracle Key Vault endpoint software installed successfully.

$
c. Observe the directories that have been created.
$ ls
bin conf jlib lib log okvclient.jar ssl
$
Note: The endpoint software keeps the credentials that are used to connect to the Oracle
a ble
Key Vault server in an Oracle wallet file. This wallet file requires a password to open or can
f e r
be set up as an auto-login wallet.
ans
In training, use the auto-login wallet. If you chose to use a password, note the password
n - t r
no
carefully because you must use this password whenever the endpoint software connects
a
with the Oracle Key Vault server.
h a s
) eฺ
16. When you see the success message, switch to the root OS user with the appropriate
m
o
ilฺc Guid
password.
$ su - a
m ent
g
Password:
t i c a@ Stud
#
a s h this
17. Execute the root.sh script
f p r apthe u s e database endpoint with Oracledirectory
in the /home/oracle/okvutil/bin to copy the
a ( withtoOracle Key Vault.

pkcs#11 library file, so that Oracle Advanced Security
s h tic ~]#
TDE can directly
e n scde /u01/app/oracle/okvutil/bin
connect
a a
[root@db1
p[root@db1 licbin]# ls
r
mur P okveps.x64 okveps.x86 okvutil root.sh
Fla [root@db1 bin]# ./root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@db1 bin]#
18. Switch back to the oracle OS user. If you want to confirm your login, use the whoami
command.
]# exit
logout
$ whoami
oracle
$

Chapter 10 - Page 10
19. Execute the okvutil list command in the /home/oracle/okvutil/bin directory to
check whether the Oracle Key Vault endpoint software has been enrolled and provisioned
properly.
• If the endpoint software is able to successfully connect to the Oracle Key Vault server,
the “No objects found” message appears for a new installation.
• If you see the “Server connect failed” message or any other message, your endpoint
software installation has some potential issues that must be resolved before continuing
with this training.
$ cd /u01/app/oracle/okvutil/bin
$ ./okvutil list
No objects found
$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla

Practice 10-3: Setting Up Encrypted Data in Oracle Databases
Overview
In this practice, you set up test users and data in two database instances and encrypt them with
Transparent Data Encryption (TDE) for subsequent practices.
Assumptions
The orcl database instance is running and the database has been enrolled with Oracle Key
Vault.
Tasks
1. If necessary, log in to the db1 VM and verify that the orcl database is running. Review
earlier practices if necessary to perform this task.
2. View the encryption parameters and confirm that transparent data encryption is enabled. a ble
f e r
$ . oraenv
ans
n - t r
a no
$ sqlplus /NOLOG
h a s
m ) eฺ
o uid Dec 20 09:25:49
a ilฺc onGTue
2016
g m ent
c @ tud
aOracle.
Copyright (c) 1982, 2014, t i
h this S All rights reserved.
a s
f p r aaspsysdba
u s e
SQL> connect
a ( /
to
i c
t ens
Connected.
hCOLUMN e
a
SQL>
p s l i c parameter FORMAT A30
ra
ur P
SQL> COLUMN value FORMAT A10
m SQL> SELECT parameter, value

Fla FROM v$option
WHERE parameter LIKE '%Encryption%';
2 3
PARAMETER VALUE
------------------------------ ----------
Transparent Data Encryption TRUE
Backup Encryption TRUE
SecureFiles Encryption TRUE
SQL>

3. Execute the okv_setup12.sql script to set up some administrators, a test user, and a
table with test data. In the following output, extra blank lines have been removed.
SQL> @/home/oracle/labs/OKV/okv_setup12.sql
Connected.
drop user infosec_isabel cascade
*
ERROR at line 1:
ORA-01918: user 'INFOSEC_ISABEL' does not exist
User created.
Grant succeeded.
Grant succeeded.
drop user dba_debra cascade
a ble
*
f e r
ERROR at line 1:
ans
ORA-01918: user 'DBA_DEBRA' does not exist
n - t r
o
User created.
s an
Grant succeeded.
) ha
Grant succeeded.
c o m ideฺ
Connected.
m ailฺ t Gu
g den
drop tablespace bankingCLEAR including contents and datafiles
@
*
h t ica is Stu
ERROR at line 1:
p a s th
a
pr to us e
ORA-00959: tablespace 'BANKINGCLEAR' does not exist
( f
ica nse
Tablespace created.
h t
DROP USER
s lice banking cascade
a p a *
r
ur P
ERROR at line 1:
m
Fla
ORA-01918: user 'BANKING' does not exist
User created.
Grant succeeded.
drop table banking.customers
*
ERROR at line 1:
Table created.
1 row created.
1 row created.
1 row created.
1 row created.
1 row created.
1 row created.
1 row created.

