Hands-On Lab: Setting Up Secure Multitenancy and Comprehensive Data Protection for Oracle Database 12c on Oracle Solaris 11

by Ramesh Nagappan, Yu Wang, Xiaosong Zhu, and Gang Wang

This article describes how to set up a secure multitenant Oracle Database 12c environment with secure isolation and comprehensive data protection from the ground up using Oracle Solaris 11 security capabilities. It also provides information about how the Transparent Data Encryption feature of Oracle Advanced Security can leverage the Oracle Solaris Cryptographic Framework to deliver high-performance security on Oracle SuperCluster engineered systems and on Oracle servers based on Oracle's SPARC T4 or SPARC T5 processors.


Published March 2014 (updated April 2015)


Want to comment on this article? Post the link on Facebook's OTN Garage page.  Have a similar article to share? Bring it up on Facebook or Twitter and let's discuss.
Table of Contents
Introduction
Prerequisites
Preparing the Environment
Notes for Users
Exercise 1: Using Oracle Solaris Zones to Set Up a Multitenant Database Environment (20 Minutes)
Exercise 2: Exploring an Oracle Database 12c Multitenant Architecture (20 Minutes)
Exercise 3: Using Transparent Data Encryption with the Oracle Solaris Cryptographic Framework (20 Minutes)
Conclusion
Appendix A
See Also
About the Authors

Introduction

This document describes the actions that were done during Oracle OpenWorld 2014 Hands-On Lab 9762.

Database multitenancy helps customers reduce IT costs by simplifying consolidation, provisioning, upgrades, and more. However, it brings concerns about data security, because the computing and storage resources are shared by different users.

In this lab, you will explore different isolation and encryption approaches for securing the multitenancy of Oracle Database on Oracle Solaris 11: Oracle Solaris Zones, Oracle Solaris ZFS encryption, Oracle Database 12c pluggable databases (PDBs), and the Transparent Data Encryption feature of Oracle Advanced Security. You will also learn how Transparent Data Encryption works with the Oracle Solaris Cryptographic Framework.

Prerequisites

This hands-on lab assumes you have some basic knowledge about the following technologies.

  • Administration of Oracle Solaris or a similar UNIX or Linux OS
  • Oracle Database administration
  • SQL programming

Preparing the Environment

  1. Download and install Oracle Solaris 11.2.

    - Oracle Solaris 11.2 images are available at http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html.

    - You can find the installation documents at http://www.oracle.com/technetwork/server-storage/solaris11/documentation/index.html.

  2. Configure the environment as follows:

    Parameter Value Notes
    Host name hol9762  
    IP address 192.168.56.200/24  
    Username/password root: solaris11
    labuser:solaris11

    oracle: solaris11
     
    publisher   Should be accessible.
    Disks and their sizes c1d0, 35 G for system usage
    c2t0d0, 16 G for database zone
    c2t1d0, 16 G for database zone
    c2t2d0, 2 G
    c2t3d0, 2 G
    Please map your own disk volume names to the ones used in this document.
  3. Create two local zones in Oracle Solaris 11, one for installing Oracle Database 12c and another for installing Oracle Database 11g Release 2.

    - For information on how to configure and install local zones, see the following documents:

    - Make sure the two zones are set up with following configuration:

    Note: Two configuration files are available in Appendix A (dbzone1.config and dbzone2.config). You can use the files to perform the configuration quickly.

    Parameter Zone for Oracle Database 12c Zone for Oracle Database 11g Release 2 Notes
    Zone name dbzone1 dbzone2  
    zonepath /zones/dbzone1 /zones/dbzone2  
    rootzpool dev:/dev/dsk/c2t0d0 dev:/dev/dsk/c2t1d0  
    zpool Name = dbpool1
    Storage =
    dev:/dev/dsk/c2t2d0

    Name = dbpool2
    Storage = dev:/dev/dsk/c2t3d0
    NULL  
    net physical=vnic1 physical=vnic2 Both physical NICs and VNICs can be used here.
    capped-memory 2 G (at least) NULL  
  4. Install the database software:

    - You can download Oracle Database 12c and Oracle Database 11g Release 2 at http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html.

    - You can find the Oracle Database 12c installation documents at https://docs.oracle.com/database/121/SXDQI/toc.htm#CEGIECIB.

    - You can find the Oracle Database 11g Release 2 installation documents at http://docs.oracle.com/cd/E11882_01/install.112/e24351/toc.htm#i1010738.

    - As user oracle, use the following configuration table to install Oracle Database 12c in dbzone1 and to install Oracle Database 11g Release 2 in dbzone2.

    Parameter Value for Oracle Database 12c Value for Oracle Database 11g Release 2
    Oracle base /u01/app/oracle /u01/app/oracle
    Home location /u01/app/oracle/12.1.0/dbhome_1 /u01/app/oracle/11.2/dbhome_1
    Storage type filesystem filesystem
    File location /u01/app/oracle/oradata /u01/app/oracle/oradata
    Database edition enterprise edition enterprise edition
    OSDBA group dba dba
    Global database name cdb1 db11g
    Password solaris11 solaris11
    Container database yes
    Pluggable database name pdb11
    Zone environment ORACLE_SID=cdb1
    ORACLE_BASE=/u01/app/oracle
    ORACLE_HOME=/u01/app/oracle/12.1.0/dbhome_1
    ORACLE_SID=db11g
    ORACLE_BASE=/u01/app/oracle
    ORACLE_HOME=/u01/app/oracle/11.2/dbhome_1
  5. Finally make sure the following are configured in the system:

    1. Ensure that Oracle Solaris 11.2 is installed on the system.
    2. Ensure the following non-global zones are created and configured:

      • dbzone1 with Oracle Database 12c Enterprise Edition installed
      • dbzone2 with Oracle Database 11g Release 2 Enterprise Edition installed
    3. Ensure the following OS usernames/passwords are configured:

      • labuser/solaris11
      • root/solaris11
      • oracle/solaris11
    4. Ensure the following username/password is configured for Oracle Database: SYS/solaris11.

Notes for Users

Be aware of the following:

  • The GNOME desktop environment is preferred over Oracle Solaris 11 (with desktop packages installed) for this lab.
  • In order to open a terminal window in GNOME, right-click any point on the background of the desktop, and select Open Terminal from the menu (as shown in Figure 1).

    Figure 1. Opening a terminal window in GNOME

    Figure 1. Opening a terminal window in GNOME

Exercise 1: Using Oracle Solaris Zones to Set Up a Multitenant Database Environment (20 Minutes)

In this exercise, you will use Oracle Solaris Zones to set up a multitenant environment for different versions of Oracle Database.

What Is Multitenancy?

As one of essential characteristics of cloud computing, multitenancy is an architectural and operational approach that enables IT providers to share infrastructure resources to deliver database or software functionality as a service to one or more consumers (tenants). Resource control and data isolation are critical for a multitenant architecture, which can be implemented differently for different service models, such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

Nowadays, many providers are using KVM, Xen, or other hypervisor-based virtualization technologies to deploy databases for multitenant usage. However, hypervisor-based virtualization usually has high overhead, which can limit the number of virtual machines (VMs) that a physical machine can create. Therefore, it is recommended that you use an Oracle Solaris Zone, which is an OS-based light container that has a very small footprint. A zone can be used to not only deploy multiple high-performance database services, but also to isolate data effectively.

