Oracle 11.2.0.4.0 enterprise.
We are hosting multiple customers data in single schema, a new customer wants his data to be secure with his unique encryption key.
Using Transparent Data Encryption (TDE), can we somehow create multiple master encryption keys within single schema?
We can upgrade to Oracle 11.2 for that as well if any workaround available.
Lastly if no such thing possible as 'multiple master encryption keys within single schema' then what other approach suits best for us, should we create separate database in same instance or should we commission separate vm-machine for this new customer.
Wishes
Related
My requirement is to do column level encryption.
Tried below option
TDE - data is not encrypted to one who has access to database. Please correct me if I'm wrong.
DBMS_CRYPTO package, this works but client wants to store encryption key outside Oracle database.
I'm not able to find solution for storing key outside database.
Any help on this is highly appreciated.
Perhaps two different things here.
To do TDE at column level already uses an external key store, namely a wallet. The location is specified by ENCRYPTION_WALLET_LOCATION in your sqlnet.ora file, and you'd open the wallet when the database starts, eg
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "thePasswordIchose";
Conversely, if you are looking at doing some "home grown" encryption of data using DBMS_CRYPTO, then key management also becomes your own responsibility. You could store the key however/wherever you like, but its your job then to manage it and pass it securely into the DBMS_CRYPTO routines
We are a team of tens of data analysts. Our main data back-end is an Oracle database. We use personal schemas to do work where we don't need to collaborate with others and we would like to create schemas dedicated to projects where people need to collaborate.
The problem is that in Oracle, one schema is equivalent to one DB user. If we create a schema dedicated to a project, for the purpose of creating DB objects in the context of that project, there will be a single set of credentials (username + password) that needs to be shared by all team members. This has two inconveniences:
if people mistype the credentials, they can block the account for everyone;
it is no longer possible to monitor who did what for security/audit reasons, since everyone uses the same schema;
An alternative would be that only one person uses the Schema user to create objects and assigns privileges to other people in those objects, but that can become quickly cumbersome.
Another alternative is to interact with the DB through R or Python but that means the credentials will be stored in some text file, which is bad for security.
As we see it, the ideal situation is if multiple personal DB users can create objects in the same schema, and if those objects are automatically available for that set of DB users. Is this totally impossible in Oracle? Is this impossible in any major DB? Is this requirement somehow flawed and as such, there is a good reason for why it is not available?
We could compare this collaboration in a DB schema to what commonly happens with people collaborating in a folder, using R, Python or other programming language for data analytics.
Thank you for your advise!
Maybe I miss something but could you not just create a schema that will be used for all users and grant the required privileges to each individual user?
Each user authenticates with his local account and by default uses his local schema and to access the public one you just use the ALTER SESSION SET CURRENT_SCHEMA command.
The database I am using is Oracle 11g Express Edition release 2.
I created 2 schemas in the same instance xe. They all have the same tables names and sequences names and stored procedures and stored functions and views names. But the tables structures and views texts are different ( there is some modifications between them ).
The reason for the creation of these two schemas is because our project has two versions. So the first schema is used for the first version , and the second schema was created for the second version. The mechanism of our web application Spring project is that whenever a connection is made through the web application login page then a corresponding Oracle user is making a connection according to the login entered ; so there is no fixed credential connection , there are Oracle users corresponding to each web application login.
So in order for each user to work with each database objects then I created public synonyms for every objects , and granted permissions to them for each user. But the database objects are owned by the schema I mentioned at the beginning. Now my problem is this : our customer wants the two project versions to be run on a same instance ( same computer server ). So one of the project version cannot run because the public synonyms can only refer to a particular schema owner. So how to make the public synonyms work for each schema ?
In short, you can't. However, you can always use a distinct synonym name to identify the object.
Something similar to below:
create public synonym structures_v1 for schema1.structures;
create public synonym structures_v2 for schema2.structures;
Oracle provides 2 totally different technologies for this situation (which comes to my mind):
Editions (and Edition Based Redefinition)
PDBs
With Editions you can create the same Object once in each Edition - but there are limitations like tables are not editionable.
It's not a feature you just enable, you need to understand the concept and implement it properly.
PDBs enable consolidation of Databases with colliding namespace (such as your described synonyms) within the same CDB and therefore save SGA/memory. Basically they are totally separated - limited interference can be implemented when it's concept of object & data inheritance is understand.
What about creating a 3rd Schema and having Synonym and permission to query 1st and 2nd schema. Anyone tested this concept?
I have an ERP application running with Oracle forms and Oracle database. Now I am planning to migrate this application to a java based enterprise application. will it be a good idea to keep the existing oracle database as back end and developing a web application with certain level of changes/additions in the DB design.
There are two facts to know before answer your questions:
has your database schema some oracle forms special structures or is it in 3rd normal form and simply stores data using keys and enforced referential integrity?
How much stored code contains your database?
Ad 1. Oracle forms don't have specific schema reqiurements. They work best if your schema if based on 3rd normal form. If your schema is like this, use it for new Java application. We have both forms and Java EE applications on same database schemas and is works fine.
Advantage is, if you have keys (primary, unique, foreign) in your schema. Use them when generating Java app.
Probably you will have to add #Version columns for optimistic locking (see https://docs.oracle.com/javaee/6/api/javax/persistence/Version.html). But there is not reason to build new schema for it.
Ad 2. Your will have to overwrite bigger part of database stored code (triggers, procedures, functions) to Java. In most cases this does not have dramatic impact to schema structure, but deal with it.
So - if your database schema is not tailored to some UI client needs AND you want only use a new client, use your schema. If not, create a new one.
I have a WPF application with back-end as Oracle11gR2. We need to enable our application to work in both online and offline(disconnected) mode. We are using Oracle standard edition(with single instance) as client database. I am using Sequnece Numbers for Primary Key Columns. Is there anyway to sync my client and server database without any issues in Sequence number columns. Please note that we will restrict creation of basic(master) data to be created only in server.
There are a couple of approaches to take here.
1- Write the sync process to rebuild the server tables (on the client) each time with a SELECT INTO. Once complete, RENAME the current table to a "temp" table, and RENAME the newly created table with the proper name. The sync process should DROP the temp table as one of its first steps. Finally, recreate the indexes and you should be good-to-go.
2- Create a backup of the server-side database, write a shell script to copy it down and restore it on the client.
Each of these options will preserve your sequence numbers. Which one you choose really depends on your skills. If you're more of a developer, you can make #1 work. If you've got some Oracle DBA skills you should be able to make #2 work.
Since you're on 11g, there might be a cleaner way to do this using Data Pump.