1 row created.
1 row created.
1 row created.
1 row created.
Commit complete.
System altered.
SQL>
4. Your output may look a little different depending on your environment. Confirm that you can
query the data that is to be encrypted, and then exit.
SQL> select ccn from banking.customers;
CCN
a ble
--------------------
f e r
5421-5424-1451-5340
ans
5325-8942-5653-0031
n - t r
o
4553-0984-2344-4101
s an
4489-4023-0489-0492
) ha
5193-0013-0002-2345
c o m ideฺ
4545-5702-4211-8889
m ailฺ t Gu
5900-4451-8812-7171
@ g den
4331-4921-5031-9871
h t ica is Stu
4442-1902-7477-3239
p a s th
a
pr to us
4921-1212-6612-0080 e
( f
ica nse
5890-1454-3554-9886
h t
s lice
11a rows selected.
p
ra
m ur P
Fla
SQL> exit
$
5. If you completed Lesson 7, the wallet should exist. If it does not exist, create a directory for
the Oracle wallet.
$ ls /u01/app/oracle/admin/orcl/wallet
ls: cannot access /u01/app/oracle/admin/orcl/wallet: No such
file or directory
$ mkdir /u01/app/oracle/admin/orcl/wallet
$
6. Confirm that the sqlnet.ora file contains a path that points to the wallet directory. If it
does not, add it at the end of the file.
$ grep ENCRYPTION_WALLET_LOCATION
$ORACLE_HOME/network/admin/sqlnet.ora
$
$ cat <<EOF >> $ORACLE_HOME/network/admin/sqlnet.ora

ENCRYPTION_WALLET_LOCATION=
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))
EOF
$ tail $ORACLE_HOME/network/admin/sqlnet.ora
#
a ble
f e r
(SOURCE =
ans
(METHOD = FILE) n - t r
(METHOD_DATA =
a no
h a s
m ) eฺ
o
$
a ilฺc Guid
Note: The path points to the directory for theg m wallet.
local e n t
c
7. If it does not exist, create an Oracle iwallet.
t tud 7, Task 1 as your guide.) Open the
a@(UseSLesson
wallet.
a s h this
a. Use the following tora p theswallet
create e if the ls command does not display
ewallet.p12.( f p to u
i c
t ens a e
$ ls h$ORACLE_BASE/admin/orcl/wallet
a s
p$ sqlplus / lasicsyskm
r a
mur P
Fla
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics and Real
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE

'/u01/app/oracle/admin/orcl/wallet'
2 3
keystore altered.
SQL> EXIT
$ ls $ORACLE_BASE/admin/orcl/wallet
ewallet.p12

b. Ensure the wallet is open. If it is not open, as shown with the first SELECT, use the
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN statement to open the
wallet.

2016
Connected to:
a ble
64bit Production
f e r
ans
Application Testing options n - t r
a no
SQL> SELECT WRL_PARAMETER, STATUS, WRL_TYPE FROM
h a s
V$ENCRYPTION_WALLET;
m ) eฺ
o
a ilฺc Guid
WRL_PARAMETER
g m ent
t i c a@ Stud
----------------------------------------------------------------
--
a s h this
STATUS
r a p se WRL_TYPE
a (fp to u
------------------------------ --------------------
s h tic ense
/u01/app/oracle/admin/orcl/wallet/
apa lic
CLOSED FILE
r
m ur P SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
Fla IDENTIFIED BY secret;
2
keystore altered.
SQL> SELECT WRL_PARAMETER, STATUS, WRL_TYPE FROM

V$ENCRYPTION_WALLET;
WRL_PARAMETER
----------------------------------------------------------------
--
STATUS WRL_TYPE
------------------------------ --------------------
/u01/app/oracle/admin/orcl/wallet/
OPEN FILE

SQL>
8. As user DBA_DEBRA, encrypt the CCN column.
SQL> CONNECT dba_debra
Enter password:
Connected.
SQL> ALTER TABLE banking.customers MODIFY (ccn ENCRYPT);
Table altered.
9. Confirm the data is still displayed correctly.
SQL> SELECT * from banking.customers;
a ble
f e r
FIRST_NAME LAST_NAME CCN
ans
-------------------- --------------------
t r
--------------------
n -
o
an
Mike Anderson 5421-5424-1451-5340
Jon Hewell
ha s 5325-8942-5653-0031
Andrew Forsyth )
m ideฺ
4553-0984-2344-4101
c o
ailฺ t Gu
Ellen Kane 4489-4023-0489-0492
Randall
m Summers
g den
5193-0013-0002-2345
Julia @ Cortez 4545-5702-4211-8889
Melissa
h t ica is Stu
Hiam 5900-4451-8812-7171
Elise
p a s th Fenters 4331-4921-5031-9871
a
pr to us e
Paul
( f Watts 4442-1902-7477-3239
Jim
h t ica nse Johnson 4921-1212-6612-0080
p a s lice
Scott Manning 5890-1454-3554-9886
ra
m ur P 11 rows selected.
Fla SQL>

10. As the DBA_DEBRA user, encrypt a tablespace with TDE.
SQL> DROP TABLESPACE bankingENC INCLUDING CONTENTS AND
DATAFILES;
DROP TABLESPACE bankingENC INCLUDING CONTENTS AND DATAFILES
*
ERROR at line 1:
ORA-00959: tablespace 'BANKINGENC' does not exist
SQL> CREATE TABLESPACE bankingENC