What Is an Oracle Solaris Zone?

An Oracle Solaris Zone is an implementation of operating system–level virtualization technology for x86 and SPARC systems. A zone is the combination of system resource controls and boundary separation. Zones act as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets of application services onto one system and by placing each into isolated virtual server containers, system administrators can reduce cost and provide on a single machine most of the protections provided by separate machines.

Step 1: Start the Preinstalled Non-Global Zones

  1. After logging in to Oracle Solaris 11 by using the username labuser and the password solaris11, right-click the desktop and choose Open Terminal to bring up a terminal window (as shown in Figure 1).
  2. In the terminal window, switch to username root with password solaris11 in order to do zone administration.

    labuser@hol9762:~$ su -
    Password: 
    Oracle Corporation      SunOS 5.11      11.2    June 2014
    You have new mail.
    root@hol9762:~#
    
  3. Check the preinstalled zones on the system.

    root@hol9762:~# zoneadm list -cv
      ID NAME             STATUS      PATH                         BRAND      IP    
       0 global           running     /                            solaris    shared
       - dbzone1          installed   /dbzone1                     solaris    excl  
       - dbzone2          installed   /dbzone2                     solaris    excl 
    

    From the output, you can see that there are two non-global zones, dbzone1 and dbzone2, preinstalled in Oracle Solaris.

    Oracle Database 12c and Oracle Database 11g Release 2 have been separately installed in these two zones. The detailed configuration of two non-global zones is shown in Figure 2.

    Figure 2. Multitenant database environment based on Oracle Solaris Zones

    Figure 2. Multitenant database environment based on Oracle Solaris Zones

  4. Start the non-global zones: dbzone1 and dbzone2.

    root@hol9762:~# zoneadm -z dbzone1 boot
    root@hol9762:~# zoneadm -z dbzone2 boot
    
  5. Check to make sure that both of the zones are running now.

    root@hol9762:~# zoneadm list -cv
    ID NAME             STATUS      PATH                         BRAND      IP    
    0 global           running     /                            solaris    shared
    1 dbzone1          running     /dbzone1                     solaris    excl  
    2 dbzone2          running     /dbzone2                     solaris    excl  
    

Step 2: Check the Disk Isolation

  1. Find the disks available in the system by using the format command. Please note that the first disk, c1d0, is working as the root ZFS pool of the global zone.

    root@hol9762:~# format < /dev/null
    Searching for disks...done
    
    AVAILABLE DISK SELECTIONS:
           0. c1d0 <VBOX HAR-59bffd1e-fb51c8a-0001-31.25GB>
              /pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0
           1. c2t0d0 <VBOX-HARDDISK-1.0-16.00GB>
              /pci@0,0/pci1000,8000@16/sd@0,0
           2. c2t1d0 <VBOX-HARDDISK-1.0-16.00GB>
              /pci@0,0/pci1000,8000@16/sd@1,0
           3. c2t2d0 <VBOX-HARDDISK-1.0-2.00GB>
              /pci@0,0/pci1000,8000@16/sd@2,0
           4. c2t3d0 <VBOX-HARDDISK-1.0-2.00GB>
              /pci@0,0/pci1000,8000@16/sd@3,0
    Specify disk (enter its number):
    
  2. Use the zonecfg command to show the configuration of dbzone1, and pay attention to the disks assigned to dbzone1:

    root@hol9762:~# zonecfg -z dbzone1 info
    zonename: dbzone1
    ...
    rootzpool:
            storage: dev:/dev/dsk/c2t0d0
    zpool:
            name: dbpool1
            storage: dev:/dev/dsk/c2t2d0
    zpool:
            name: dbpool2
            storage: dev:/dev/dsk/c2t3d0
    

    There are three disks dedicated to dbzone1: c2t0d0 is used as the root ZFS pool, while c2t2d0 and c2t3d0 will be used to store database data for this lab.

  3. Use the zonecfg command to show the configuration of dbzone2, and pay attention to the disks assigned to dbzone2:

    root@hol9762:~# zonecfg -z dbzone2 info
    zonename: dbzone2
    ...
    rootzpool:
            storage: dev:/dev/dsk/c2t1d0
    

    For dbzone2, there's only one disk, c2t1d0, which is dedicated to the zone as the root ZFS pool.

    Note: While configuring Oracle Solaris Zones, you can decide whether or not use isolated storage according to the data security requirements.

Step 3: Check the Network Isolation

  1. Check the network presetup in the global zone by typing the following commands.

    You will find that there's only one physical link available in the system. The static IP address of the global zone is 192.168.56.200.

    root@hol9762:~# dladm show-phys
    LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
    net0              Ethernet             up         1000   full      e1000g0
    
    root@hol9762:~# ipadm show-addr
    ADDROBJ           TYPE     STATE        ADDR
    lo0/v4            static   ok           127.0.0.1/8
    net0/v4           static   ok           192.168.56.200/24
    

    Oracle Solaris 11 network virtualization features can be applied to a zone by creating a virtual NIC (VNIC) for the zone and applying bandwidth limits to the zone's assigned VNIC.

    VNICs vnic1 and vnic2 are precreated in the global zones and assigned to different zones, while dbzone1/vnic1 and dbzone2/vnic2 are created when the zones boot and will be deleted when the zones are halted.

    root@hol9762:~# dladm show-vnic
    LINK                OVER              SPEED  MACADDRESS        MACADDRTYPE VIDS
    vnic1               net0              100    2:8:20:61:8c:fc   random      0
    dbzone1/vnic1       net0              100    2:8:20:61:8c:fc   random      0
    vnic2               net0              100    2:8:20:cf:2:1b    random      0
    dbzone2/vnic2       net0              100    2:8:20:cf:2:1b    random      0
    

    Oracle Solaris–integrated quality of service (QoS) enables bandwidth control on data links to enable the sharing of network bandwidth among your applications while preventing misbehaving applications from taking all the network bandwidth. In the SPEED column, you can see that the maximum bandwidth of vnic1 and vnic2 is limited to 100M, but 1000M is the maximum bandwidth for the physical link, net0.

    You need to assign more bandwidth for dbzone1 because dbzone1 may have more network traffic. Use the following command to increase the maximum bandwidth of vnic1 from 100M to 500M.

    root@hol9762:~# dladm set-linkprop -p maxbw=500m vnic1
    

    Check the changed bandwidth.

    root@hol9762:~# dladm show-vnic
    LINK                OVER              SPEED  MACADDRESS        MACADDRTYPE VIDS
    vnic1               net0              500    2:8:20:61:8c:fc   random      0
    dbzone1/vnic1       net0              500    2:8:20:61:8c:fc   random      0
    vnic2               net0              100    2:8:20:cf:2:1b    random      0
    dbzone2/vnic2       net0              100    2:8:20:cf:2:1b    random      0
    
  2. Check the network configuration of the zones.

    Exclusive-IP zones enable you to assign a separate IP stack per zone. Each zone has the flexibility to configure IP within that stack completely separate to other zones. Type the following command to show the network configuration of dbzone1.

    root@hol9762:~# zonecfg -z dbzone1 info 
    zonename: dbzone1
    ...
    ip-type: exclusive
    ...
    net:
            address not specified
            allowed-address not specified
            configure-allowed-address: true
            physical: vnic1
            defrouter not specified
    

