Videos: Oracle Database 11gR2 Security Course

Oracle Database 11g: Security Release 2

I would like to share my last oracle database security course, you can download and enjoy.

Asking Allah to accept it and people get benefit from that.

Course Objectives

• Use basic Oracle Database security features
• Choose a user authentication model
• Secure the database and the listeners
• Use the Enterprise Security Manager tool
• Manage users using proxy authentication
• Implement Enterprise User Security
• Describe the benefits and requirements associated with the Oracle Advanced Security option
• Manage secure application roles
• Implement fine-grained access control
• Manage Virtual Private Database
• Implement fine-grained auditing
• Use Transparent Data Encryption
• Use file encryption
• Encrypt and decrypt table columns
• Set up Oracle Label Security policies

Course Contents :

5 Videos cover course from chapter 2 to 21

zip file contains practice scripts that used in course and some documents that help you to go in-depth.

URL : Oracle Database 11gR2 Security
YouTube:  http://www.youtube.com/playlist?list=PLbybFqHGEZ9FvFKjn3pkTsO0pA0XrjWos

Note: Course in Arabic 

Thanks,
Ahmed Fathi

Oracle Transparent Data Encryption

Oracle Transparent Data Encryption Installation

Oracle TDE is available by default in Oracle RDBMS Enteprise Edition. To be able to use this it is necessary to purchase an Oracle Advanced Security license.
Oracle Transparent Data Encryption Configuration and Administration

To start using TDE the following operations have to be performed:

1) Make sure that the wallet location exists. If a non default wallet location must be used then specify it in the sqlnet.ora file :

ENCRYPTION_WALLET_LOCATION =
   (SOURCE = (METHOD = FILE)
     (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
     )
   )

Note: The default encryption wallet location is $ORACLE_BASE/admin/<global_db_name>/wallet. If you want to let Oracle manage a wallet in the default location then there is no need to set the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora.

2) Generate a master key:
alter system set encryption key identified by "wallet_password";

This command will do the following:

A) If there is no wallet currently in the wallet location then a new wallet with the password "wallet_password" will be generated. The password is enclosed in double quotes to preserve the case of the characters. If the double quotes are not used then the characters of the password will be all in upper case. This command will also cause the new wallet to be opened and ready for use.

Comment: This is the only valid way of creating a new wallet for TDE, you may not use oracle wallet manager or command line tool orapki to create the TDE wallet for the first time!

B) A new master key will be generated and will be written to the wallet. This newly generated master key will become the active master key. The old master keys (if there were any) will still be kept in the wallet but they will not be active. They are kept there to be used when decrypting data that was previously encrypted using them.


To see the status of an wallet run the following query:
SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u01/app/oracle/admin/ORCL/wallet
OPEN


3) Enable encryption for a column or for an entire tablespace:

3.1) Create a table by specifying the encrypt option:

create table test(col1 number, col2 varchar2(100) encrypt using 'AES256' NO SALT);

SET LINESIZE 100
COLUMN owner FORMAT A15
COLUMN tble_name FORMAT A15
COLUMN column_name FORMAT A15

SELECT * FROM dba_encrypted_columns;


3.2) Encrypt the column(s) of an existing table:

alter table test modify( col2 encrypt SALT);

3.3) Create an encrypted tablespace :

CREATE TABLESPACE encryptedtbs
DATAFILE '/u01/app/oracle/oradata/ORCL/encryptedtbs01.dbf' SIZE 100M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

SELECT tablespace_name, encrypted FROM dba_tablespaces;

Note: An existing  non encrypted tablespace cannot be encrypted. If you must encrypt the data from an entire tablespace then create a new encrypted tablespace and then move the data from the old tablespace to the new one

Wallets must be reopened after an instance restart and can be closed to prevent access to encrypted data.

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "myPassword";
    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
   
 Database Startup

The following text shows the impact of stopping and starting the database on an encrypted tablespace. Notice how the wallet must be opened before the data is accessible.

    SQL>CONN / AS SYSDBA
    Connected.
    SQL> SHUTDOWN IMMEDIATE;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> STARTUP
    ORACLE instance started.

    Total System Global Area  626327552 bytes
    Fixed Size                  2255832 bytes
    Variable Size             234882088 bytes
    Database Buffers          381681664 bytes
    Redo Buffers                7507968 bytes
    Database mounted.
    Database opened.
    SQL> SELECT tablespace_name, encrypted, status FROM dba_tablespaces;

    TABLESPACE_NAME                ENC STATUS
    ------------------------------ --- ---------
    SYSTEM                         NO  ONLINE
    SYSAUX                         NO  ONLINE
    UNDOTBS1                       NO  ONLINE
    TEMP                           NO  ONLINE
    USERS                          NO  ONLINE
    EXAMPLE                        NO  ONLINE
    SOE                            NO  ONLINE
    ENCRYPTED_TS                   YES ONLINE

    8 rows selected.

    SQL> SELECT * FROM test.ets_test;
    select * from test.ets_test
                       *
    ERROR at line 1:
    ORA-28365: wallet is not open

    SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "myPassword";

    System altered.

    sys@db11g> select * from test.ets_test;

            ID DATA
    ---------- --------------------------------------------------
             1 This is a secret!

    1 row selected.