DATAFILE '/u01/app/oracle/oradata/orcl/bankingENC.dbf'
SIZE 1M
ENCRYPTION USING 'AES256'
a ble
DEFAULT STORAGE(ENCRYPT);
f e r
2 3 4 5
ans
Tablespace created.
n - t r
a no
SQL>
h a s
11. Create a test table in the encrypted tablespace. m ) eฺ
o uid constraints;
SQL> DROP TABLE banking.customersENCa ilฺc cascade
G
DROP TABLE banking.customersENC g m cascade
e n t constraints
* ica
@ tud
ERROR at line 1: ash
t i s S
por view e t h
r a s
(fp to u
ORA-00942: table does not exist
a
tic ense
s h
a CREATE
r a pSQL> lic TABLE banking.customersENC tablespace bankingENC as
u r P select * from banking.customers;
m
Fla Table created.
SQL>

12. Confirm that you can read the data. Then exit.
SQL> select * from banking.customersENC;

-------------------- -------------------- --------------------
Mike Anderson 5421-5424-1451-5340

Jon Hewell 5325-8942-5653-0031
Andrew Forsyth 4553-0984-2344-4101
Ellen Kane 4489-4023-0489-0492
Randall Summers 5193-0013-0002-2345
Julia Cortez 4545-5702-4211-8889
Melissa Hiam 5900-4451-8812-7171
a ble
Elise Fenters 4331-4921-5031-9871
f e r
Paul Watts 4442-1902-7477-3239
ans
Jim Johnson n - t r
4921-1212-6612-0080
Scott Manning a no 5890-1454-3554-9886
h a s
m ) eฺ
11 rows selected.
o
a ilฺc Guid
SQL> exit g m ent
d Enterprise Edition
a@ Stu12c
Disconnected from OraclecDatabase
t i
h this
Release
a s
p sOLAP,
u e
pra to options
With the Partitioning, Advanced Analytics and Real
Application(fTesting
$
h t ica nse
p a s lice
ra
mur P
Fla

Practice 10-4: Uploading and Downloading Wallets with Oracle Key
Vault
Overview
In this practice, you upload an existing Oracle wallet from the Oracle Database endpoint to
Oracle Key Vault for long-term retention. Then you download the wallet and demonstrate that
you can query encrypted data by using the downloaded wallet.
Assumptions
You successfully completed the previous practice.
Tasks
1. Connected to the db1 VM and open the Oracle Key Vault management console in your
a ble
web browser. Log in as the OKV_KEYS_KATE key administrator.
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a sto Keyslic&eWallets and click the Create button.
ra
2. Navigate
P
u r
m
Fla

3. Enter CUSTOMER_DB_WALLET as Name, Customer Database Wallet as Description,
and then click Save.
a ble
f e r
ans
n - t r
4. When the CUSTOMER_DB_WALLET wallet appears on the page (which means that it has o
been created), click the Details pencil icon.
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t icaWalletnsAccess
e Settings section.
pa s
5. Click Add in the
lic e
r a
mur P
Fla

6. Select Type Endpoints, select Endpoint CUSTOMER_DB, select Access Level Read and
Modify and select Manage Wallet. Then click SAVE.
a ble
f e r
ans
n - t r
a no
has wallet in Oracle Key
7. Note the changed Access. Because you are viewing a newly )created
o msection.
Vault, it displays No Members found in the Wallet Contents
d e ฺ Save again.
Click
c i
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla
8. Minimize the Oracle Key Vault management console and open a new terminal window on
the db1 VM. (As always, set the environment variables to the orcl instance.)
$ ssh oracle@db1

[oracle@db1 ~]$
9. Upload the contents of the ewallet.p12 wallet file in the directory to Oracle Key Vault
with the okvutil upload command.
a. Ensure that the listener is up. If not, start it with: lsnrctl start. IF you need to start
the listener, wait until the database registers or use the ALTER SYSTEM REGISTER
command to register the database with the listener manually.
$ lsnrctl status
LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 20-DEC-

2016 11:20:23
a ble
f e r
ans
n - t r
o
an
Connecting to
1521))) ha s
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=
)
m ideฺ
STATUS of the LISTENER
c o
------------------------
m ailฺ t Gu
Alias LISTENER
@ g den
Version
t ica is Stu
TNSLSNR for Linux: Version 12.1.0.2.0
h
- Production
p a s th
Start Date a
pr to us e
20-DEC-2016 11:19:27
( f
ica nse
Uptime 0 days 0 hr. 0 min. 56 sec
h t
s lice
Trace Level off
a p a
Security ON: Local OS Authentication
r
mur P SNMP OFF
Fla
Listener Parameter File
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.o
ra
Listener Log File
/u01/app/oracle/diag/tnslsnr/db1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db1.example.com)(PORT=
1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Services Summary...
Service "orcl.example.com" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this
service...
Service "orclXDB.example.com" has 1 instance(s).

