Database Reference
Ignore case has been deprecated for password files, so all passwords in the pwfile are
case-sensitive by default.
Invoker's rights views are nice to have for completeness, i.e., views have the same privilege
choices as packages: invoker and definer.
Label security performance has reportedly been increased by a factor of 10, which is likely to
increase take-up of this feature, though label security is dependent on the removal of privilege
escalations. As Chapter 10 shows, there are still privilege escalations in 12c.
Local registration of instance IPs to the listener, to prevent remote registration of instances to
the listener.
Security Features Not in 12c
It is also interesting to note which features did not make 12.1.0.1.0—firstly, SHA-2 passwords for authentication. The
11.2.0.3 documentation did include a reference to 12c SHA-2 database passwords in the DBA_USERS view, but SHA-2
for main DB account passwords has not made it into the first 12c release. In my view, this is not the end of the world.
I was much more concerned about TNS session encryption. There are a lot of identity-management systems for
databases that are currently sending ALTER USER password changes over the network in plain text. Also, the data that
is selected back may be credit card numbers and passwords, so session encryption at the transport layer, i.e., TCP/IP,
has been something that 12c has been edging towards and has been very much looked forward to. TCPS has been part
of ASO, which is a costly option, so most folks don't use it currently. It was made free of charge (FoC) for RAC-to-listener
connections and is now free for 12c, but it is not turned on by default. Turning it on is actually very easy, just requiring standard
openssl wallet creation and changing tcp to tcps in the listener. However, integrating that new TCPS service into the
Oracle architecture is another matter; e.g., Cloud Control and JDBC services do not fully support TCPS at this time.
It is reasonably easy to customize these services using Stunnel, but support and maintenance then move to
the customer.
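The tcp-to-tcps change described above can be checked mechanically. The following is an added example, not code from the book: it parses listener.ora text and reports endpoints still on clear-text TCP, or on TCPS with no wallet configured. The host name, ports, wallet path and the function names `endpoints` and `audit` are assumptions made for illustration, and only flat ADDRESS entries are handled.

```python
import re

# Constructed sample listener.ora texts (host, ports and wallet path are
# placeholders): the clear-text default, then the same listener on TCPS.
BEFORE = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
  )
"""
AFTER = """
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
  )
"""

# One ADDRESS entry is a run of flat (KEY = value) pairs inside (ADDRESS = ...).
ADDRESS = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)", re.I)
PAIR = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")
WALLET = re.compile(r"^\s*WALLET_LOCATION\s*=", re.I | re.M)


def endpoints(text):
    """Return one dict per ADDRESS entry, with upper-cased keys."""
    text = re.sub(r"#.*", "", text)  # drop comments
    return [{k.upper(): v for k, v in PAIR.findall(m.group(1))}
            for m in ADDRESS.finditer(text)]


def audit(text):
    """Report clear-text TCP endpoints and TCPS endpoints with no wallet."""
    eps = endpoints(text)
    protocols = [ep.get("PROTOCOL", "").upper() for ep in eps]
    findings = [f"clear-text endpoint {ep.get('HOST')}:{ep.get('PORT')}"
                for ep, proto in zip(eps, protocols) if proto == "TCP"]
    if "TCPS" in protocols and not WALLET.search(re.sub(r"#.*", "", text)):
        findings.append("TCPS endpoint but no WALLET_LOCATION")
    return findings


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The IPC address is local to the host and is deliberately not flagged; only network endpoints are reported.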
Many of the features I've just described are implemented to mitigate long-standing flaws in Oracle's security
model. Chapter 9, coming next, goes into the details of those flaws and how the new features help resolve them.
 