    SQL>

Verify Transparent Data Encryption (TDE)

Create an encrypted tablespace :

CREATE TABLESPACE data DATAFILE '/u01/app/oracle/oradata/ORCL/data01.dbf' SIZE 10M ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT);

First check which tablespaces are encrypted and which ones are not:

SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces;

TABLESPACE_NAME ENC
------------------------------ ---
SYSTEM NO
SYSAUX NO
UNDOTBS1 NO
TEMP NO
USERS NO
EXAMPLE NO
DATA YES

Then find the associated datafiles on the filesystem:

SQL> select TABLESPACE_NAME, FILE_NAME from dba_data_files where TABLESPACE_NAME in ('USERS','DATA');

TABLESPACE_NAME
------------------------------
FILE_NAME
--------------------------------------------------------------------------------
USERS
/u01/oradata/v1120/users01.dbf

DATA
/u01/oradata/v1120/data01.dbf

Create a test table in the unencrypted USERS tablespace and put a known string value in it:

SQL> create table scott.test(data varchar2(100)) tablespace users;

Table created.

SQL> insert into scott.test values ('ABCDEFGHIJKLMNOPQRSTUVWZYZ');

1 row created.

SQL> commit;

Commit complete.


Repeat the same but now put a table in the encrypted tablespace (it incidently shows the wallet needs to be open to be able to store data in the encrypted tablespsace):

SQL> create table scott.test_encrypted(data varchar2(100)) tablespace data;

Table created.

SQL> insert into scott.test_encrypted values ('ABCDEFGHIJKLMNOPQRSTUVWZYZ');
insert into scott.test_encrypted values ('ABCDEFGHIJKLMNOPQRSTUVWZYZ')
  *
ERROR at line 1:
ORA-28365: wallet is not open

SQL> alter system set wallet open identified by "welcome1";
System altered.

SQL> insert into scott.test_encrypted values ('ABCDEFGHIJKLMNOPQRSTUVWZYZ');
1 row created.

SQL> commit;
Commit complete.

Make sure all changes are flushed to disk, otherwise the data may not be written do the datafiles when performing the subsequent check:

SQL> alter system checkpoint;

System altered.

Now use the OS 'strings' command to determine whether the string value inserted in the table is 'visible':

SQL> !strings /u01/oradata/v1120/users01.dbf | grep ABCDEF
ABCDEFGHIJKLMNOPQRSTUVWZYZ

SQL> !strings /u01/oradata/v1120/data01.dbf | grep ABCDEF

<no output>

Oracle Label Security

Oracle Label Security
======================
Labels and policy enforcement depend on the factors explained in the following sections:

Data Labels
Label Authorizations
Policy Privileges
Policy Enforcement Options

Data Labels
---------------
In Oracle Label Security, each row of a table can be labeled based on its level of confidentiality. Every label contains three components:

a single level (sensitivity) ranking
zero or more horizontal compartments or categories
zero or more hierarchical groups

A label can be any one of the following four combinations of components:

a single level component, with no groups or compartments, such as U::
a level and a set of compartments with no groups, such as U:Alpha, Beta:
a level and a set of groups with no compartments, such as U::FIN, ASIA
a level with both compartments and groups, such as U:Beta, Psi:ASIA, FIN

Label Authorizations
-----------------------
Users can be granted label authorizations that determine the kind of access (read or write) they have to the rows that are labeled. When a label has been applied to a

row, only users authorized for access to that label can see it or possibly change it. No user can access or affect rows for which that user lacks necessary

authorization. If a row has multiple labels, then a user must have the required authorizations for each such label to see or alter that row.

Policy Privileges
------------------
Policy privileges enable a user or stored program unit to bypass some aspects of the label-based access control policy

Policy Enforcement Options
----------------------------
In Oracle Label Security, administrators or application developers can apply different policy enforcement options for maximum flexibility in controlling the DML operations users can perform.

Summary: Four Aspects of Label-Based Row Access
-------------------------------------------------
When label-based access is enforced within a protected table, access to a row requires a user's label to meet certain criteria determined by policy definitions. These

access controls act as a secondary access mediation check, after the discretionary access controls implemented by the application developers.

In summary, Oracle Label Security provides four aspects of label-based access control:

A user's label indicates the information that a user is permitted to access, and determines the type of access (read or write) the user is allowed to perform.

A row's label indicates the sensitivity of the information that the row contains, and can also indicate its ownership and its affiliation with similar data.

A user's policy privileges can enable bypassing some aspects of a label-based access control policy.

A table's policy enforcement options determine various aspects of how access controls are enforced for read and write operations.

Label Components
------------------
Sensitivity Label Components

Component                        Description                                          Examples   
Level          A single specification of the labeled data's           CONFIDENTIAL (1), SENSITIVE (2), HIGHLY_SENSITIVE (3)
               sensitivity within the ordered ranks established

Compartments   Zero or more categories associated with the labeled data      FINANCIAL, STRATEGIC, NUCLEAR

Groups        Zero or more identifiers for organizations owning or accessing the data   EASTERN_REGION, WESTERN_REGION

Creating Policies
====================
PROCEDURE CREATE_POLICY (
policy_name IN VARCHAR2,
column_name IN VARCHAR2 DEFAULT NULL,
default_options IN VARCHAR2 DEFAULT NULL);

BEGIN
SA_SYSDBA.CREATE_POLICY(
POLICY_NAME =>'FACILITY',
COLUMN_NAME => 'FACLAB',
DEFAULT_OPTIONS =>'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;

Creating Levels
==================
PROCEDURE CREATE_LEVEL (
policy_name IN VARCHAR2,
level_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);

BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '100',
SHORT_NAME => 'P',
LONG_NAME => 'PUBLIC');
END;
/

BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '200',
SHORT_NAME => 'C',
LONG_NAME => 'CONFIDENTIAL');
END;
/

BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '300',
SHORT_NAME => 'S',
LONG_NAME => 'SENSITIVE');
END;
/

BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '400',
SHORT_NAME => 'HS',
LONG_NAME => 'HIGHLY_SENSITIVE');
END;
/