service...
The command completed successfully
[oracle@db1 ~]$
10. Navigate to your okvutil/bin directory
$ cd /u01/app/oracle/okvutil/bin
$
11. Start the upload and provide the password of the wallet; secret, in this example.
$ ./okvutil upload -t WALLET -l
/u01/app/oracle/admin/orcl/wallet -g CUSTOMER_DB_WALLET
Enter source wallet password:
Upload succeeded
a ble
$
f e r
If you receive an error, review the spelling of the wallet name that you created in the Key ans
Vault console. n - t r
o
an
12. Return to the Oracle Key Vault management console in your browser. On the Wallets page,
s
Contents section. ) ha
click the CUSTOMER_DB_WALLET link and notice that entries appear in the Wallet
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

13. Download the wallet from Oracle Key Vault. If a wallet file exists in the same directory
location as specified with the -l option, the existing wallet file is automatically backed up.
When prompted, provide a new wallet password. This example uses welcome1.
$ ./okvutil download -t WALLET -l
/u01/app/oracle/admin/orcl/wallet -g CUSTOMER_DB_WALLET
Enter new wallet password (<enter> for auto-login):
Confirm new wallet password:

Download succeeded
$
14. Optionally, list the wallet directory to view the backup.
total 32
a ble
f e r
ewallet_2016121412180617_for_12c.p12
ans
n - t r
ewallet_2016121412201448.p12
-rw-r--r--. 1 oracle oinstall 6048 Dec 14 a no 07:20
ewallet_2016121412204022.p12 h a s
m )11:48eewallet.p12
ฺ
-rw-r-----. 1 oracle oinstall 6048 Dec 20
c o i d
-rw-r-----. 1 oracle oinstall 6048 Dec 20
m ailฺ t G11:48u
ewallet.p12.1482252488.bak
@ g den
$
h t i ca s Stu
15. Log in to SQL*Plus as SYSDBA.sClose the
a t i wallet and open the new one.
hold
$ sqlplus / asra
p e
( f p sysdba
t o us
h t icaRelease
n se 12.1.0.2.0 Production on Tue Dec 20 11:50:26
a s
SQL*Plus:
p2016 lic e
r a
mur P
Fla
Connected to:
64bit Production
.
SQL> alter system set encryption wallet close identified by
"secret";
System altered.
SQL> alter system set encryption wallet open identified by

"welcome1";

System altered.
SQL>
16. Query both test tables to confirm that the data is readable, and then exit.
SQL> SELECT * from banking.customers;

-------------------- -------------------- --------------------
Mike Anderson 5421-5424-1451-5340
Jon Hewell 5325-8942-5653-0031
Andrew Forsyth 4553-0984-2344-4101
a ble
Ellen Kane 4489-4023-0489-0492
f e r
ans
Julia Cortez n - t r
4545-5702-4211-8889
o
Melissa Hiam
s an 5900-4451-8812-7171
Elise Fenters
) ha 4331-4921-5031-9871
Paul Watts
c o m ideฺ 4442-1902-7477-3239
Jim ailฺ t Gu
Johnson
m
4921-1212-6612-0080
Scott
@ g den
Manning 5890-1454-3554-9886
h t i ca s Stu
11 rows selected. s
p a e t hi
( f p ra us
SQL> SELECT a * fromtobanking.customersenc;
h i c
t ense
a s lic
rapFIRST_NAME LAST_NAME CCN
mur P -------------------- -------------------- --------------------
Fla
Mike Anderson 5421-5424-1451-5340
Jon Hewell 5325-8942-5653-0031
Andrew Forsyth 4553-0984-2344-4101
Ellen Kane 4489-4023-0489-0492
Julia Cortez 4545-5702-4211-8889
Melissa Hiam 5900-4451-8812-7171
Elise Fenters 4331-4921-5031-9871
Paul Watts 4442-1902-7477-3239
Jim Johnson 4921-1212-6612-0080
Scott Manning 5890-1454-3554-9886
11 rows selected.
SQL> exit

12.1.0.2.0 - 64 bit Production
$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

a ble
f e r
ans
n - t r
a no
h a s
e ฺ 11:
Using
o
lฺc GTDE uid with Oracle
a iDirect
g m ent
Database
t i c a@ Stud
a s h thChapter
is 11
f p r ap use
a ( to
i c
ht cens e
a s li
rap
mur P
Fla
Practices for Lesson 11: Using Direct TDE with Oracle Database
Chapter 11 - Page 1
Practices Overview
In these practices, you use the Online Master Key with Oracle Key Vault and perform a number
of different tasks, switching between the system, endpoint, and key administrator roles.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
Chapter 11 - Page 2
Practice 11-1: TDE Direct Video
Overview
In this practice, you watch videos to demonstrate how to configure Oracle Key Vault to interact
with a database. The video demonstrates similar steps to the following practices, in case the
practice cannot be performed due to time or equipment limitations.
Tasks
$ cd Videos
2. Use the vlc program to watch the ovk_tde.mp4 video, which demonstrates the Practice
a ble
11-2 steps for using TDE master keys. The messages from vlc may be ignored.
f e r
ans
$ vlc okv_tde.mp4
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
Chapter 11 - Page 3
Practice 11-2: Using the Online Master Key with Oracle Key Vault
Overview
In this practice, you perform a number of different tasks, switching between the system,
endpoint, and key administrator roles.
• As key administrator, create a virtual wallet.