    Type the following command to check the network configuration of dbzone2.

    root@hol9762:~# zonecfg -z dbzone2 info 
    zonename: dbzone2
    ...
    ip-type: exclusive
    ...
    net:
            address not specified
            allowed-address not specified
            configure-allowed-address: true
            physical: vnic2
            defrouter not specified
    
  3. Monitor the network utilization.

    Type zonestat in the global zone to monitor the network utilization of the currently running zones.

    root@hol9762:~# zonestat -r network 2
    Collecting data for first interval...
    Interval: 1, Duration: 0:00:02
    NETWORK-DEVICE                  SPEED        STATE        TYPE
    net0                         1000mbps           up        phys
                        ZONE TOBYTE  MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE
                     [total]    336      -      -    120   0.00%    132   0.00%
                      global    252      -      -    120   0.00%    132   0.00%
                     dbzone1     42   500M  0.00%      0   0.00%      0   0.00%
                     dbzone2     42   100M  0.00%      0   0.00%      0   0.00%
    
    Interval: 2, Duration: 0:00:04
    NETWORK-DEVICE                  SPEED        STATE        TYPE
    net0                         1000mbps           up        phys
                        ZONE TOBYTE  MAXBW %MAXBW PRBYTE %PRBYTE POBYTE %POBYTE
                     [total]    550      -      -    120   0.00%    430   0.00%
                      global    550      -      -    120   0.00%    430   0.00%
                     dbzone1      0   500M  0.00%      0   0.00%      0   0.00%
                     dbzone2      0   100M  0.00%      0   0.00%      0   0.00%
    

    Type Ctrl+c to stop.

    Note: zonestat can also be used in non-global zones to monitor the resource utilization of the zones.

Step 4: Assign CPUs to Non-Global Zones

Zones induce a very low overhead on CPU resources and memory. Most types of zones share the global zone's virtual address space. A zone can be assigned with a resource pool (processor set plus scheduling class) to guarantee certain usage, or it can be capped at a fixed compute capacity ("dedicated CPU" or "capped CPU") or given shares via fair-share scheduling.

In this lab, a resource pool has been assigned to the zone dbzone1. Thus, you can dynamically configure CPU resources to the zone without rebooting it.

  1. List the resource pool assigned to the zones.

    root@hol9762:~# zonecfg -z dbzone1 info
    zonename: dbzone1
    ...
    pool: zonepool1
    

    The output shows that zonepool1 is bound with dbzone1.

  2. Use pooladm to print the currently running pool configuration.

    root@hol9762:~# pooladm
    system default
            string  system.comment 
            int     system.version 1
            boolean system.bind-default true
            string  system.poold.objectives wt-load
    
            pool zonepool1
                    int     pool.sys_id 1
                    boolean pool.active true
                    boolean pool.default false
                    int     pool.importance 1
                    string  pool.comment 
                    pset    zonepool1-pset
    
            pool pool_default
                    int     pool.sys_id 0
                    boolean pool.active true
                    boolean pool.default true
                    int     pool.importance 1
                    string  pool.comment 
                    pset    pset_default
    
            pset zonepool1-pset
                    int     pset.sys_id 1
                    boolean pset.default false
                    uint    pset.min 1
                    uint    pset.max 1
                    string  pset.policy minmax
                    string  pset.restype cpu
                    string  pset.reslist 
                    string  pset.units population
                    uint    pset.load 0
                    uint    pset.size 1
                    string  pset.comment 
    
                    cpu
                            int     cpu.sys_id 0
                            string  cpu.comment 
                            string  cpu.status on-line
    
            pset pset_default
                    int     pset.sys_id -1
                    boolean pset.default true
                    uint    pset.min 1
                    uint    pset.max 65536
                    string  pset.policy minmax
                    string  pset.restype cpu
                    string  pset.reslist 
                    string  pset.units population
                    uint    pset.load 30
                    uint    pset.size 3
                    string  pset.comment 
    
                    cpu
                            int     cpu.sys_id 1
                            string  cpu.comment 
                            string  cpu.status on-line
    
                    cpu
                            int     cpu.sys_id 3
                            string  cpu.comment 
                            string  cpu.status on-line
    
                    cpu
                            int     cpu.sys_id 2
                            string  cpu.comment 
                            string  cpu.status on-line
    

    As you can see, the processor set, zonepool1-pset, was created with one processor, which is associated with the pool zonepool1. And zonepool1 is bound with dbzone1.

  3. Check the processors available in non-global zones.

    First, open a new terminal, and switch to root before trying to log in to dbzone1.

    labuser@hol9762:~$ su -
    Password: 
    Oracle Corporation      SunOS 5.11      11.2    June 2014
    You have new mail.
    root@hol9762:~#
    

    Then log in to the dbzone1.
    root@hol9762:~# zlogin dbzone1
    

    In the terminal window for dbzone1, check the CPUs assigned to dbzone1.

    root@dbzone1:~# psrinfo 
    0       on-line   since 08/25/2014 04:30:44
    

    As you can see, there's one processor dedicated to dbzone1.

    Open a new terminal window, and switch to root before trying to log in to dbzone2.

    labuser@hol9762:~$ su -
    Password: 
    Oracle Corporation      SunOS 5.11      11.2    June 2014
    You have new mail.
    root@hol9762:~#
    

    Log in to dbzone2.

    root@hol9762:~# zlogin dbzone2
    

    Check the CPUs assigned to dbzone2 by typing the command below.

    root@dbzone2:~# psrinfo
    1       on-line   since 08/25/2014 04:30:46
    2       on-line   since 08/25/2014 04:30:46
    3       on-line   since 08/25/2014 04:30:46
    

    As you can see, three processors are working for dbzone2 now.

  4. Since we will use dbzone1 to run Oracle Database12c in Exercise 2, let's assign more processors to dbzone1.

    In the terminal window for the global zone, change the pool configuration by assigning three processors to zonepool1.

    root@hol9762:~# poolcfg -c 'modify pset zonepool1-pset (uint pset.min=3; uint pset.max=3)' 
    

    Instantiate the configuration.

    root@hol9762:~# pooladm -c
    

    Print the currently running pool configuration again.

    root@hol9762:~# pooladm
    
    system default
            string  system.comment 
            int     system.version 1
            boolean system.bind-default true
            string  system.poold.objectives wt-load
    
            pool zonepool1
                    int     pool.sys_id 1
                    boolean pool.active true
                    boolean pool.default false
                    int     pool.importance 1
                    string  pool.comment 
                    pset    zonepool1-pset
    
            pool pool_default
                    int     pool.sys_id 0
                    boolean pool.active true
                    boolean pool.default true
                    int     pool.importance 1
                    string  pool.comment 
                    pset    pset_default
    
            pset zonepool1-pset
                    int     pset.sys_id 1
                    boolean pset.default false
                    uint    pset.min 3
                    uint    pset.max 3
                    string  pset.policy minmax
                    string  pset.restype cpu
                    string  pset.reslist 
                    string  pset.units population
                    uint    pset.load 3
                    uint    pset.size 3
                    string  pset.comment 
    
                    cpu
                            int     cpu.sys_id 1
                            string  cpu.comment 
                            string  cpu.status on-line
    
                    cpu
                            int     cpu.sys_id 0
                            string  cpu.comment 
                            string  cpu.status on-line
    
                    cpu
                            int     cpu.sys_id 2
                            string  cpu.comment 
                            string  cpu.status on-line
    
            pset pset_default
                    int     pset.sys_id -1
                    boolean pset.default true
                    uint    pset.min 1
                    uint    pset.max 65536
                    string  pset.policy minmax
                    string  pset.restype cpu
                    string  pset.reslist 
                    string  pset.units population
                    uint    pset.load 64
                    uint    pset.size 1
                    string  pset.comment 
    
                    cpu
                            int     cpu.sys_id 3
                            string  cpu.comment 
                            string  cpu.status on-line
    

    Two processors have been added to dbzone1. We can also check the CPU information in the non-global zones.