Creating Groups
==================
PROCEDURE CREATE_GROUP (
policy_name IN VARCHAR2,
group_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2,
parent_name IN VARCHAR2 DEFAULT NULL);

BEGIN
SA_COMPONENTS.CREATE_GROUP(
POLICY_NAME =>'FACILITY',
GROUP_NUM => '1000',
SHORT_NAME => 'WR_SAL',
LONG_NAME => 'WR_SALES',
PARENT_NAME => 'WR');
END;

BEGIN
SA_COMPONENTS.CREATE_GROUP('FACILITY',1000,'WR','WESTERN_REGION');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1100,'WR_SAL','WR_SALES','WR');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1200,'WR_FIN','WR_FINANCE','WR');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1210,'WR_AP','WR_ACCT_PAYABLE','WR_FIN');
END;
/

Defining Compartments
======================
PROCEDURE CREATE_COMPARTMENT (
policy_name IN VARCHAR2,
comp_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);

BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '85',
SHORT_NAME => 'FIN',
LONG_NAME => 'Financial');
END;
/

BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '65',
SHORT_NAME => 'CH',
LONG_NAME => 'Chemical');
END;
/

BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '45',
SHORT_NAME => 'OP',
LONG_NAME => 'Operations');
END;
/

Creating Data Labels
======================
the administrator might create valid labels such as these:

SENSITIVE:FINANCIAL,CHEMICAL:EASTERN_REGION,WESTERN_REGION
CONFIDENTIAL:FINANCIAL:VP_GRP
SENSITIVE
HIGHLY_SENSITIVE:FINANCIAL
SENSITIVE::WESTERN_REGION

Syntax
PROCEDURE CREATE_LABEL (
policy_name IN VARCHAR2,
label_tag IN INTEGER,
label_value IN VARCHAR2,
data_label IN BOOLEAN DEFAULT TRUE);

Example:

BEGIN
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',1000,'P');
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2101,'S::WR_FIN');
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3101,'HS::WR');
END;

Assigning User Authorization Labels
======================================
Syntax
PROCEDURE SET_USER_LABELS (
policy_name IN VARCHAR2,
user_name IN VARCHAR2,
max_read_label IN VARCHAR2,
max_write_label IN VARCHAR2 DEFAULT NULL,
min_write_label IN VARCHAR2 DEFAULT NULL,
def_label IN VARCHAR2 DEFAULT NULL,
row_label IN VARCHAR2 DEFAULT NULL);

max_read_label: Specifies the label string to be used to initialize the user’s maximum
authorized read label. Composed of the user’s maximum level. Compartments authorized for
read access, and groups authorized for read access

max_write_label: Specifies the label string to be used to initialize the user’s maximum
authorized write label. Composed of the user’s maximum level. Compartments authorized for
write access, and groups authorized for write access. If max_write_label is not specified, it
is set to max_read_label.

min_write_label: Specifies the label string to be used to initialize the user’s minimum
authorized write label. Contains only the level, with no compartments or groups. If
min_write_label is not specified, it is set to the lowest defined level for the policy, with no
compartments or groups.

def_label: Specifies the label string to be used to initialize the user’s session label, including
level, compartments, and groups (a subset of max_read_label). If default_label is not
specified, it is set to max_read_label.

policy_name: Specifies the policy

user_name: Specifies the username

row_label: Specifies the label string to be used to initialize the program’s row label. Includes
level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, it is set to def_label, with only the compartments and groups
authorized for write access.

BEGIN
SA_USER_ADMIN.SET_USER_LABELS (
POLICY_NAME =>'FACILITY',
USER_NAME => 'scott',
MAX_READ_LABEL =>'S::WR_FIN');
END;

Applying the Policy to a Table
================================

• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTION => NULL implies that the policy default options are used.

PROCEDURE APPLY_TABLE_POLICY (
policy_name IN VARCHAR2,
schema_name IN VARCHAR2,
table_name IN VARCHAR2,
table_options IN VARCHAR2 DEFAULT NULL,
label_function IN VARCHAR2 DEFAULT NULL,
predicate IN VARCHAR2 DEFAULT NULL);


BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
POLICY_NAME => 'FACILITY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'EMPLOYEES',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL);
END;
/

SQL> DESC HR.EMPLOYEES
 Name                       Null?    Type
 ----------------------------------------- -------- ----------------------------
 EMPLOYEE_ID                   NOT NULL NUMBER(6)
 FIRST_NAME                        VARCHAR2(20)
 LAST_NAME                   NOT NULL VARCHAR2(25)
 EMAIL                       NOT NULL VARCHAR2(25)
 PHONE_NUMBER                        VARCHAR2(20)
 HIRE_DATE                   NOT NULL DATE
 JOB_ID                    NOT NULL VARCHAR2(10)
 SALARY                         NUMBER(8,2)
 COMMISSION_PCT                     NUMBER(2,2)
 MANAGER_ID                        NUMBER(6)
 DEPARTMENT_ID                        NUMBER(4)

SQL> UPDATE HR.EMPLOYEES SET FACLAB='3101';

27 rows updated.

SQL> COMMIT;

Commit complete.

SQL>
SQL>
SQL> SELECT FACLAB FROM HR.EMPLOYEES

    FACLAB
----------
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101
      3101

27 rows selected.

SQL> SELECT LABEL_TO_CHAR(3101) FROM  DUAL;

LABEL_TO_CHAR(3101)
---------------------------------------------
HS::WR

SQL> SELECT CHAR_TO_LABEL('FACILITY','HS::WR') FROM  DUAL;

CHAR_TO_LABEL('FACILITY','HS::WR')
----------------------------------
                              3101

SQL> UPDATE HR.EMPLOYEES SET FACLAB='2101' WHERE MANAGER_ID=146;

6 rows updated.