• Upload the existing Oracle wallet to retain all historical TDE master keys.
• Migrate the TDE master key from the wallet to Oracle Key Vault.
• Rotate the TDE master key.
Note: As of Oracle Key Vault 12.2, the term Online Master Key replaces the term TDE Direct
Connection.
Assumptions
a ble
The Practice 10 has been completed successfully. The db1 and okv VMs are running. The f e r
ans
orcl database on db1 and the listener on db1 are up.
n - t r
Tasks a no
h
1. From the desktop, start a terminal session on the db1 VM and pointa sto the orcl database
instance. m ) eฺ
o
$ ssh -X -l oracle db1 a ilฺc Guid
oracle@db1's password: g m ent
Last login: Tue Dec 20 11:19:00
t i c a@ S2016 tud from 192.0.2.1
$ . oraenv
a s h this
p
ORACLE_SID = [oracle]
f r ap u?seorcl
The Oracle a (base hasto been set to /u01/app/oracle
h i c
t ense
$
s
pa that thelilistener
c is up. If not, start it with the lsnrctl start command.
r a
2. Confirm
u r P $ lsnrctl status
m
Fla LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 21-DEC-
2016 04:18:46
Connecting to
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=
1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 12.1.0.2.0
- Production
Start Date 20-DEC-2016 11:19:27
Chapter 11 - Page 4
Uptime 0 days 16 hr. 59 min. 19 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.o
ra
Listener Log File
/u01/app/oracle/diag/tnslsnr/db1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db1.example.com)(PORT=
1521)))
a ble
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
f e r
Services Summary...
ans
n - t r
a no
service...
h a s
m ) eฺ
o
ilฺc Guid
a
service...
g m ent
The command completed successfully
t i c a@ Stud
$
a h this
sVault,
3. Before migrating to Oracle p Key close the wallet in SQL*Plus by using your password.
r a s e
p to u the password to welcome1.)
(Remember in Practice
( f 10 you changed
t
$ sqlplus
h ica/ as n e
ssyskm
a s
pSQL*Plus: e
licRelease 12.1.0.2.0 Production on Wed Dec 21 04:52:46
r a
mur P 2016
Fla Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to:
64bit Production
SQL> administer key management set keystore close identified by

"welcome1";
keystore altered.
SQL>
4. Note the wallet information
Chapter 11 - Page 5
SQL> select wrl_type, status from v$encryption_wallet;
WRL_TYPE STATUS
-------------------- ------------------------------
FILE CLOSED
SQL>
5. Exit SQL*Plus and modify the sqlnet.ora file to change METHOD=FILE to METHOD=HSM.
Choose vi or other available editors. Note that opening a shell using the exclamation mark
(!) is insufficient.
SQL> exit
$ cd $ORACLE_HOME/network/admin
a ble
$ vi sqlnet.ora
f e r
Adjust the relevant area of the sqlnet.ora file to comment out
ans
ENCRYPTION_WALLET_LOCATION for METHOD = FILE and create an entry with METHOD
n - t r
= HSM, similar to the following.
a no
h a s
# m ) eฺ
o
#ENCRYPTION_WALLET_LOCATION=
a ilฺc Guid
# (SOURCE = g m ent
# (METHOD = FILE)
t i c a@ Stud
(METHOD_DATA = sh is
#
a t h
# (DIRECTORY
f p r a=p/u01/app/oracle/admin/orcl/wallet)))
u s e
a ( to
i c
ht cens e
a s
rap(SOURCE li=
mur P (METHOD = HSM)
Fla
(METHOD_DATA =
6. Oracle Key Vault 12 looks for configuration information in the $ORACLE_BASE/okv/orcl
directory. In preparation for the migration, create the directory and copy the configuration
file.
$ mkdir –p $ORACLE_BASE/okv/orcl
$ cp $ORACLE_BASE/okvutil/conf/*.ora $ORACLE_BASE/okv/orcl
7. Open a new SQL*Plus session and confirm that you have two wallet types: FILE and HSM,
both in a CLOSED state.

2016
Chapter 11 - Page 6
Connected to:
64bit Production

WRL_TYPE STATUS
-------------------- ------------------------------
FILE CLOSED
a ble
f e r
HSM CLOSED
ans
n - t r
SQL>
a no
has wallet during the
8. Use the migration command to move the TDE master key from the wallet file to Oracle Key
Vault, of course, with your passwords. Because you used the )auto-login
endpoint software installation, the password in this example o mis “null.”
d e ฺ
However, if you used
l ฺ c u i
ai t G
an endpoint password, that password needs to be entered.
SQL> administer key managementgm e n
set encryption key identified by
@ d
tu backup;
"null" migrate using "welcome1"
h t ica is Swith
p a s th
keystore altered. a
pr to us e
( f
SQL> hexitt ica nse
$a
p s lice
P ra
r
9. Optionally, list the wallet directory to view the automatically created backup file. The sample
mu output has been trimmed to remove rows, and will have different date and time stamps than
Fla on your system.
total 12
…
-rw-r-----. 1 oracle oinstall 6048 Dec 21 06:18
ewallet_2016122111181704.p12
-rw-r-----. 1 oracle oinstall 6048 Dec 21 06:18 ewallet.p12$
10. Invoke the Firefox browser and enter the https://okv.example.com URL.
Chapter 11 - Page 7
11. Log in to the Oracle Key Vault management console as the OKV_KEYS_KATE key
administrator.
12. Logged in to the Oracle Key Vault management console as the OKV_KEYS_KATE key
administrator, view the TDE items under All Items.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
a s h this
f p r ap use
(
amonths topassed and as the endpoint administrator, you have the task
13. Assume thattsix i c e
ns key. Because you used the auto-login wallet during the endpoint
hthe TDEcemaster have
a s
of rotating
li the password in this example is “null.” However, if you used an
p installation,
r a
software
mur Pendpoint password, that password needs to be entered.