    In the terminal window for dbzone1, verify that three processors are available.

    root@dbzone1:~# psrinfo
    0       on-line   since 08/25/2014 04:30:44
    1       on-line   since 08/25/2014 04:30:46
    2       on-line   since 08/25/2014 04:30:46
    

    In the terminal window for dbzone2, check the CPU information.

    root@dbzone2:~# psrinfo
    3       on-line   since 08/25/2014 04:30:46
    

    You can see that only one processor is left.

Step 5: Assign Memory to Non-Global Zones

In Oracle Solaris 11.2, the rcapd daemon is used to add and administer memory caps. You can control the resident set size (RSS) usage of a zone by setting the capped-memory resource when you configure the zone.

  1. In the terminal window for the global zone, type the command below to show the zone configuration of dbzone1 for memory caps.

    root@hol9762:~# zonecfg -z dbzone1 info
    ...
    capped-memory:
            physical: 2G
    
  2. In the terminal window for dbzone1, check the physical memory assigned to the zone:

    root@dbzone1:~# prtconf |grep Memory
    prtconf: devinfo facility not available
    Memory size: 2048 Megabytes
    
  3. Using zonecfg to change the zone configuration requires a reboot of the zone. However, we can use another command to change the memory cap dynamically without rebooting the zone.

    In the terminal window for the global zone, type the following command.

    root@hol9762:~# rcapadm -z dbzone1 -m 4G
    

    In the terminal window for dbzone1, again check the physical memory assigned to dbzone1.

    root@dbzone1:~# prtconf |grep Mem
    prtconf: devinfo facility not available
    Memory size: 4096 Megabytes
    

Step 6: Start the Preinstalled Databases and Check the Process Isolation

  1. In the terminal window for dbzone1, start the instance of Oracle Database 12c installed in dbzone1:

    First, before starting the database, switch to the oracle user.

    root@dbzone1:~# su - oracle
    Password:
    Oracle Corporation      SunOS 5.11      11.2    April 2014
    oracle@dbzone1:~$
    

    Check the environment setting for the database.

    oracle@dbzone1:~$ env |grep ORACLE
    ORACLE_SID=cdb1
    ORACLE_BASE=/u01/app/oracle
    ORACLE_HOME=/u01/app/oracle/12.1.0/dbhome_1
    

    Start the listener.

    oracle@dbzone1:~$ lsnrctl start
    
    LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 25-AUG-2014 15:17:32
    
    Copyright (c) 1991, 2014, Oracle.  All rights reserved.
    
    Starting /u01/app/oracle/12.1.0/dbhome_1/bin/tnslsnr: please wait...
    
    TNSLSNR for Solaris: Version 12.1.0.2.0 - Production
    System parameter file is /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora
    Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))
    
    Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Solaris: Version 12.1.0.2.0 - Production
    Start Date                25-AUG-2014 15:17:33
    Uptime                    0 days 0 hr. 0 min. 1 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /u01/app/oracle/12.1.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /u01/app/oracle/diag/tnslsnr/dbzone1/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone1)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    

    Start up Oracle Database 12c.

    oracle@dbzone1:~$ sqlplus / as sysdba
    
    SQL*Plus: Release 12.1.0.2.0 Production on Mon Aug 25 14:55:47 2014
    
    Copyright (c) 1982, 2014, Oracle.  All rights reserved.
    
    Connected to an idle instance.
    
    SQL> startup
    ORACLE instance started.
    
    Total System Global Area  536870912 bytes
    Fixed Size                  3005728 bytes
    Variable Size             402653920 bytes
    Database Buffers          125829120 bytes
    Redo Buffers                5382144 bytes
    Database mounted.
    Database opened.
    
  2. In the terminal window for dbzone2, start the instance of Oracle Database 11g Release 2 installed in dbzone2.

    First, before starting the database, switch to the oracle user.

    root@dbzone2:~# su - oracle
    Oracle Corporation      SunOS 5.11      11.2    June 2014
    oracle@dbzone2:~$
    

    Check the environment setting for the database.

    oracle@dbzone2:~$ env |grep ORACLE
    ORACLE_SID=db11g
    ORACLE_BASE=/u01/app/oracle
    ORACLE_HOME=/u01/app/oracle/11.2/dbhome_1
    

    Start the listener.

    oracle@dbzone2:~$ lsnrctl start
    
    LSNRCTL for Solaris: Version 11.2.0.1.0 - Production on 25-AUG-2014 15:18:58
    
    Copyright (c) 1991, 2009, Oracle.  All rights reserved.
    
    Starting /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr: please wait...
    
    TNSLSNR for Solaris: Version 11.2.0.1.0 - Production
    System parameter file is /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora
    Log messages written to /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))
    
    Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Solaris: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2014 15:19:00
    Uptime                    0 days 0 hr. 0 min. 1 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /u01/app/oracle/11.2/dbhome_1/network/admin/listener.ora
    Listener Log File         /u01/app/oracle/diag/tnslsnr/dbzone2/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbzone2)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    

    Start up Oracle Database 11g Release 2.

    oracle@dbzone2:~$ sqlplus / as sysdba
    
    SQL*Plus: Release 11.2.0.1.0 Production on Mon Aug 25 14:56:09 2014
    
    Copyright (c) 1982, 2009, Oracle.  All rights reserved.
    
    Connected to an idle instance.
    
    SQL> startup
    ORACLE instance started.
    
    Total System Global Area  534462464 bytes
    Fixed Size                  2212736 bytes
    Variable Size             343936128 bytes
    Database Buffers          184549376 bytes
    Redo Buffers                3764224 bytes
    Database mounted.
    Database opened.
    
  3. Check the database isolation:

    Oracle Solaris Zones virtualization prevents processes that are running in one zone from monitoring or affecting processes running in other zones.

    First, in the terminal window for dbzone1, exit SQL*Plus.