SQL> COMMIT;

Commit complete.

SQL> SELECT LABEL_TO_CHAR(FACLAB) FROM  HR.EMPLOYEES;

LABEL_TO_CHAR(FACLAB)
------------------------------------------------------------------------
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
S::WR_FIN
S::WR_FIN
S::WR_FIN
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR

27 rows selected.

SQL> grant select on HR.EMPLOYEES  to scott;

SQL> CONN SCOTT/TIGER;
Connected.
SQL> SELECT LABEL_TO_CHAR(FACLAB) FROM  HR.EMPLOYEES ;

LABEL_TO_CHAR(FACLAB)
----------------------------------------------------------
S::WR_FIN
S::WR_FIN
S::WR_FIN

SQL> SELECT COUNT(*) FROM HR.EMPLOYEES ;

  COUNT(*)
----------
         3

SQL> Select SA_SESSION.LABEL('FACILITY') FROM DUAL;

SA_SESSION.LABEL('FACILITY')
---------------------------------------------------
S::WR_FIN,WR_AP


Converting a Character String to a Label Tag, with CHAR_TO_LABEL
====================================================================
Use the CHAR_TO_LABEL function to convert a character string to a label tag. This function returns the label tag for the specified character string.

Syntax:
FUNCTION CHAR_TO_LABEL (
     policy_name     IN VARCHAR2,
     label_string    IN VARCHAR2)
RETURN NUMBER;

Example:

INSERT INTO emp (empno,hr_label)
VALUES (999, CHAR_TO_LABEL('HR','S:A,B:G5');

Here, HR is the label policy name, S is a sensitivity level, A,B compartments, and G5 a group

Converting a Label Tag to a Character String, with LABEL_TO_CHAR
==================================================================
When you query a table or view, you automatically retrieve all of the rows in the table or view that satisfy the qualifications of the query and are dominated by your label. If the policy label column is not hidden, then the label tag value for each row is displayed. You must use the LABEL_TO_CHAR function to display the character string value of each label.

Note that all conversions must be explicit. There is no automatic casting to and from tag and character string representations.

Syntax:

FUNCTION LABEL_TO_CHAR (label IN NUMBER)
RETURN VARCHAR2;

Inserting Labeled Data
===========================
When you insert data into a table protected by a policy under Oracle Label Security, a numeric label value tag must be supplied, usually in the INSERT statement itself.  To do this, you must explicitly specify the tag for the desired label or explicitly convert the character string representation of the label into the correct tag. Note that this does not mean generating new label tags, but referencing the correct tag. When Oracle Label Security is using Oracle Internet Directory, the only permissible labels (and corresponding tags) are those pre-defined by the administrator and already in Oracle Internet Directory.

The only times an INSERT statement may omit a label value are:

1.if the LABEL_DEFAULT enforcement option was specified when the policy was applied, or

2.if no enforcement options were specified when the policy was applied and LABEL_DEFAULT was specified when the policy was created, or

3.if the statement applying the policy named a labeling function.
In cases 1 and 2, the user's session default row label is used as the inserted row's label. In case 3, the inserted row's label is created by that labeling function.

Policy Enforcement Options
============================
Access-control enforcement controls read and write access to the data. The policies can be set for each type of data manipulation language (DML):

• READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible for SELECT, UPDATE, and DELETE. If READ_CONTROL is OFF on a policy, then

for any table protected by the policy, all rows are accessible to all users.

• WRITE_CONTROL determines the ability to insert, update, and delete data in a row. If this option is active, it enforces INSERT_CONTROL, UPDATE_CONTROL, and

DELETE_CONTROL. You can apply INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL separately.

Label-management enforcement ensures that data labels written for inserted or updated rows do not violate policies set for such labels:

• LABEL_DEFAULT uses the session’s default row label value unless the user explicitly specifies a label on INSERT.

• LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row. The WRITEUP, WRITEDOWN, and WRITEACROSS

privileges are only enforced if the LABEL_UPDATE option is active. Note that any label function that is in force overrides the LABEL_UPDATE option.

• CHECK_CONTROL applies the READ_CONTROL policy enforcement to the INSERT and UPDATE statements to ensure that the new row label is read-accessible by the user that is changing the label.

Options to override enforcement can suspend or apply all other enforcement options:

• ALL_CONTROL applies all enforcement options.

• NO_CONTROL applies no enforcement options. A labeling function or a SQL predicate can still be applied. In the absence of a label function, data rows that are

inserted do not have a label. If enforcement options are later turned on, the unlabeled rows are not visible unless  the user has the READ or FULL access authorization.

Oracle Label Security Privileges
===================================

READ             Allows read access to all data protected by the policy

FULL             Allows full read and write access to all data protected by the policy

COMPACCESS       Allows a session access to data authorized by the row's compartments, independent of the row's groups

PROFILE_ACCESS   Allows a session to change its labels and privileges to those of a different user
 
WRITEUP          Allows users to set or raise only the level, within a row label, up to the maximum level authorized
                 for the user. (Active only if LABEL_UPDATE is active.)

WRITEDOWN        Allows users to set or lower the level, within a row label, to any level equal to or greater than
                 the minimum level authorized for the user. (Active only if LABEL_UPDATE is active.)

WRITEACROSS      Allows a user to set or change groups and compartments of a row label, but does not allow changes to
                 the level. (Active only if LABEL_UPDATE is active.)

execute SA_USER_ADMIN.SET_USER_PRIVS ('ACCESS_LOCATIONS','HR','FULL');

Configure Oracle Label Security 11gR2

If you are trying to use label security in 11gR2 on Linux, you will probably have to relink Oracle with the following command to see the option in the DBCA.