Fla $ sqlplus / as sysdba
SQL> administer key management set encryption key identified by

"null";
keystore altered.
SQL> exit
$
14. Exit all windows.
Chapter 11 - Page 8
a ble
f e r
ans
n - t r
a no
h a s
e ฺ 12:
o uid Key Vault
Performing
a ilฺc G Oracle
g m ent
Administrative Tasks
a @ t u d
s h tic Chapter
i s S 12
a
p se t h
r a
a (fp to u
s h tic ense
rapa lic
mur P
Fla
Practices for Lesson 12: Performing Oracle Key Vault Administrative Tasks
Chapter 12 - Page 1
Practices Overview
In these practices, you will perform audits, archive and delete audit trail records, and configure
and perform backups.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
Chapter 12 - Page 2
Practice 12-1: Key Vault Administration Videos
Overview
In this practice, you watch videos to demonstrate how to perform basic Key Vault system
administration sch as auditing and backups. These videos demonstrate similar steps to the
following practices, in case the practice cannot be performed due to time or equipment
limitations.
Tasks
$ cd Videos
a ble
2. Use the vlc program to watch the ovk_sysadmin.mp4 video, which demonstrates system
f e r
administration tasks such as setting system and logging. The messages from vlc may be
ans
ignored.
n - t r
$ vlc okv_sysadmin.mp4
a no
a s
3. Use the vlc program to watch the ovk_audit.mp4 video, which demonstrates
h the Practice
12-2 steps to set up for database encryption. )
m ideฺ
c o
$ vlc okv_audit.mp4
m ailฺ t Gu
4. Use the vlc program to watch the ovk_backup.mp4
@ g dvideo,e n which demonstrates the
Practice 12-3 steps to perform backups
t i S tu
caandsrecovery.
$ vlc okv_backup.mp4s
a h t hi
p e
( f pra to us
h t ica nse
p a s lice
P ra
r
mu
Fla
Chapter 12 - Page 3
Practice 12-2: Using and Managing the Audit Trail
Overview
In this practice, you log on to the Oracle Key Vault management console as an administrator
with audit privileges, OKV_AUD_AUDREY, and review and manage the audit trail.
Assumptions
You have completed Practice 11. Your db1 and okv machines are up and running. The orcl
database is running, as is the listener on db1.
Tasks
1. Login to the db1 machine as user oracle with X tunnel capability, set your environment to
orcl, and ensure that your database and listener are up.
a ble
$ ssh -X -l oracle db1
f e r
ans
Last login: Wed Dec 21 05:05:01 2016 from 192.0.2.1 n - t r
o
$ . oraenv
s an
) ha
o m ideฺ
c
$ lsnrctl status | grep orcl
m ailฺ t Gu
g den
@
h t ica is Stu
service...
p a s th
a
pr to us e
( f
t ica nse
service...
h
p$a s lice
P
2.Start
a
r your browser to log in to the Oracle Key Vault.
u r
m
Fla
$ firefox https://okv.example.com &
$
3. Access the Oracle Key Vault management console as user OKV_AUD_AUDREY.
Chapter 12 - Page 4
4. Select Reports and click on Audit Trail.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
5. Use some filters to narrow the scope of the trail. ailฺ u
a. Click on Time and select Last Hour. g m n t G
@ d e
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla
Chapter 12 - Page 5
b. Notice that the filter is displayed and a subset of the data is displayed. Check your list
to ensure the time is within the last hour, based on the time zone of the VMs.
c. Optionally scroll through the filtered list and note the various operations that have been
recorded. Add a filter based on Operation and view the changes in the list. In this
example, the Operation ‘Get Attributes’ filter was selected. a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h
Clickingt icathe Object
on n seidentifier provides detailed information.
s e
r apa lic
mur P
Fla
Chapter 12 - Page 6
6. To manage the amount of information in the audit trail, export and delete rows.
a. Click Export/Delete.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g Export.
b. The current date should be displayed. Click
d e n
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p as the date,
Toachange l iceuse the calendar icon next to the displayed date.
P r
u r c. Select Open with gedit and click OK.
m
Fla
In a production environment, an archive strategy should be developed. Note the data format
used in the export.
d. Close the editor.
Chapter 12 - Page 7
e. Click Delete. On the pop-up dialog box, click OK.
Note that there is one record remaining. Investigate and discuss this.
f. Log out of the console.
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
r a
mur P
Fla
Chapter 12 - Page 8
Practice 12-3: Backing Up the Key Vault
Overview
In this practice, you will take a backup of the Oracle Key Vault.
Tasks
1. As user oracle on machine db1, create directory okvbackup.