    SQL> EXIT
    

    In the terminal window for dbzone1, check the running processes of Oracle Database 12c in dbzone1.

    oracle@dbzone1:~$ ps -ef |grep ora
      oracle  5599  5598   0 14:55:33 pts/10      0:00 -bash
      oracle  5650  1900   0 14:57:46 ?           0:01 ora_lg00_cdb1
      oracle  5648  1900   0 14:57:46 ?           0:03 ora_ckpt_cdb1
      oracle  6031  1900   0 15:13:49 ?           0:00 ora_w002_cdb1
      oracle  5654  1900   0 14:57:47 ?           0:01 ora_smon_cdb1
      oracle  5636  1900   0 14:57:44 ?           0:06 ora_dbrm_cdb1
      oracle  5634  1900   0 14:57:44 ?           0:01 ora_diag_cdb1
      oracle  5640  1900   0 14:57:45 ?           0:03 ora_dia0_cdb1
      oracle  5642  1900   0 14:57:45 ?           0:02 ora_dbw0_cdb1
      oracle  5644  1900   0 14:57:46 ?           0:01 ora_lgwr_cdb1
      oracle  6070  1900   6 15:20:02 ?           0:07 ora_j000_cdb1
      oracle  6073  5599   0 15:20:19 pts/10      0:00 ps -ef
      oracle  5628  1900   0 14:57:43 ?           0:01 ora_gen0_cdb1
      oracle  5624  1900   0 14:57:42 ?           0:03 ora_vktm_cdb1
      oracle  5638  1900   0 14:57:45 ?           0:00 ora_vkrm_cdb1
      oracle  5630  1900   0 14:57:43 ?           0:01 ora_mman_cdb1
      oracle  5622  1900   0 14:57:41 ?           0:03 ora_psp0_cdb1
      oracle  5620  1900   0 14:57:41 ?           0:01 ora_pmon_cdb1
      oracle  5730  1900   0 14:58:33 ?           0:08 ora_cjq0_cdb1
      oracle  5662  1900   0 14:57:48 ?           0:01 ora_lreg_cdb1
      oracle  5656  1900   0 14:57:47 ?           0:01 ora_lg01_cdb1
      oracle  5668  1900   0 14:57:48 ?           0:04 ora_mmnl_cdb1
      oracle  5666  1900   0 14:57:48 ?           0:15 ora_mmon_cdb1
      oracle  5664  1900   0 14:57:48 ?           0:01 ora_pxmn_cdb1
      oracle  5660  1900   0 14:57:47 ?           0:01 ora_reco_cdb1
      oracle  5670  1900   0 14:57:49 ?           0:00 ora_d000_cdb1
      oracle  5672  1900   0 14:57:49 ?           0:00 ora_s000_cdb1
      oracle  5684  1900   0 14:57:57 ?           0:00 ora_tmon_cdb1
      oracle  5686  1900   0 14:57:58 ?           0:01 ora_tt00_cdb1
      oracle  5688  1900   0 14:58:06 ?           0:01 ora_smco_cdb1
      oracle  5690  1900   0 14:58:06 ?           0:01 ora_w000_cdb1
      oracle  5692  1900   0 14:58:06 ?           0:01 ora_w001_cdb1
      oracle  5694  1900   0 14:58:13 ?           0:00 ora_aqpc_cdb1
      oracle  5698  1900   0 14:58:24 ?           0:00 ora_qm02_cdb1
      ...
    

    In the terminal window for dbzone2, exit SQL*Plus.

    SQL> EXIT
    

    In the terminal window for dbzone2, check the running processes of Oracle Database 11g Release 2 for dbzone2.

    oracle@dbzone2:~$ ps -ef |grep ora
      oracle  6045  3696   0 15:16:15 ?           0:00 ora_w000_db11g
      oracle  5987  5986   0 15:08:22 pts/11      0:00 -bash
      oracle  6078  3696   4 15:21:40 ?           0:01 ora_j000_db11g
      oracle  6080  3696   1 15:21:41 ?           0:00 ora_j001_db11g
      oracle  6084  5987   0 15:21:45 pts/11      0:00 grep ora
      oracle  5916  3696   0 15:01:10 ?           0:00 ora_qmnc_db11g
      oracle  5808  3696   0 14:59:07 ?           0:01 ora_gen0_db11g
      oracle  5790  3696   0 14:58:56 ?           0:02 ora_pmon_db11g
      oracle  5859  3696   0 14:59:57 ?           0:00 ora_s000_db11g
      oracle  6066  3696   0 15:18:59 ?           0:01 /u01/app/oracle/11.2/dbhome_1/bin/tnslsnr LISTENER -inherit
      oracle  5800  3696   0 14:59:03 ?           0:02 ora_vktm_db11g
      oracle  6083  5987   1 15:21:45 pts/11      0:00 ps -ef
      oracle  5827  3696   0 14:59:21 ?           0:01 ora_mman_db11g
      oracle  5812  3696   0 14:59:08 ?           0:01 ora_diag_db11g
      oracle  5816  3696   0 14:59:10 ?           0:01 ora_dbrm_db11g
      oracle  5820  3696   0 14:59:14 ?           0:01 ora_psp0_db11g
      oracle  5822  3696   0 14:59:19 ?           0:02 ora_dia0_db11g
      oracle  5831  3696   0 14:59:25 ?           0:02 ora_dbw0_db11g
      oracle  5936  3696   0 15:01:26 ?           0:02 ora_cjq0_db11g
      oracle  5928  3696   0 15:01:20 ?           0:00 ora_q000_db11g
      oracle  5932  3696   0 15:01:24 ?           0:00 ora_q001_db11g
      oracle  5839  3696   0 14:59:33 ?           0:01 ora_lgwr_db11g
      oracle  5843  3696   0 14:59:35 ?           0:02 ora_ckpt_db11g
      oracle  5847  3696   0 14:59:44 ?           0:03 ora_smon_db11g
      oracle  5849  3696   0 14:59:46 ?           0:00 ora_reco_db11g
      oracle  5851  3696   0 14:59:46 ?           0:04 ora_mmon_db11g
      oracle  5853  3696   0 14:59:46 ?           0:02 ora_mmnl_db11g
      oracle  5855  3696   0 14:59:54 ?           0:00 ora_d000_db11g
        root  5862  3696   0 14:59:57 ?           0:04 ora_dism_db11g
      oracle  5971  3696   0 15:06:11 ?           0:00 ora_smco_db11g
    

    Based on the output for dbzone1 and dbzone2, you can see that two different versions of Oracle Database are separately running in different zones on the same machine.

Summary

In this exercise, you have leveraged the power of Oracle Solaris Zones to set up secure isolation environments for running Oracle Database 11g Release 2 and Oracle Database 12c multitenant environments. By design, Oracle Solaris Zones offer unique secure isolation capabilities by providing their own resource, namespace, and process isolation, which effectively and efficiently isolates different applications running on the same operating system and protects them from unintentional or malicious activities. By using Oracle Solaris Zones, you can easily deploy multiple database instances for tenants with negligible overhead, and you can easily isolate disk files, manage CPU resources, manage network bandwidth, and allocate memory for different users of the database servers.

Exercise 2: Exploring an Oracle Database 12c Multitenant Architecture (20 Minutes)

In this exercise, you will explore an Oracle Database 12c multitenant architecture. Several pluggable databases (PDBs) will be deployed in ZFS on isolated disks. Since data-file isolation is an important feature for a multitenant database, you will also learn how to use ZFS encryption to encrypt a data file, in order to prevent attacks that attempt to read sensitive information from storage without authentication

What Is the Oracle Database 12c Multitenant Architecture?

Designed for the cloud, Oracle Database 12c delivers a multitenant architecture that simplifies consolidation and delivers the high density of schema-based consolidation, without requiring changes to existing applications. The multitenant architecture provided by Oracle Database 12c offers all the benefits of managing many databases as one, yet retains the isolation and resource control of separate databases.