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk lbac_on ioracle

Configure Instance

Once Oracle Label Security option has been installed on the server it can be added to an instance as follows.
• Start the Database Configuration Assistant (DBCA).
• On the Welcome screen click the Next button.
• On the Operations screen select the "Configure database options in a database" option and click the Next button.
• On the Databases screen select the relevant instance and click the Next button.
• On the Database Features screen select the Oracle Label Security option and click the Next button.
 •Click the Finish button.
• Popup screens will appear to tell you what operations will be performed and that the database must be restarted once complete. Click the OK button on these popups.
• Once complete exit the DBCA and stop and start your instance.

Secure Application Roles

Secure Application Roles
------------------------

Step 1. Defi ne the view and grant privileges. Any user involved in the application should have
SELECT privileges on the view because all logons need to lookup their name in the table:

SQL> create user blake identified by blake;

User created.

SQL> create user james identified by james;

User created.

SQL> grant connect to blake,james;

Grant succeeded.

SQL> grant create view to scott;

Grant succeeded.

SQL> connect scott
Enter password:
Connected.

SQL> create view emp_job as (select ename, job from emp);

View created.

SQL> grant select on emp_job to blake;

Grant succeeded.

SQL> grant select on emp_job to james;

Grant succeeded.

Make sure that a user only has privileges to the view but not the table:

SQL> connect blake
Enter password:
Connected.
SQL> select count(*) from scott.emp_job;

  COUNT(*)
----------
        14

SQL> select * from scott.emp;
select * from scott.emp
                    *
ERROR at line 1:
ORA-00942: table or view does not exist

Step 2. Create the secure application role and grant it the appropriate object privileges:

SQL>  create role manager_role identified using access_control_policy;

Role created.

SQL> grant select on scott.emp to manager_role;

Grant succeeded.

Note that you’re not granting the role to any user—the package will do that. If a user tries to set the role they will fail—only the procedure will be able to set it:

SQL> set role manager_role;
set role manager_role
*
ERROR at line 1:
ORA-28201: Not enough privileges to enable application role 'MANAGER_ROLE'


Step 3. Build the procedure that assigns the role. Th e procedure looks up the currently logged on user and looks it up in the emp_job view. If it is a manager it sets the role thereby granting privileges to access the table:

create or replace PROCEDURE access_control_policy
authid current_user
AS
v_user varchar2(50);
v_job varchar2(50);
BEGIN
-- get the user from the context
v_user := lower( (sys_context ('userenv','session_user')));
-- get the job description
select job into v_job from scott.emp_job where lower(ename) = v_user;
-- if we're a manager then set the role
if v_job = 'MANAGER' then
DBMS_SESSION.SET_ROLE('manager_role');
else null;
end if;
END access_control_policy;
/

Procedure created.

Step 4. Grant execute privileges to the appropriate users, e.g.,

SQL> grant execute on access_control_policy to blake;

Grant succeeded.

SQL> grant execute on access_control_policy to james;

Grant succeeded.

Step 5. Test manually by invoking the procedure from your session. Blake should be able to access EMP while James should not, due to the contents of emp_job:

SQL> conn scott/scott
Connected.

SQL> select * from emp_job;
ENAME JOB
---------- ---------
…
BLAKE MANAGER
…
JAMES CLERK
…

SQL> connect blake
Enter password:
Connected.
SQL> exec sys.access_control_policy;

PL/SQL procedure successfully completed.

SQL> select * from session_roles;

ROLE
------------------------------
MANAGER_ROLE

SQL> select max(sal) from scott.emp;

  MAX(SAL)
----------
      5030

SQL> connect james
Enter password:
Connected.
SQL> exec sys.access_control_policy;

PL/SQL procedure successfully completed.

SQL> select * from session_roles;

ROLE
------------------------------
CONNECT

SQL> select max(sal) from scott.emp;
select max(sal) from scott.emp
                           *
ERROR at line 1:
ORA-00942: table or view does not exist

Finally, you can now create a log-on trigger that will execute the procedure and thus set the role as soon as the user logs in. To view which package/procedure controls the secure application role:

SQL>  select * from dba_application_roles;

ROLE                           SCHEMA     PACKAGE
------------------------------ ---------- ------------------------------
MANAGER_ROLE                   SYS        ACCESS_CONTROL_POLICY

Oracle External Secure Password Store

External Secure Password Store
================================

Use the mkstore command:

•  Create the wallet:

mkdir /u01/app/oraclel/wallets

mkstore -wrl <wallet_location> -create

mkstore -wrl /u01/app/oraclel/wallets -create

•  Add credentials to the wallet:

$ mkstore -wrl /u01/app/oraclel/wallets -create
Enter password: <wallet_password>
Enter password again: <wallet_password>

mkstore -wrl /u01/app/oracle/client_wallets -createCredential dev hr hr

Configure sqlnet.ora
=====================
Set the following in sqlnet.ora:
• WALLET_LOCATION
• SQLNET.WALLET_OVERRIDE

WALLET_LOCATION =
  (SOURCE=
   (METHOD=File)
    (METHOD_DATA=
     (DIRECTORY=/u01/app/oraclel/wallets)))

SQLNET.WALLET_OVERRIDE = TRUE

Managing the External Password Store
=====================================

To list the contents of the external password store, enter the following command at the command line:
mkstore -wrl <wallet_location> -listCredential

To add database login credentials to an existing client wallet, enter the following command:

mkstore -wrl <wallet_location> -createCredential <db_alias> <username> <password>