[oracle@db1 ~]$ whoami
oracle
[oracle@db1 ~]$ pwd
/home/oracle
[oracle@db1 ~]$ mkdir okvbackup
[oracle@db1 ~]$ ls -ld okvbackup/
a ble
f e r
drwxr-xr-x. 2 oracle oinstall 4096 Dec 21 08:39 okvbackup/
ans
[oracle@db1 ~]$
n - t r
o
2.
an
Because backup and restore operations are system administrator functionalities, log in to
the Oracle Key Vault management console as OKV_SYS_SEAN. s
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla
3. Create a new backup destination. Select the System tab.

a. Note the Status page. Optionally review the various setting pages.
Chapter 12 - Page 9
b. Select the System Backup page and click Manage Backup Destinations.
c. Click Create.
a ble
f e r
ans
n - t r
a no
h a s
m ) eฺ
o
a ilฺc Guid
Note the mandatory LOCAL backup destination.
g m ent
d. Create the backup destination based
t i c a@ S tud in this table and click Save.
on the values
Field
a s hValue this
Destination Name
f p r ap uDaily s eBackup
Hostname ica
( to db1.example.com
ht cens e
Portpas li 22
r a
PDestination Path
u r /home/oracle/okvbackup
l a m Username oracle
F
select Password Authentication
Password oracle
Confirm Password oracle
a ble
f e r
ans
e. Click Done. n - t r
o
4. Perform the Backup.
s an
a. On the System Backup page, click Backup.
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P r a
r
u b.
m Enter a name for the backup, ensure that Destination is the one you just created,
Fla select Type ONE-TIME, click Now to clear the Start Time, and click Schedule.
c. The System Backup page is displayed. Browse some of the other pages for a few
minutes, periodically returning to the System Backup page. After several minutes, the
Status should show DONE and some timing information should be available. In the
example, the backup took about seven minutes.
a ble
f e r
ans
n - t r
5. Restore the backup. a no
a. On the System Backup page, click Restore. h a s
m ) eฺ
o
a ilฺc Guid
g m ent
t i c a@ Stud
b. Select the Daily Backup source,
a h wait
screated. t h ifors the list of available backups to be loaded, and
select the backup you p just
f p r a use
a ( to
i c
ht cens e
p a s li
r a
mur P
Fla
c. Enter the Recovery Passphrase oracle_4U that was set in the post-installation
configuration. Depending on available time, you may choose to Cancel or to Restore.
If you click Restore, the Oracle Key Vault will locate the backup, restore it, and reboot.
This process can take 10 minutes in your environment. If you then log in as System
Administrator and return to the Restore page, you will see the Last Restore Details as
follows:
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ close
6. Log out of Oracle Key Vault management console and
t Gtheubrowser.
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
P ra
u r
m
Fla
Practice 12-4: Cleaning Up
Overview
In this practice, you remove the Oracle Key Vault and start the Oracle Enterprise Manager.
Assumptions
Tasks
1. Restore sqlnet.ora
a ble
[oracle@db1 ~]$ sqlplus / as syskm
f e r
a n s
n -t r
SQL*Plus: Release 12.1.0.2.0 Production on Wed Dec
o
21 09:54:43
n
2016
s a
a
) h reserved.
Copyright (c) 1982, 2014, Oracle. All rights
o m d e ฺ
c i
m ailฺ t Gu
@ g den
Connected to:
h t i ca s Stu
Oracle Database 12c s
p a Enterprise
e t hi Edition Release 12.1.0.2.0 -
pra to usOLAP, Advanced Analytics and Real

64bit Production
( f
t ica Testing
Application
h n se options
s e
rapa lic
ur P
m
Fla WRL_TYPE STATUS
-------------------- ------------------------------
FILE CLOSED
HSM OPEN
SQL> administer key management set keystore close identified by

"NULL";
keystore altered.
WRL_TYPE STATUS
-------------------- ------------------------------
FILE CLOSED
HSM CLOSED
SQL> exit

$ vi $ORACLE_HOME/network/admin/sqlnet.ora
(SOURCE =
(METHOD = FILE)
a ble
f e r
(METHOD_DATA =
ans
n - t r
a no
h a s
#ENCRYPTION_WALLET_LOCATION=
m ) eฺ
o
ilฺc Guid
# (SOURCE =
# (METHOD = HSM) a
m ent
g
# (METHOD_DATA =
t i c a@ Stud
#
h this
a s
ap use
#
f p r
( ~]$ sqlplus
i c a e to / as sysdba
ht cens
[oracle@db1
a s
rapSQL*Plus:li Release 12.1.0.2.0 Production on Wed Dec 21 10:06:45
ur P 2016
F lam
Connected to:
64bit Production
SQL> administer key management set keystore open identified by