In this new architecture, a single multitenant container database (CDB) can host many "pluggable" databases (PDBs). Each database that is consolidated or "plugged in" to a multitenant container looks and feels to applications the same as existing Oracle databases look and feel. Accessing pluggable databases is the same as accessing existing Oracle databases, and administrators can control the prioritization of available resources among consolidated databases.

In this exercise, three pluggable databases (pdb11, pdb12, and pdb13) will be plugged in to a multitenant container database, cdb1, shown as Figure 3.

Figure 3. PDBs in a multitenant container called cdb1

Figure 3. PDBs in a multitenant container called cdb1

What Is Oracle Solaris ZFS?

Oracle Solaris ZFS is a revolutionary file system that changes the way file systems are administered, with features and benefits not found in any other file system available today. ZFS uses the concept of storage pools to manage physical storage, and it eliminates the concept of volumes and the associated problems of partitions, provisioning, and stranded storage by enabling thousands of file systems to draw from a common storage pool, using only as much space as actually needed.

ZFS is a combined file system and logical volume manager. The features of ZFS include protection against data corruption; support for high storage capacities; efficient data compression; integration of the concepts of file system and volume management; snapshots and copy-on-write clones; continuous integrity checking and automatic repair; and RAID-Z support.

Step 1: Start Up Oracle Database 12c in dbzone1

Note: If Oracle Database 12c was started in Exercise 1, please skip to "Step 2: Explore the CDB and the PDBs."

  1. Right-click the desktop and choose Open Terminal to bring up a terminal window.
  2. Type the following commands in the terminal window for dbzone1.

    labuser@hol9762:~$ su -
    Password: 
    
    root@hol9762:~# zlogin dbzone1
    root@dbzone1:~# su - oracle
    oracle@dbzone1:~$ lsnrctl start
    oracle@dbzone1:~$ sqlplus / as sysdba
    
    SQL*Plus: Release 12.1.0.1.0 Production on Wed Aug 20 18:55:40 2014
    
    Copyright (c) 1982, 2013, Oracle.  All rights reserved.
    Connected to an idle instance.
    
    SQL>
    
  3. Start up the database.

    SQL> startup
    ORACLE instance started.
    
    Total System Global Area  534462464 bytes
    Fixed Size		    2363136 bytes
    Variable Size		  264241408 bytes
    Database Buffers	  264241152 bytes
    Redo Buffers		    3616768 bytes
    Database mounted.
    Database opened.
    SQL>
    

Step 2: Explore the CDB and the PDBs

  1. In the terminal window for dbzone1, type the following commands.

    oracle@dbzone1:~$ sqlplus / as sysdba
    ...
    SQL> SHOW CON_NAME;
    
    CON_NAME
    ------------------------------
    CDB$ROOT
    SQL>         
    

    The result shows that you are now in the CDB root container.

  2. Type the following command to show how many PDBs are available.

    SQL> SHOW PDBS;
    
        CON_ID CON_NAME      OPEN MODE  RESTRICTED
    ---------- ------------------------------ ---------- ----------
        2      PDB$SEED      READ ONLY  NO
        3      PDB11         MOUNTED
    SQL>
    

    Note: PDB$SEED is a template PDB, which can be used to create other PDBs. pdb11 is a precreated PDB.

  3. If you want to use pdb11, you need to open it. Run the following command to open pdb11 and show its status.

    SQL> ALTER PLUGGABLE DATABASE pdb11 OPEN;    
    Pluggable database altered.
    SQL> SHOW PDBS;
        CON_ID CON_NAME        OPEN MODE  RESTRICTED
    ---------- ------------------------------ ---------- ----------
        2      PDB$SEED        READ ONLY  NO
        3      PDB11           READ WRITE NO
    

    Now pdb11 is ready for read and write operations.

    Exit SQL*Plus.

    SQL> EXIT;
    
  4. In the terminal window, run the following command to log in to pdb11.

    oracle@dbzone1:~$ sqlplus sys/solaris11@localhost:1521/pdb11 as sysdba
    
  5. Type the following command to check the current container and the status.

    SQL> SHOW CON_NAME;
    
    CON_NAME
    ------------------------------
    PDB11
    
    SQL> SHOW PDBS;
    
        CON_ID CON_NAME    OPEN MODE  RESTRICTED
    ---------- ------------------------------ ---------- ----------
        3      PDB11       READ WRITE NO
    
    SQL> SELECT name FROM v$datafile;
    NAME
    --------------------------------------------------------------------------------
    /u01/app/oracle/oradata/cdb1/undotbs01.dbf
    /u01/app/oracle/oradata/cdb1/pdb11/system01.dbf
    /u01/app/oracle/oradata/cdb1/pdb11/sysaux01.dbf
    /u01/app/oracle/oradata/cdb1/pdb11/pdb11_users01.dbf
    

    Exit SQL*Plus.

    SQL> EXIT;
    

Step 3: Create a New PDB with a Dedicated Disk

  1. In the terminal window for dbzone1, type the following commands to find extra disks in this zone.

    oracle@dbzone1:~$ zpool status
      pool: dbpool1
     state: ONLINE
      scan: none requested
    config:
    
       NAME      STATE     READ WRITE CKSUM
       dbpool1   ONLINE       0     0     0
       c2t2d0    ONLINE       0     0     0
    
    errors: No known data errors
    
      pool: dbpool2
     state: ONLINE
      scan: none requested
    config:
    
       NAME      STATE     READ WRITE CKSUM
       dbpool2   ONLINE       0     0     0
       c2t3d0    ONLINE       0     0     0
    
    errors: No known data errors
    
      pool: rpool
     state: ONLINE
      scan: none requested
    config:
    
       NAME      STATE     READ WRITE CKSUM
       rpool     ONLINE       0     0     0
       c2t0d0    ONLINE       0     0     0
    
    errors: No known data errors
    

    As you can see, there are two extra disks, c2t2d0 (mounted as dbpool1) and c2t3d0 (mounted as dbpool2).

  2. Connect to the database as sysdba.

    oracle@dbzone1:~$ sqlplus / as sysdba
    
  3. To create and open a new PDB named pdb12 in a dedicated disk named dbpool1, type the following commands.

    SQL> CREATE PLUGGABLE DATABASE pdb12 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11 
    FILE_NAME_CONVERT =('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool1');
    Pluggable database created.
    
    SQL> ALTER PLUGGABLE DATABASE pdb12 OPEN;
    Pluggable database altered.
    
  4. Create a tablespace named users in pdb12.

    SQL> ALTER SESSION SET CONTAINER=pdb12;
    Session altered.
    SQL> CREATE TABLESPACE users DATAFILE '/dbpool1/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 1M SEGMENT 
    SPACE MANAGEMENT AUTO;
    
  5. Create a table and insert some records.

    SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER, 
    credit_card CHAR(16)) TABLESPACE users;
    SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
    SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
    SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
    SQL> SELECT * FROM employee;
    SQL> COMMIT;
    SQL> ALTER PLUGGABLE DATABASE pdb12 CLOSE;
    

Step 4: Create a New PDB in an Encrypted File System

In Oracle Database 12c, PDBs can provide data isolation by using separated disks and storage to store their own data. However, there are risks when the disks are stolen or maliciously accessed. If unauthorized people get the disks, they will be able to get the sensitive data, such as files and disk devices, directly from the OS level instead of from the database level. Some disk scan tools (such as dd) can be used to scan the whole disk to find sensitive information.