To modify database login credentials, enter the following command:

mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>

To delete database login credentials, enter the following command:

mkstore -wrl <wallet_location> -deleteCredential <db_alias>

Oracle Database Strong Authentication (certificate)

1) Create and configure the server wallet

Create an empty server wallet:

$> mkdir /u01/app/oracle/server_wallet
$> cd /u01/app/oracle/server_wallet
$> orapki wallet create -wallet /u01/app/oracle/server_wallet -auto_login -pwd welcome1

After running the above command the following two files will be created in the directory:

$> ls -la /u01/app/oracle/server_wallet

-rw------- 1 oracle oinstall 3589 May  4 11:53 cwallet.sso
-rw------- 1 oracle oinstall 3512 May  4 11:53 ewallet.p12

Create server's self signed certificate:

$> orapki wallet add -wallet /u01/app/oracle/server_wallet -dn "CN=server" -keysize 512 -self_signed -validity 365 -pwd welcome1

2) Create and configure the client wallet

Create an empty wallet for the client(into a new directory) :

$> mkdir /u01/app/oracle/client_wallet
$> cd /u01/app/oracle/client_wallet
$> orapki wallet create -wallet /u01/app/oracle/client_wallet -auto_login -pwd welcome2

Note:  We used the -auto_login option to make sure that we are able to move the cwallet.sso file to other machines. If the client is running on the same machine as the server then you can use the -auto_login_local

The next step is to create a certificate request :

orapki wallet add -wallet . -dn "CN=client,O=oracle,C=ro" -keysize 1024 -pwd "Welcome2"
orapki wallet export -wallet . -dn "CN=client,O=oracle,C=ro" -request ./certificate_request.txt -pwd "welcome1"

Copy the certificate request from the "client" directory to the "server" directory:

scp certificate_request.txt oracle@192.168.1.101:/u01/app/oracle/server_wallet

Sign the certificate of the client and also export server's CA certificate:

$> cd /u01/app/oracle/server_wallet
$> orapki cert create -wallet . -request ./certificate_request.txt -cert ./signed_certificate.cert -validity 365 -pwd "welcome1"
$> orapki wallet export -wallet /u01/app/oracle/server_wallet -dn "CN=server" -cert server_ca.cert

Note: The server's auto login wallet is used as a certificate authority. By using this method you will avoid using a real CA to sign the certificates of the clients.

Copy the signed certificate(signed_certificate.cert) and the server's root certificate ( server_ca.cert) to the client's wallet directory and import them into client's wallet:

$> cd  /u01/app/oracle/server_wallet
$> cp signed_certificate.cert /u01/app/oracle/client_wallet/
$> cp server_ca.cert /u01/app/oracle/client_wallet/

$> orapki wallet add -wallet . -trusted_cert -cert ./server_ca.cert -pwd "welcome2"
$> orapki wallet add -wallet . -user_cert -cert ./signed_certificate.cert -pwd "welcome2"

3) Create the user within the database

SQL> create user client identified externally as 'CN=client,O=oracle,C=ro';
SQL> grant create session to client;

Note: The user within the database has to be created specifying the distiguished name (DN) on their certificate. The user certificate created earlier had the DN 'CN=client,O=oracle,C=ro' so we have to use the same string while creating the user in the database

Note: Steps 2) & 3) can be repeated for all the users that will be authenticated using SSL. In the example we configured the database user and the client wallet and the certificates for a generic user called "client" but the same steps apply to any user.

After performing all the above steps we have all the needed certificates for both the server and the client in the server_wallet and client_wallet directories on the database server machine. Furthermore we do have an user in the database that is associated with the DN of the certificate stored in the client's wallet. We executed all these steps on the same machine(on the DB Server) just to emphasize the idea that we can centralize the configuration of the SSL authentication.  For a large user population we can repeat steps 2) and 3) until we get the wallets with the right certificates for all the users and have all the users created in the database.

4) Configuring server side listener

Configure a TCPS listener address

Use Net Manager to create an new TCPS listener or add new TCPS address to an existing listener. You will also need to add the wallet location. For example,

LISTENER =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = seclin4.ro.oracle.com)(PORT = 1521))
     )
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCPS)(HOST = seclin4.ro.oracle.com)(PORT = 1522))
     )
  )

WALLET_LOCATION =
  (SOURCE=
   (METHOD=File)
    (METHOD_DATA=
     (DIRECTORY=/u01/app/oracle/server_wallet)))

5) Configuring server side sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /u01/app/oracle/server_wallet)
    )
   )

6) Configuring client side sqlnet.ora

In the client sqlnet.ora set TCPS as an authentication method and set the wallet location,

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
   (METHOD_DATA =
   (DIRECTORY = /u01/app/oracle/client_wallet)
   )
  )

7) Configuring client side tnsnames.ora

Use Net Manager or Net Configuration Assistant to create a service name using TCPS, e.g.

ORCLSSL =
  (DESCRIPTION =
    (ADDRESS_LIST =
     (ADDRESS = (PROTOCOL = TCPS)(HOST = seclin4.ro.oracle.com)(PORT = 1522))
    )
    (CONNECT_DATA =
     (SERVICE_NAME = ORCL)
    )
   )

8) Configuring the database

The database parameter OS_AUTHENT_PREFIX must be null and REMOTE_OS_AUTHENT must be FALSE:

SQL> alter system set remote_os_authent=FALSE scope=spfile;
SQL> alter system set os_authent_prefix='' scope=spfile;

The instance will need to be restarted for these changes to take effect.