"welcome1";
keystore altered.
SQL> wrl_type, status from v$encryption_wallet;
SP2-0734: unknown command beginning "wrl_type, ..." - rest of
line ignored.
WRL_TYPE STATUS
-------------------- ------------------------------
FILE OPEN
2. Remove the users.
SQL> drop user banking cascade;
User dropped.
a ble
f e r
SQL> drop user dba_debra cascade;
ans
n - t r
User dropped.
a no
3. Drop the encrypted tablespace. h a s
m ) eฺ
o
ilฺc Guid
Connected. a t
m encontents;
SQL> drop tablespace ENCTBS includingg
t i c a@ Stud
Tablespace dropped. a s h this
f p r ap use
(
SQL> dropatablespace to BANKINGCLEAR including contents;
i c
ht cens e
a s
pTablespaceli dropped.
r a
u rP
m
Fla SQL> drop tablespace BANKINGENC including contents;
Tablespace dropped.
SQL>
4. Stop Key Vault and Start EM13.
logout
[Host Desktop]$ sudo xm shutdown -w okv
Domain okv terminated
All domains terminated
[Host Desktop]$ sudo xm create em13
Using config file "/etc/xen/em13".
Started domain em13 (id=36)
Name ID Mem VCPUs
State Time(s)
Domain-0 0 1024 2
r----- 384296.5
db1 32 3072 1 -
b---- 13119.8
em13 36 9216 1 -
----- 5.2
[Host Desktop]$
5. Check the disk space on the host. Hosts with 500GB disks may experience problems with
the remaining practices due to low disk space. Remove the Oracle Key Vault virtual
machine directory if less than 20GB remains.
a ble
$ df -h
f e r
Filesystem Size Used Avail Use% Mounted on
ans
/dev/sda2 499G 484G 15G 97% / n - t r
/dev/sda1 190M
a no
28M 153M 16% /boot
tmpfs 464M
h a s
0 464M 0% /dev/shm
none 464M m ) eฺ
152K 463M 1% /var/lib/xenstored
o
$ ./clean_okv.sh
a ilฺc Guid
Root filesystem usage: g m ent
Filesystem Size
t i c ud Use% Mounted on
a@UsedStAvail
/dev/sda2 s
499G
a h th484G is 15G 97% /
f p r ap use
If you are (low on tspace,
o
i c a e
and have completed lesson 12,
a s ht remove
you may
c e nsthe /OVS/running_pol/okv directory.
rap li
ur P
Remove /OVS/running_pool/okv to restore space? (y/n) y
m
Fla
$
a ble
f e r
ans
n - t r
o
s an
) ha
c o m ideฺ
m ailฺ t Gu
@ g den
h t ica is Stu
p a s th
a
pr to us e
( f
h t ica nse
p a s lice
ra
mur P
Fla

D90836GC10 Ag1 PDF

Uploaded by

Copyright:

Available Formats

D90836GC10 Ag1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D90836GC10 Ag1 PDF

Uploaded by

Copyright:

Available Formats

What are the main topics covered in the document?

What are the main topics covered in the document?

What are the steps to create a security officer account?

What are the steps to create a security officer account?

Unauthorized reproduction or distribution prohibitedฺ Copyright© 2018, Oracle and/or its affiliatesฺ

Activity Guide – Volume I

Learn more from Oracle University at education.oracle.com

Hans Forbrich Disclaimer

This document contains proprietary information and is protected by copyright and

Course Practice Environment Security Credentials

Practices for Lesson 1: Overview............................................................................................................. 1-2

P ra 4-3: Granting SYSBACKUP Administrative Privilege ................................................................... 4-20

m Practice 4-4: Implementing a Secure Application Role.............................................................................. 4-25

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Oracle Database Security: Preventive Controls Table of Contents

Practice 9-1: Introduction......................................................................................................................... 9-3

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Oracle Database Security: Preventive Controls Table of Contents

Practice 18-4: Cleaning Up Redaction Policies ......................................................................................... 18-23

u P 23-1: Using Realms to Protect a Schema ................................................................................... 23-3

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Oracle Database Security: Preventive Controls Table of Contents

Practice 28-1: Familiarization with Dictionary Views ................................................................................. 28-3

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Oracle Database Security: Preventive Controls Table of Contents

For OS usernames and passwords, see the following:

producer for OS credential information.

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Course Practice Environment: Security Credentials

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Course Practice Environment: Security Credentials

Oracle Enterprise Manager

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Course Practice Environment: Security Credentials

Oracle Database Vault (dvcdb)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Course Practice Environment: Security Credentials

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Environment Familiarization

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Environment Familiarization

Practices for Lesson 1: Environment Familiarization

$ sudo xm create /OVS/running_pool/cl1/vm.cfg

The system is going down for power off NOW!

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Environment Familiarization

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Implementing Basic and Strong Authentication

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Implementing Basic and Strong Authentication

in the orcl database.

Practices for Lesson 2: Implementing Basic and Strong Authentication

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Practices for Lesson 2: Implementing Basic and Strong Authentication

a@ LabeltudSecurity, OLAP, Advanced

SQL> ALTER USER BI PASSWORD EXPIRE ACCOUNT LOCK;

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Implementing Basic and Strong Authentication

SQL> ALTER USER IX PASSWORD EXPIRE ACCOUNT LOCK;