Preface

Oracle Security Overview presents the basic concepts of data security in an Internet environment. It outlines fundamental data security requirements and explains the risks that threaten the integrity and privacy of your data. Several chapters introduce the rich array of technology that can contribute to system security. The book concludes with a survey of the Oracle features and products that implement these technologies.

Together, these products have the potential to control access to all the vulnerable areas of your system. They can help users and administrators to perform their tasks efficiently without jeopardizing the security plan you have put in place.

This preface contains these topics:

• Audience
• Documentation Accessibility
• Organization
• Related Documentation
• Conventions

Audience

Oracle Security Overview is intended for database administrators (DBAs), application programmers, security administrators, system operators, and other Oracle users who perform the following tasks:

• Analyze application security requirements
• Create security policies
• Implement security technologies
• Administer identity management and enterprise user security

To use this document, you need general familiarity with database and networking concepts.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Organization

This document introduces the basic concepts of system security in an Internet environment. It outlines the data security risks that are prevalent today, and the industry-standard technologies available to address them. It then presents the carefully integrated suite of Oracle products you can use to implement these security technologies.

Part I, "Security Challenges"

This part explains the wide range of security risks to the integrity and privacy of data.

Chapter 1, "Data Security Challenges"

This chapter introduces the fundamental concepts of data security, and outlines the threats against which data and systems must be defended.

Part II, "Technical Solutions to Security Risks"

This part introduces the technology available to meet data security challenges.

Chapter 2, "Protecting Data Within the Database"

This chapter describes the fundamental elements of database security.

Chapter 3, "Protecting Data in a Network Environment"

This chapter explains how data can be protected while being transmitted over a network. It covers network access control, encryption, Secure Sockets Layer, and firewalls, as well as security in a three-tier environment.

Chapter 4, "Authenticating Users to the Database"

This chapter describes the wide range of technology available to verify the identity of database, application, and network users.

Chapter 5, "Using and Deploying a Secure Directory"

It can be advantageous to centralize storage and management of user-related information in a directory. This chapter describes how to protect such a directory, and how access can be controlled by using a directory.

Chapter 6, "Administering Enterprise User Security"

This chapter describes the elements that make up a strong enterprise user management facility.

Chapter 7, "Auditing to Monitor System Security"

This chapter describes technology available to monitor the effectiveness of your security policies.

Chapter 8, "The Public Key Infrastructure Approach to Security"

This chapter introduces the public key infrastructure (PKI) approach to security. It describes the components of PKI, and explains why this has become an industry standard.

Part III, "Oracle Security Products"

This part presents the suite of Oracle security products that can meet your data security requirements.

Chapter 9, "Oracle Security Products and Features"

This chapter presents the major security-related products available with Oracle9i, and specifies the way in which each of them implements the kinds of security technologies described in Part II of this book.

Related Documentation

For more information, see these Oracle resources:

• Oracle Database Concepts
• Oracle Database Application Developer's Guide - Fundamentals
• Oracle Database Administrator's Guide
• Oracle Advanced Security Administrator's Guide
• Oracle Internet Directory Administrator's Guide
• Oracle Label Security Administrator's Guide
• Oracle Net Services Administrator's Guide
• Single Sign-On Administrator's Guide
• Oracle Database Java Developer's Guide
• Oracle Database JDBC Developer's Guide and Reference
• Oracle Enterprise Manager Concepts

Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.

In North America, printed documentation is available for sale in the Oracle Store at

http://oraclestore.oracle.com/

Other customers can contact their Oracle representative to purchase printed documentation.

To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at

http://otn.oracle.com/admin/account/membership.html

If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at

http://otn.oracle.com/docs/index.htm

To access the database documentation search engine directly, please visit

http://tahiti.oracle.com

Conventions

This section describes the conventions used in the text and code examples of this documentation set. It describes:

• Conventions in Text
• Conventions in Code Examples

Conventions in Text

We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.

Convention	Meaning	Example
Bold	Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both.	When you specify this clause, you create an index-organized table.
Italics	Italic typeface indicates book titles or emphasis.	Oracle Database Concepts Ensure that the recovery catalog and target database do not reside on the same disk.
UPPERCASE monospace (fixed-width font)	Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles.	You can specify this clause only for a NUMBER column. You can back up the database by using the BACKUP command. Query the TABLE_NAME column in the USER_TABLES data dictionary view. Use the DBMS_STATS.GENERATE_STATS procedure.
lowercase monospace (fixed-width font)	Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	Enter sqlplus to open SQL*Plus. The password is specified in the orapwd file. Back up the datafiles and control files in the /disk1/oracle/dbs directory. The department_id, department_name, and location_id columns are in the hr.departments table. Set the QUERY_REWRITE_ENABLED initialization parameter to true. Connect as oe user. The JRepUtil class implements these methods.
lowercase monospace (fixed-width font) italic	Lowercase monospace italic font represents placeholders or variables.	You can specify the parallel_clause. Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.

Conventions in Code Examples

Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:

SELECT username FROM dba_users WHERE username = 'MIGRATE';

The following table describes typographic conventions used in code examples and provides examples of their use.

Convention	Meaning	Example
[ ]	Brackets enclose one or more optional items. Do not enter the brackets.	DECIMAL (digits [ , precision ])
{ }	Braces enclose two or more items, one of which is required. Do not enter the braces.	{ENABLE | DISABLE}
|	A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.	{ENABLE | DISABLE} [COMPRESS | NOCOMPRESS]
...	Horizontal ellipsis points indicate either: That we have omitted parts of the code that are not directly related to the example That you can repeat a portion of the code	CREATE TABLE ... AS subquery; SELECT col1, col2, ... , coln FROM employees;
. . .	Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.
Other notation	You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.	acctbal NUMBER(11,2); acct CONSTANT NUMBER(4) := 3;
Italics	Italicized text indicates placeholders or variables for which you must supply particular values.	CONNECT SYSTEM/system_password DB_NAME = database_name
UPPERCASE	Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.	SELECT last_name, employee_id FROM employees; SELECT * FROM USER_TABLES; DROP TABLE hr.employees;
lowercase	Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	SELECT last_name, employee_id FROM employees; sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9;