9) Testing the configuration

The first test is to confirm the client is able to tnsping the alias for the TCPS listener.This will confirm that the client wallet is properly accessible by the client:

$> tnsping ORCLSSL

TNS Ping Utility for Linux: Version 10.2.0.2.0 - Production on 29-NOV-2006 10:16:32

Copyright (c) 1997, 2005, Oracle. All rights reserved.

Used parameter files:
/u01/10.2/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.171.112.16)(PORT = 1522))) (CONNECT_DATA = (SID = v10g)))
OK (100 msec)

The second test is to connect as the user that is associated with the certificate stored in the wallet:

$> sqlplus /@ORCLSSL

SQL*Plus: Release 10.2.0.2.0 - Production on Wed Nov 29 10:17:27 2006

Copyright (c) 1982, 2005, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>SQL> select user from dual;

USER
------------------------------
CLIENT

Move SYS.AUD$ table out of SYSTEM tablespace

How to move the database audit trail tables(  SYS.AUD$ & SYS.FGA_LOG$) to another tablespace using DBMS_AUDIT_MGMT?
-------------------------------------------------------

Note : This move operation can be performed even when the database is up and an audit trail is being written

1) Check the current tablespace of the audit trail tables:

CONN / AS SYSDBA

SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name IN ('AUD$', 'FGA_LOG$') ORDER BY table_name; 2

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           SYSAUX
FGA_LOG$                       SYSAUX


2) Check the current size of two tables:

select segment_name,bytes/1024/1024 size_in_megabytes from dba_segments where segment_name in ('AUD$','FGA_LOG$');

SEGMENT_NAME         SIZE_IN_MEGABYTES
-------------------  -----------------------------
AUD$                 12
FGA_LOG$             .0625

3) Create a new tablespace and make sure that it's size is large enough for the tables that will be moved:

SQL> create tablespace audit_tbs datafile '/u01/app/oracle/oradata/d1v11202/audit_tbs1.dbf' size 100M autoextend on;

Tablespace created.

4) Move the audit trail tables using procedure DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION.

SQL> BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,--this moves table AUD$
audit_trail_location_value => 'AUDIT_TBS');
END;
/
PL/SQL procedure successfully completed.

SQL> BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,--this moves table FGA_LOG$
audit_trail_location_value => 'AUDIT_TBS');
END;
/
PL/SQL procedure successfully completed.

4)  Check  whether the tables were moved successfully:

SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name IN ('AUD$', 'FGA_LOG$') ORDER BY table_name;

TABLE_NAME              TABLESPACE_NAME
----------------------- ------------------------------
AUD$                     AUDIT_TBS
FGA_LOG$                 AUDIT_TBS

NOTE :
=======
The requirement for the introduction of this package came from Audit Vault. Currently it is not supported to use the DBMS_AUDIT_MGMT package on a pre 11gR2(11.2.0.1)
instance which is not an Audit Vault source database. Its features include the purge of audit records and can be used to move the audit tables AUD$ and FGA_LOG$ to another tablespace.

Audit Trails with dbms_audit_mgmt, which has been officially introduced/supported in Oracle 11g R2.

The DBMS_AUDIT_MGMT package is installed by default in Oracle 11.2, and in patchsets 10.2.0.5 and 11.1.0.7 but has also been made available as a separately installable patch for other versions.

----------------

Script to move SYS.AUD$ table out of SYSTEM tablespace
-------------------------------------------------------
- Restart the database with audit_trail=NONE before running the script ---

create tablespace "AUDIT"
   datafile '$HOME/data/aud01.dbf' size 500k
      default storage (initial 100k next 100k pctincrease 0) ;

create table audx tablespace "AUDIT"
   storage (initial 50k next 50k pctincrease 0)
      as select * from aud$ where 1 = 2 ;

rename AUD$ to AUD$$ ;

rename audx to aud$ ;

create index i_aud2
  on aud$(sessionid, ses$tid)
    tablespace "AUDIT" storage(initial 50k next 50k pctincrease 0);

Enable Standard Database Auditing

Enable Standard Auditing

SQL> show parameters audit_trail

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      NONE

SQL> alter system set audit_trail=db scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> Startup
ORACLE instance started.
Total System Global Area  440401920 bytes
Fixed Size                  1249440 bytes
Variable Size             109055840 bytes
Database Buffers          322961408 bytes
Redo Buffers                7135232 bytes
Database mounted.
Database opened.

SQL> show parameters audit_trail

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      DB


SQL> audit all on scott.emp by access;

Audit succeeded.

SQL> update emp set sal=sal*0.95 where job='MANAGER';

3 rows updated.


You will get the following record in the audit trail:

SQL> select username, owner, obj_name, action_name, sql_text from dba_audit_trail;

USERNAME   OWNER      OBJ_NAME             ACTION_NAME     SQL_TEXT
---------- ---------- -------------------- --------------- --------------------
SCOTT      SCOTT      EMP                  UPDATE


If however you change the audit trail to DB_EXTENDED and restart the database:

SQL> alter system set audit_trail='db_extended' scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> Startup
ORACLE instance started.
Total System Global Area  440401920 bytes
Fixed Size                  1249440 bytes
Variable Size             113250144 bytes
Database Buffers          318767104 bytes
Redo Buffers                7135232 bytes
Database mounted.
Database opened.
SQL> show parameters audit_trail

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      DB_EXTENDED


The same activity will produce a record with the text:

SQL> select username, owner, obj_name, action_name, sql_text from dba_audit_trail;

USERNAME   OWNER      OBJ_NAME             ACTION_NAME     SQL_TEXT
---------- ---------- -------------------- --------------- --------------------
SCOTT      SCOTT      EMP                  UPDATE
SCOTT      SCOTT      EMP                  UPDATE          update emp set sal=s
                                                           al*0.95 where job='M
                                                           ANAGER'
Note
====
You can also use the following syntax:

SQL> alter system set audit_trail='db','extended' scope=spfile;
System altered.
Or:
SQL> alter system set audit_trail=db,extended scope=spfile;
System altered.