Therefore, data-at-rest protection must be presented in order to prevent the disclosure of sensitive data.

  1. In the terminal window, exit SQL*Plus, if you have not already exited it. Then type the following dd command to scan the tablespace file.

    SQL> EXIT;
    ...
    oracle@dbzone1:~$ dd if=/dbpool1/users.dbf | strings 
    

    You should get results like the following, which indicates unauthorized users can directly get the sensitive data from the tablespace files.

    ...
    chris
    5201237476346909,
    wang
    4380558852114471,
    gary
    wang
    6201345768476366
    ...
    

    Or, you can switch to the terminal window of the global zone (with root@hol9762), and then type the following command to scan the disk for sensitive information. (Note: It might take several minutes to get the results.)

    root@hol9762:~# dd if=/dev/dsk/c2t2d0 | strings | grep 52012374
    5201237476346909,
    4194304+0 records in
    4194304+0 records out
    
  2. ZFS encryption can be used to solve this problem. Switch to the terminal window for dbzone1, and create an encrypted file system by using the commands below.

    oracle@dbzone1:/$ sudo zfs create -o encryption=on dbpool2/protected
    Enter passphrase for 'dbpool2/protected': 
    Enter again:
    oracle@dbzone1:/$ sudo chown oracle:dba /dbpool2/protected
    
  3. Connect to the database as sysdba.

    oracle@dbzone1:~$ sqlplus / as sysdba
    
  4. To create and open a new PDB named pdb13 in this encrypted file system, type the following commands:

    SQL> CREATE PLUGGABLE DATABASE pdb13 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11 
    FILE_NAME_CONVERT =  ('/u01/app/oracle/oradata/cdb1/pdbseed','/dbpool2/protected');
    Pluggable database created.
    
    SQL> ALTER PLUGGABLE DATABASE pdb13 OPEN;
    Pluggable database altered.
    
  5. Create a tablespaces named users in pdb13.

    SQL> ALTER SESSION SET CONTAINER=pdb13;
    Session altered.
    SQL> CREATE TABLESPACE users DATAFILE '/dbpool2/protected/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 
    1M SEGMENT SPACE MANAGEMENT AUTO;
    
  6. Create a table and insert some records:

    SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER, 
    credit_card CHAR(16)) TABLESPACE users;
    SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
    SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
    SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
    SQL> SELECT * FROM employee;
    SQL> COMMIT;
    SQL> ALTER PLUGGABLE DATABASE pdb13 CLOSE;
    
  7. Switch to the terminal window for the global zone (with prompt root@hol9762), and then type the following command to scan the disk for sensitive information. (Note: It might take several minutes to finish; you can do the next exercise while waiting for the result.)

    root@hol9762:~# dd if=/dev/dsk/c2t3d0 | strings | grep 52012374
    

    You won't succeed because the disk (c2t3d0) has been encrypted.

Summary

In this exercise, you created pluggable databases (PDBs) in Oracle Database 12c on an encrypted file system using ZFS encryption to ensure secure data at rest. Each of the PDBs was attached to a dedicated disk for secure isolation and resided on encrypted ZFS datasets for ensuring secure data at rest for all files.

Exercise 3: Using Transparent Data Encryption with the Oracle Solaris Cryptographic Framework (20 Minutes)

In this exercise, you will explore the Transparent Data Encryption feature of Oracle Advanced Security and learn how to transparently encrypt sensitive data stored in the tablespace, as shown in Figure 4. In addition, you will see how Oracle Database integrates with the Oracle Solaris Cryptographic Framework to manage the hardware-based Hardware Security Module (HSM) keystore in Oracle Solaris11.

Figure 4. Oracle Advanced Security Transparent Data Encryption (TDE)

Figure 4. Oracle Advanced Security Transparent Data Encryption (TDE)

What Is Transparent Data Encryption?

Transparent Data Encryption stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear-text data.

Out of the box, Transparent Data Encryption provides industry-standard strong encryption for the database, full key lifecycle management, and integrated support for Oracle Database tools and technologies. Transparent Data Encryption enables encryption of database columns or entire application tablespaces.

Transparent Data Encryption fully supports Oracle Multitenant.

What Is the Oracle Solaris Cryptographic Framework?

The Oracle Solaris Cryptographic Framework provides cryptographic services to users and applications through commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level frameworks. The Oracle Solaris Cryptographic Framework provides these cryptographic services to applications and kernel modules in a manner that is seamless to end users, and it brings direct cryptographic services to end users. The Oracle Solaris Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries to handle cryptographic requirements.

What Is a Token?

A token is a PKCS#11 concept that represents the logical view of a cryptographic device. Sometimes a "token" is a "keystore." For example, Oracle's Sun Crypto Accelerator 6000 PCIe Card in a PCI slot is a token (a hardware token). An Oracle Solaris PKCS#11 softtoken is another example of a token.

What Is a Slot?

A slot is a PKCS#11 concept that represents a logical reader which potentially contains a token. For example, a hardware slot is a slot that is bound to and dedicated to a hardware device; a softtoken slot is a software cryptographic provider with an on-disk keystore.

What Is a Metaslot?

A metaslot is a new, additional slot for the Oracle Solaris Cryptographic Framework. It provides the virtual union of the capabilities of all other slots in the framework. Instead of having to deal with many slots, an application can simply choose the metaslot, which has access to the features of all the slots currently plugged in to the Oracle Solaris Cryptographic Framework. A metaslot also does the tedious work of managing sessions and objects on different slots, so an application can use the best slot for a particular mechanism without having to move objects and sessions back and forth. The metaslot behavior conforms to the PKCS#11 standard. Applications should treat a metaslot as if it were any PKCS#11 slot with normal PKCS#11 semantics.

Why Choose HSM to Integrate with PKCS#11?

Oracle Database 12c supports the use of a PKCS#11-based HSM keystore for Oracle Wallet. Using a PKCS#11 softtoken for Oracle Wallet secures the master key from duplication and copying during database and file system backups. If the database is deployed on a physical machine (such as on Oracle's SPARC T5 server) with a hardware cryptographic accelerator, PKCS#11 can seamlessly integrate the hardware cryptographic accelerator to make database encryption much faster.

Step 1: Configure a Metaslot to Use an Oracle Solaris PKCS#11 Softtoken

  1. Right-click the desktop and choose Open Terminal to bring up a terminal window.
  2. Log in to dbzone1, if you are not already logged in to it.

    labuser@hol9762:~$ su -
    Password:
    root@hol9762:~# zlogin dbzone1
    
  3. Configure a metaslot to use an Oracle Solaris PCKS#11 softtoken by default.

    root@dbzone1:~# cryptoadm enable metaslot token="Sun Software PKCS#11 Softtoken"
    
  4. Copy the Oracle Solaris libpkcs11.so file, which is needed by Oracle Database 12c, to the PKCS#11 library directory.

    root@dbzone1:~# mkdir -p /opt/oracle/extapi/64/hsm/sun/1.0.0/lib
    root@dbzone1:~# cp /usr/lib/64/libpkcs11.so /opt/oracle/extapi/64/hsm/sun/1.0.0/lib
    root@dbzone1:~# chown -R oracle:dba /opt/oracle
    

Step 2: Open the HSM-Based Keystore and Create an Encryption Key

  1. Change to the oracle user:

    root@dbzone1:/# su - oracle
    Oracle Corporation   SunOS 5.11   11.2   June 2014
    oracle@dbzone1:~$
    
  2. Set the passphrase for the Oracle Solaris PCKS#11 softtoken keystore. (The initial passphrase of the keystore is changeme.)

    oracle@dbzone1:~$ pktool setpin keystore=pkcs11
    Enter token passphrase:changeme
    Create new passphrase: solaris11
    Re-enter new passphrase: solaris11
    Passphrase changed. 
    
