8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Home » Articles » 18c » Here

Encrypt Sensitive Credential Data in the Data Dictionary in Oracle Database 18c

The data dictionary contains credentials for database links (SYS.LINK$) and the scheduler (SYS.SCHEDULER$_CREDENTIAL). These credentials are obfuscated, not encrypted. This article gives an overview of encrypting sensitive credential data in the data dictionary. This feature was introduced in Oracle database 18c.

Create a Key Management User

Login as a privileged user and create a new key management user, granting it the SYSKM administrative privilege.

conn sys/SysPassword1@//localhost:1521/cdb1 as sysdba

create user c##km_user identified by MyPassword1;
grant syskm to c##km_user container=all;

Wallet Setup

We create a location to hold our wallet.

mkdir -p /u01/wallets/cdb1

Edit the "sqlnet.ora" file, setting the correct location for the wallet.

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =(METHOD = FILE)(METHOD_DATA =
    (DIRECTORY = /u01/wallets/cdb1/)))

If you are using a read-only Oracle home, the "sqlnet.ora" file is stored outside the main Oracle home.

-- Normal Oracle home.
$ORACLE_HOME/network/admin/sqlnet.ora

-- Read-only Oracle home.
$(orabasehome)/network/admin/sqlnet.ora

We connect to the root container using the key management user and create a new wallet.

conn c##km_user/MyPassword1@//localhost:1521/cdb1 as syskm

administer key management create keystore '/u01/wallets/cdb1' identified by "WalletPassword1";
administer key management set keystore open identified by "WalletPassword1";
administer key management set encryption key identified by "WalletPassword1" with backup;

We can see the wallet listed in the V$ENCRYPTION_WALLET view.

column wrl_parameter format a20

select wallet_type, wrl_parameter, status
from   v$encryption_wallet;

WALLET_TYPE          WRL_PARAMETER        STATUS
-------------------- -------------------- ------------------------------
PASSWORD             /u01/wallets/cdb1/   OPEN

SQL>

Encrypt Credentials

We encrypt the credentials in the data dictionary and check the DICTIONARY_CREDENTIALS_ENCRYPT view.

alter database dictionary encrypt credentials;


select enforcement from dictionary_credentials_encrypt;

ENFORCEM
--------
ENABLED

SQL>

Rekey Credentials

We rekey the credentials in the data dictionary using the following command.

alter database dictionary rekey credentials;

Delete Credentials

We delete the encrypted credentials from the data dictionary using the following command. Any future credentials will be obfuscated, not encrypted.

alter database dictionary delete credentials key;


select enforcement from dictionary_credentials_encrypt;

ENFORCEM
--------
DISABLED

SQL>

We need to set the correct credentials for each database link using the following command.

alter database link {database_link_name} connect to {schema_name} identified by {password};

Views

The {CDB|DBA|ALL|USER}_DB_LINKS views list the database links. The VALID column indicates is the database link is valid.

The DICTIONARY_CREDENTIALS_ENCRYPT view indicates if dictionary credentials have been encrypted, as show above.

Application Containers

The examples above have all been performed in the root container. Similar actions are possible from an application root. In the case of the key management commands, they should be appended with the CONTAINER=ALL clause.

All PDBs below the application root container have to be synchronised using the following command after each key operation.

ALTER PLUGGABLE DATABASE APPLICATION APP$CDB$SYSTEM SYNC;

For more information see:

Hope this helps. Regards Tim...

Back to the Top.