But you can’t use ‘DB,EXTENDED’—which is a little confusing at first:

SQL> alter system set audit_trail='db,extended' scope=spfile;
alter system set audit_trail='db,extended' scope=spfile
*
ERROR at line 1:
ORA-00096: invalid value xml,extended for parameter audit_trail, must be from among extended, xml, db_extended, false, true, none, os, db

Oracle Case-Sensitive Passwords

In Oracle Database prior to release 11g, user passwords were case insensitive. For example:

SQL> conn scott/tiger
Connected.
SQL> conn scott/TIGER
Connected.

This arrangement presents a problem for standards such as the Payment Card Industry (PCI) Data Security Standard, which require passwords to be case sensitive.

Problem solved; in Oracle Database 11g passwords can be case sensitive as well. While creating the database via DBCA, you will be prompted whether you want to upgrade to the "new security standards," one of which is the case-sensitive password. If you accept, passwords will be recorded in the same case as they were created. Here is the resulting behavior, assuming you have accepted the new standard:

SQL> conn scott/tigger
Connected.
SQL> conn scott/TIGGER
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

Note how "tigger" and "TIGGER" are treated differently.

Now, some of your apps may not be passing the password in proper case right now. A typical example is a user input form: Many forms accept passwords with no case conversion being performed. However, with Oracle Database 11g, that login may fail unless the user enters the password in case-sensitive format or the developer changes the app to convert to upper or lower case (which may not be possible quickly).

If you wish, however, it is still possible to revert to case insensitivity by altering a system parameter, SEC_CASE_SENSITIVE_LOGON, as shown in the example below.

SQL> conn / as sysdba
Connected.
SQL>  alter system set sec_case_sensitive_logon = false;

System altered.

SQL> conn scott/TIGER
Connected.     

When you upgrade an existing Oracle 10g database to 11g, you can migrate your passwords to the new standard. You can check the status of the password by querying the DBA_USERS view, especially the new column PASSWORD_VERSIONS.

select username, password, password_versions
from dba_users;

USERNAME                  PASSWORD                       PASSWORD
-------------------------             ------------------------------                --------
SYSTEM                                                   10G 11G
SYS                                                      10G 11G
MGMT_VIEW                                                10G 11G

The first thing you notice is that the password column is NULL, not populated with the hashed value as it is in Oracle Database 10g and prior versions. So what happened to the password? It's still stored in the database (in the table USER$) but it is not visible in the DBA_USERS view. When the user is created as either global or externally authenticated, the status is indicated—GLOBAL or EXTERNAL—but the hash value of the password is not displayed.

Next, note the column PASSWORD_VERSIONS, which is new in Oracle Database 11g. This column signifies the case sensitivity of the password. The value "10G 11G" signifies that the user was either created in 10g and migrated to 11g or created in 11g directly.

Oracle Default Passwords

Oracle Database 11g now offers a way to quickly identify users with default passwords, implemented in the rather ludicrously simple way of checking a single data dictionary view: DBA_USERS_WITH_DEFPWD. (Note that DBA_ is a standard prefix; it does not contain only DBA users with default passwords.) You can identify these users by issuing:

select *
from dba_users_with_defpwd

And here is the output:


USERNAME
------------------------------
DIP
MDSYS
WK_TEST
CTXSYS
OLAPSYS
OUTLN
EXFSYS
SCOTT
MDDATA
ORDPLUGINS
ORDSYS
XDB
LBACSYS
SI_INFORMTN_SCHEMA
WMSYS

You can see SCOTT listed above, because his password is TIGER, the default one. Change it with:

SQL> alter user scott identified by tiger1;

User altered.

Now if you check the view:

SQL> select * from dba_users_with_defpwd;

You won't see SCOTT on the list anymore. It's that simple!


- Script to check for Default Passwords being used for some common usernames. (8.1.7 - 11.1.0.7)

select username "User(s) with Default Password!", account_status "Status"
 from dba_users
 where password in
('E066D214D5421CCC',  -- dbsnmp
 '24ABAB8B06281B4C',  -- ctxsys
 '72979A94BAD2AF80',  -- mdsys
 '9AAEB2214DCC9A31',  -- mdsys
 'C252E8FA117AF049',  -- odm
 'A7A32CD03D3CE8D5',  -- odm_mtr
 '88A2B2C183431F00',  -- ordplugins
 '7EFA02EC7EA6B86F',  -- ordsys
 '9B616F5489F90AD7',  -- ordcommon
 '4A3BA55E08595C81',  -- outln
 'F894844C34402B67',  -- scott
 '3F9FBD883D787341',  -- wk_proxy
 '79DF7A1BD138CF11',  -- wk_sys
 '7C9BA362F8314299',  -- wmsys
 '88D8364765FCE6AF',  -- xdb
 'F9DA8977092B7B81',  -- tracesvr
 '9300C0977D7DC75E',  -- oas_public
 'A97282CE3D94E29E',  -- websys
 'AC9700FD3F1410EB',  -- lbacsys
 'E7B5D92911C831E1',  -- rman
 'AC98877DE1297365',  -- perfstat
 '66F4EF5650C20355',  -- exfsys
 '84B8CBCA4D477FA3',  -- si_informtn_schema
 'D4C5016086B2DC6A',  -- sys
 '5638228DAF52805F',  -- sys
 'D4DF7931AB130E37')  -- system
/