Administering User Security in Oracle Database 12c R2

May 25, 2018 at 4:24 pm | Posted in Oracle, study tips, Technical Tips

Let’s talk about administering user security. If you’ve been studying for your Oracle Database 12c R2 Administration Certified Associate exam, you’ll know there are several security sub-components to be aware of. You have to understand how to create users, grant privileges, create and grant roles, revoke, and create and assign profiles. You also have to know how to authenticate users and assign quotas to specific users as well.

These topics, and specifically the topic of managing complex passwords, remind me of a scene in one of my favorite movies, Ironman 3. Tony Stark (aka Ironman) is self-implanting an electronic device in his arm to prepare for what he describes as the “big brother” to the current Ironman suit, called the Mark 42. He describes this event as the “Autonomous freehand self-propulsion test,” which allows him to just move his arms and call out the different components of his Ironman suit with biometrics.

Just like the old Ironman suit was replaced by the Mark 42, the 11g VERIFY_FUNCTION and VERIFY_FUNCTION_11G password verify functions are deprecated in the 12c release. Those weaker password restrictions have been replaced with stronger authentication verification in 12c. Oracle 12c R2 provides a SQL file named CATPVF.SQL under the standard $ORACLE_HOME/rdbms/admin location. This SQL file holds three specific password verification functions. The purpose of these functions is to make sure that all users within the database create and modify passwords that are considered complex and meet the critical requirements set by the Department of Defense Database Security Technical Implementation Guide (STIG).

The functions are:

ora12c_verify_function
  • No fewer than 8 characters
  • Must include one alphabetic character and one number
  • Excludes both the username and the reverse of the username
  • Excludes the name of database
  • Excludes oracle and oracle123
  • Must differ from the previous password by a minimum of 8 characters
  • Holds one special character
ora12c_strong_verify_function
  • Must have two special characters, two numeric characters, and two upper-case characters
    • Special Character List (‘# ~ ! @ $ % ^ & * ( ) _ – + \ = { } [ ]\ / < > , . ; ? ‘ : | (space))
  • Must be different from the last password by four characters
ora12c_stig_verify_function
  • Must be 15 characters
  • Must include one upper-case and one lower-case character
  • Must have one digit
  • Requires one special character
  • Must differ from your last password by eight characters
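
A verify function only takes effect once it is attached to a profile and that profile is assigned to a user. The following is an added example, not code from the original post: it attaches the STIG function to a profile and then lists open accounts whose effective verify function is not one of the three 12c functions. The names app_stig_profile and app_user are hypothetical.

```sql
-- Added example. app_stig_profile and app_user are hypothetical names.
-- Run as a user with CREATE PROFILE, ALTER USER and access to the DBA_ views.

-- 1. Confirm the three 12c verify functions exist and are valid.
SELECT object_name, status
FROM   dba_objects
WHERE  owner = 'SYS'
AND    object_type = 'FUNCTION'
AND    object_name IN ('ORA12C_VERIFY_FUNCTION',
                       'ORA12C_STRONG_VERIFY_FUNCTION',
                       'ORA12C_STIG_VERIFY_FUNCTION');

-- 2. Attach the STIG function to a profile and assign the profile to a user.
--    The check runs the next time the password is set or changed;
--    existing passwords are not re-validated.
CREATE PROFILE app_stig_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_stig_verify_function;

ALTER USER app_user PROFILE app_stig_profile;

-- 3. Audit: open accounts whose effective verify function is missing
--    or is not one of the 12c functions (for example, a deprecated 11g one).
--    A profile limit of DEFAULT inherits from the DEFAULT profile, and
--    DBA_PROFILES reports an unset function as the text 'NULL'.
SELECT u.username,
       u.profile,
       CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END
         AS effective_verify_function
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
JOIN   dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  u.account_status = 'OPEN'
AND    UPPER(CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END)
       NOT IN ('ORA12C_VERIFY_FUNCTION',
               'ORA12C_STRONG_VERIFY_FUNCTION',
               'ORA12C_STIG_VERIFY_FUNCTION')
ORDER  BY u.username;
```

An empty result from the last query means every open account is covered by one of the three functions listed above.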

Can you imagine using authentication that involves embedding a device under your skin? Maybe that’s just science fiction, and maybe that’s going to be the norm at some point. Now, just maybe, Tony Stark’s “Autonomous freehand self-propulsion test” is using a three-tier backend Oracle 12c R2 database architecture that is already using these advanced complexity functions. Only time will tell, but just know that security is a living, breathing entity that continues to advance into the future.

Regards,

John Brooks

 

