Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Oracle Database 12c Security Cookbook

You're reading from   Oracle Database 12c Security Cookbook Secure your Oracle Database 12c with this valuable Oracle support resource, featuring more than 100 solutions to the challenges of protecting your data

Arrow left icon
Product type Paperback
Published in Jun 2016
Publisher Packt
ISBN-13 9781782172123
Length 388 pages
Edition 1st Edition
Arrow right icon
Authors (3):
Arrow left icon
Zoran Pavlovic Zoran Pavlovic
Author Profile Icon Zoran Pavlovic
Zoran Pavlovic
Maja Veselica Maja Veselica
Author Profile Icon Maja Veselica
Maja Veselica
Maja Veselica & Zoran Pavlovic Maja Veselica & Zoran Pavlovic
Author Profile Icon Maja Veselica & Zoran Pavlovic
Maja Veselica & Zoran Pavlovic
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Basic Database Security FREE CHAPTER 2. Security Considerations in Multitenant Environment 3. PL/SQL Security 4. Virtual Private Database 5. Data Redaction 6. Transparent Sensitive Data Protection 7. Privilege Analysis 8. Transparent Data Encryption 9. Database Vault 10. Unified Auditing 11. Additional Topics 12. Appendix – Application Contexts

The syskm privilege – how, when, and why should you use it?

It is recommended that you use the syskm administrative privilege instead of the sysdba administrative privilege to perform operations related to managing the transparent data encryption (TDE) keystore.

Getting ready

For this recipe, you'll need:

  • An existing database user (for example, jessica) and a password file in the 12c format, if you want to complete it using a password-authenticated user
  • An existing OS user (for example, bob), who belongs to the kmdba OS group, in order to connect to the database using OS authentication

How to do it...

Instructions are split into sections for database authentication and OS authentication.

Database authentication

The instructions for database authentication are as follows:

  1. Connect to the database as sysdba (or another user that can grant the syskm privilege):
    sqlplus / as sysdba
    
  2. Grant the syskm privilege to user jessica:
    grant syskm to jessica; 
    
  3. Connect user jessica to the database as syskm:
    SQL> connect jessica/oracle_1 as syskm
    
  4. View privileges:
    SQL> select * from user_tab_privs;
    SQL> select * from session_privs;
    

OS authentication

The instructions for OS authentication are as follows:

  1. Verify that an OS user (for example, bob) is a member of the kmdba OS group.
    $ id bob
    
  2. Connect to the database using syskm privilege:
    $ sqlplus / as syskm
    

How it works...

When you connect to the database as syskm, you are connected as a predefined user, syskm. Using the syskm privilege, you can connect to the database even when it is not open.

In most circumstances when using TDE, you don't have to have syskm administrative privilege. For a more detailed discussion about TDE operations and which privileges users need, see recipes in Chapter 8, Transparent Data Encryption.

In the Database authentication section after completing step 3, you can perform operations related to managing the TDE keystore. Step 4 is not necessary and its sole purpose is to show you which privileges you can use when connected as syskm. These privileges are:

  • ADMINISTER KEY MANAGEMENT
  • CREATE SESSION
  • SELECT on V$ (and GV$) views:
    • SYS.V$ENCRYPTED_TABLESPACES
    • SYS.V$ENCRYPTION_WALLET
    • SYS.V$WALLET
    • SYS.V$ENCRYPTION_KEYS
    • SYS.V$CLIENT_SECRETS
    • SYS.DBA_ENCRYPTION_KEY_USAGE
    • SYS.DATABASE_KEY_INFO

Tip

It is important for you to remember that: When using syskm privilege, you can't view the application data.

There's more...

You can't drop user syskm. When you are connected to the database as syskm, you are connected as the syskm user to SYS schema:

SQL> connect / as syskm
Connected.

SQL> show user
USER is "SYSKM"

SQL> select sys_context( 'userenv', 'current_schema' ) from dual;
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
---------------------------------------
SYS

See also

  • Creating password-authenticated users
  • Creating and using OS-authenticated users
  • Chapter 8, Transparent Data Encryption
You have been reading a chapter from
Oracle Database 12c Security Cookbook
Published in: Jun 2016
Publisher: Packt
ISBN-13: 9781782172123
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime