Archive for February, 2023|Monthly archive page

Oracle Cloud Guard and Hybrid Tablespace Encryption

In Cloud, Data, DBA, Security and auditing on February 24, 2023 at 11:16

“There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government” – Bruce Schneier

What is Hybrid Tablespace Encryption? With the latest release updates of Oracle 19c (19.16 and above; 19.18 is the latest as of February 2023), it is now possible to decrypt redo operations in hybrid cloud DR configurations where the cloud database is encrypted with TDE (Transparent Data Encryption) and the on-prem database is not.

We are seeing more and more on-prem Oracle databases using Data Guard with the standby database in the cloud, mostly in OCI. When the on-prem database is not using TDE and the cloud one is, it is important to ensure that redo data is encrypted during the transportation process. The Advanced Security Option plays a key role here, as this new feature is controlled via the (dynamic) TABLESPACE_ENCRYPTION initialization parameter.

V$PARAMETER_VALID_VALUES shows the accepted values of all database init.ora parameters. Here is what we have for tablespace encryption (viewable even in ADB):

In a multitenant environment, remember that you need to change the value of TABLESPACE_ENCRYPTION in the root container. You cannot set TABLESPACE_ENCRYPTION in a PDB.

Here is how to set up the encryption, depending on (1) whether or not you have the Advanced Security Option and (2) how you would like to encrypt:

  • AUTO_ENABLE is the default for cloud databases. It encrypts all new tablespaces if you have the Oracle Advanced Security license.
    • If an existing tablespace is not encrypted, then the database writes a warning to the alert log.
    • Encrypted tablespaces cannot be converted to unencrypted tablespaces.
    • Because all tablespaces must be encrypted in OCI, setting TABLESPACE_ENCRYPTION to DECRYPT_ONLY or MANUAL_ENABLE will be ignored in the cloud and the database will behave as if the setting is AUTO_ENABLE.
    • In the primary database, this setting encrypts the new tablespace with an encryption key.
    • In a standby database, this setting adds a key to the new tablespace and encrypts all blocks.
  • DECRYPT_ONLY prevents new tablespaces from being encrypted. Use it in your on-prem database in case you do not have the Advanced Security Option.
    • If an existing tablespace is encrypted, then the database writes a warning to the alert log.
    • Unencrypted tablespaces cannot be changed to encrypted tablespaces!
  • MANUAL_ENABLE enables you to selectively encrypt tablespaces if the database is licensed for Oracle Advanced Security. This is the default for both on-prem primary and standby databases.

Note that (1) for RAC, set TABLESPACE_ENCRYPTION to the same value for all instances of the primary database, and for all instances of the standby database and (2) modifying TABLESPACE_ENCRYPTION does not affect the master key rotation operations.
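The checks and the setting described above, written out as SQL. This is an added example, not from the original post; it assumes a privileged session in the root container with access to the V$ and CDB_ views, and the DECRYPT_ONLY value in the last statement only illustrates the on-prem case without the Advanced Security Option.

```sql
-- Added example (not from the original post). Run as a privileged user
-- connected to the root container of the CDB.

-- 1. Confirm the session is in CDB$ROOT: the parameter cannot be set in a PDB.
SELECT SYS_CONTEXT('USERENV', 'CON_NAME') AS container FROM dual;

-- 2. Accepted values for the parameter, and which one is the default here.
SELECT value, isdefault
FROM   v$parameter_valid_values
WHERE  LOWER(name) = 'tablespace_encryption'
ORDER  BY ordinal;

-- 3. Value in effect on each instance. On RAC every row must show the same
--    value (check the primary and the standby separately).
SELECT inst_id, value
FROM   gv$parameter
WHERE  name = 'tablespace_encryption'
ORDER  BY inst_id;

-- 4. Encryption state of every tablespace in every container.
--    Under AUTO_ENABLE, a 'NO' row is what produces the alert-log warning;
--    under DECRYPT_ONLY, a 'YES' row does.
SELECT c.name AS container,
       t.tablespace_name,
       t.contents,
       t.encrypted
FROM   cdb_tablespaces t
JOIN   v$containers c ON c.con_id = t.con_id
ORDER  BY c.name, t.tablespace_name;

-- 5. On-prem database without the Advanced Security Option: stop new
--    tablespaces from being encrypted. SCOPE = SPFILE records the value for
--    all instances; it is picked up at the next instance start.
ALTER SYSTEM SET tablespace_encryption = 'DECRYPT_ONLY' SCOPE = SPFILE SID = '*';
```

Re-run query 3 after the change to confirm that all instances report the same value.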

On the second topic, Oracle Cloud Guard helps maintain a good security posture by detecting weak security configurations and activities that can indicate cloud security risks. Cloud Guard detects security problems within a customer tenancy by ingesting audit and configuration data about resources in each region, processing it based on detector rules, and correlating the problems at the reporting region. Identified problems are used to produce dashboards and metrics and may also trigger one or more of the provided responders to help resolve the problem.

Here are the key features of Oracle Cloud Guard:

  • Detects misconfigured resources and identifies risky activities.
  • Delivers out-of-the-box recipes that apply security best practices with a few clicks.
  • Provides automated responders to trigger corrective actions.
  • Gives a global view of the customer’s overall security posture for their OCI tenancy, including security and risk scores and activity maps.

Enabling Cloud Guard is simple. The first step is to select/define the policies and then select some basic information:

And just click the “Enable” button.

Here is more information on Oracle Cloud Guard, which now includes the new Threat Detector!

10 OCI tips for end users and administrators

In Cloud, DBA, OCI on February 2, 2023 at 11:49

The OCI console interface changes rather often and new features are added on a monthly basis. Some features are very intuitive, and for some one needs to go to the OCI documentation or MOS (links included below).

Even when using the OCI console and dashboard on a daily basis, there are still a few actions that are performed only sporadically or just once.

Here are 10 tips on how to manage some of the less common operations within OCI:

Tip 1. If you need to change the Tenancy Administrator (Doc ID 2869402.1), you need to do the following 2 things (not possible to do it online via the GUI):

– Submit MOS SR using the Customer Support CSI with the following mandatory information:

Cloud Account (Tenancy) Name:
Current Tenancy Admin : <User name and email>
New/Desired Tenancy Admin : <User name and email>
Order Number and/or Subscription ID:


– Approval email from VP/CIO contact, the attachment format must be in email/message format (.msg, .EML, .pdf), not a screenshot.

Tip 2. If you need to increase your limits in OCI (Doc ID 2434814.1), the instructions in the MOS note are not very straightforward. Here is how to do it:

  • Hit the Help button (the question mark) and then choose “Visit the Support Center”:
  • Then click on the blue “Create Support Request” button. From “Limit Increase”, select the category and then the resource:

For example, if you select FastConnect, you have the following options:

Tip 3. If you need to change the bandwidth for FastConnect (Doc ID 2922934.1), you need to complete the following steps:

  • Log into the OCI console, select Networking and then FastConnect
  • Click Edit to update the provisioned bandwidth value
  • Select the provisioned bandwidth value
  • Click Save Changes

Note that you have 2 options when selecting the provisioned bandwidth:

The Lifecycle state will be updated to Provisioned once saved.

Here are some additional OCI tips which I find interesting and important:

Tip 4. You might want to find the private IP address consumption of the OCI Load Balancer (Doc ID 2850625.1)

Tip 5. How to change the default DATA_PUMP_DIR to a new directory at PDB level for an OCI DB system (Doc ID 2630666.1)

Tip 6. How to use Data Pump to import from File Systems Storage in OCI DBCS (Doc ID 2511714.1)

Tip 7. How to provide access roles to users in new unified OCI console (Doc ID 2590671.1)

Tip 8. How to add a new SSH key to an existing DB system instance (Doc ID 2687638.1)

Tip 9. How to Import Custom Images to OCI (Doc ID 2330167.1)

Tip 10. How to change the idle timeout for a network Load Balancer (Doc ID 2921943.1)

Last note: Oracle does not support changing the software edition of a database cloud instance by, say, recompiling the binaries. You have to recreate the instance from a backup of the existing instance and choose the appropriate software edition. If you need an edition change option with minimum downtime or need to migrate from single instance to RAC, you can use the Zero Downtime Migration Utility.