  3. In order to configure Transparent Data Encryption to use an Oracle Solaris PKCS#11 softtoken, you need to create an HSM to be used as an Oracle Wallet:

    Use vi to edit $ORACLE_HOME/network/admin/sqlnet.ora.

    oracle@dbzone1:~$ vi $ORACLE_HOME/network/admin/sqlnet.ora
    

    Add the following line to this file.

    ENCRYPTION_WALLET_LOCATION= (SOURCE= (METHOD=HSM))
    
  4. Start up the database, if it is not already started.
  5. You must open the hardware keystore so that it is accessible to the database before you can perform any encryption or decryption:

    Using the following commands, open the hardware keystore and create a Transparent Data Encryption encryption master key for the root container.

    oracle@dbzone1:~$ sqlplus / as sysdba
    SQL> startup
    ...
    SQL> SHOW CON_NAME;
    
    CON_NAME
    ------------------------------
    CDB$ROOT
    
    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";
    keystore altered.
    
    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";
    keystore altered.
    
  6. Run the following commands to switch the container of the current session to pdb11, open pdb11 (if needed, open the hardware keystore, and create a Transparent Data Encryption encryption master key for pdb11.

    SQL> ALTER SESSION SET CONTAINER=pdb11;
    Session altered.
    
    SQL> ALTER PLUGGABLE DATABASE pdb11 OPEN;
    Pluggable database altered.
    
    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "solaris11";
    keystore altered.
    
    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "solaris11";
    keystore altered.
    
  7. Check the hardware keystore status.

    SQL> SELECT WRL_TYPE, status FROM v$encryption_wallet;
    WRL_TYPE     STATUS
    -------------------- ------------------------------
    HSM          OPEN
    

Step 3: Use Transparent Data Encryption with an Encrypted Tablespace

  1. Create an encrypted tablespace in pdb11.

    SQL> CREATE TABLESPACE HsmSecuredTableSpace DATAFILE 
    '/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf' SIZE 20M ENCRYPTION DEFAULT STORAGE(ENCRYPT);
    
  2. Create a table in the encrypted tablespace, which automatically encrypts all data objects in it.

    SQL> CREATE TABLE employee(first_name VARCHAR2(32),last_name VARCHAR2(32),empID 
    NUMBER,credit_card CHAR(16)) TABLESPACE HsmSecuredTableSpace;
    
  3. Insert some data into the table.

    SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
    SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
    SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
    SQL> SELECT * FROM employee;
    SQL> COMMIT;
    SQL> ALTER PLUGGABLE DATABASE pdb11 CLOSE;
    SQL> EXIT;
    
  4. Use pktool to check the encryption keys created in the database.

    oracle@dbzone1:~$ pktool list objtype=both;
    Enter PIN for Sun Software PKCS#11 softtoken: 
    No.   Key Type     Key Len.  Key Label
    ----------------------------------------------------
    Symmetric keys:
    1)    AES                    ORACLE.TDE.HSM.MK.068FF2B9DF184B4FBCBF68185CB2A45687 (sensitive)
    2)    AES                    ORACLE.TDE.HSM.MK.06517EBB85AF554F9ABFB20C8F358F5FD0 (sensitive)
    
  5. Use dd to scan the database file. You won't be able to get any sensitive information.

    oracle@dbzone1:~$ dd if=/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf | strings
    

    Note: You can also create more Transparent Data Encryption master encryption keys for a future use of other PDBs. Please refer to the Oracle Database Advanced Security Guide for detailed information.

Summary

In this exercise, you integrated Oracle Database 12c with the Oracle Solaris Cryptographic Framework by leveraging an Oracle Solaris 11 softtoken as a hardware-based Hardware Security Module (HSM). Once it is deployed, Oracle Database 12c will automatically use SPARC T4 or SPARC T5 processor-based hardware assisted cryptography for both encryption and decryption operations involved with tablespace encryption, encrypted backups, restore, and encrypted dump files. Also, you tried the Oracle Database 12c Transparent Data Encryption feature of Oracle Advanced Security, and you learned about how to encrypt sensitive data using Transparent Data Encryption with an encrypted tablespace.

Conclusion

You have successfully completed the "Setting Up Database Protection and Multitenancy for Oracle Database 12c on Oracle Solaris 11" hands-on lab! During the lab, you explored the following isolation and encryption approaches for securing multitenancy when using Oracle Database 12c on Oracle Solaris 11: Oracle Solaris Zones, Oracle Database 12c pluggable databases (PDB), Oracle Advanced Security Transparent Data Encryption, and Oracle Solaris ZFS encryption. You also learned how Transparent Data Encryption works with the Oracle Solaris Cryptographic Framework.

Appendix A

dbzone1.config File

root@hol9762:/zones# more dbzone1.config 
create -b
set brand=solaris
set zonepath=/zones/dbzone1
set autoboot=false
set autoshutdown=shutdown
set pool=zonepool1
set ip-type=exclusive
add net
set configure-allowed-address=true
set physical=vnic1
end
add capped-memory
set physical=2G
end
add rootzpool
add storage dev:/dev/dsk/c2t0d0
end
add zpool
set name=dbpool1
add storage dev:/dev/dsk/c2t2d0
end
add zpool
set name=dbpool2
add storage dev:/dev/dsk/c2t3d0
end

dbzone2.config File

root@hol9762:/zones# more dbzone2.config 
create -b
set brand=solaris
set zonepath=/zones/dbzone2
set autoboot=false
set autoshutdown=shutdown
set ip-type=exclusive
add net
set configure-allowed-address=true
set physical=vnic2
end
add rootzpool
add storage dev:/dev/dsk/c2t1d0
end

See Also

About the Authors

Ramesh Nagappan is a senior principal engineer at Oracle, (and previously at Sun Microsystems). He works on security integration for the Oracle SuperCluster platform and is focused on cloud security, network and application security, and applied cryptography for applications, XML web services, and identity management technologies.

Yu Wang presently works for Oracle's ISV Engineering group as a principal software engineer. His duties include supporting local independent software vendors (ISVs) and evangelizing Oracle Solaris and Java technologies.

Xiaosong (Chris) Zhu is a senior software engineer working for Oracle's ISV Engineering group. She concentrates on Oracle Solaris and C/C++, and her duties include evangelizing Oracle Solaris and supporting local ISVs for determining how to best run C/C++ applications on Oracle Solaris and Oracle's SPARC servers.

Gang (Gary) Wang, manager of Oracle's ISV Engineering group, leads the ISV Engineering team in Beijing helping ISVs in China, Japan, and Korea to make their applications run best on Oracle Solaris, Oracle's servers, and Oracle's storage products.

Revision 1.0, 03/16/2015

Revision 1.1, 04/17/2015


Follow us:
Blog | Facebook | Twitter | YouTube