Editor Jan 24 2007 update: Expanded on logical standby restrictions.
Stories of lost backup tapes have become embarrassingly common. UPS lost Citigroup backup tapes containing personal information for 3.9 million customers. Bank of America backup tapes containing personal information for 1.2 million federal employees were stolen off a commercial plane. Marriot lost backup tapes with personal information for over 200,000 employees and customers. Iron Mountain lost Time Warner backup tapes containing personal information on 40,000 Time Warner employees. And the list just keeps getting longer...
If one assumes that any small physical object can be lost, then the odds of your losing a backup tape increase with every backup that you make. One suboptimal option for reducing your risk of loss is to to stop making backups. I wouldn't recommend that.
Encrypting E-Business Suite Data
A better option is to ensure that your backups are encrypted with the 10gR2 Database Transparent Data Encryption feature in the Oracle Advanced Security Option, reducing the risk of security breaches if backup tapes are physically lost or stolen.
Transparent Data Encryption (TDE) is now certified with the E-Business Suite, allowing you to encrypt selected columns in the E-Business Suite's database files. This encryption is transparent to the E-Business Suite during runtime and requires no E-Business Suite patches. Backups of E-Business Suite database files are encrypted, requiring an Oracle Wallet for decryption. Database files can be encrypted with the following cryptographic algorithms:
- Triple Data Encryption Standard (3DES)
- Advanced Encryption Standard (AES): 128, 192, and 256 bit
- E-Business Suite 11.5.9 with Consolidated Update 2 or higher
- 10gR2 Database 10.2.0.2
and DataGuard in logical standby mode. (Remember that LogMiner does not support a number of data types used in the E-Business Suite; physical standby is recommended for Apps environments.)
For complete details, including a list of recommended columns to encrypt, see:
- Using Transparent Data Encryption with the E-Business Suite (Metalink Note 403294.1)
- Interoperability Notes: Oracle Applications Release 11i with Oracle Database 10g Release 2 (Metalink Note 362203.1)
Comments (16)
Since Logical Standby is not supported w/ 11i is there a reason why it should even be mentioned in TDE note? Or Is Logical Standby supported for 11i now?
Thanks
Ganesh
Posted by Ganesh | January 24, 2007 8:55 AM
Posted on January 24, 2007 08:55
Ganesh,Good observation. Logical standby is not supported for E-Business Suite environments. We recommend physical standby. Restrictions around logical standby are noted in the formal documentation to warn readers from considering the use of that technology.I've updated the article with a small clarification on this point; thanks for highlighting it.Regards,Steven
Posted by Steven Chan | January 24, 2007 9:18 AM
Posted on January 24, 2007 09:18
Floyd, I'll look into this. I'll post an update here as soon as I have more details.Regards,Steven
Posted by Steven Chan | January 24, 2007 2:54 PM
Posted on January 24, 2007 14:54
Steven,
Does the certification include HRMS? Checking Metalink Bug 4349886 (the enhancement request for support of TDE with HRMS), I don't see any resolution...
--Floyd--
Posted by Floyd Teter | January 24, 2007 3:00 PM
Posted on January 24, 2007 15:00
Floyd,I've confirmed that HRMS customers do not have to wait for bug 4349886 any more. They can proceed with encrypting Personally Identifiable Information using procedures as described in the Transparent Data Encryption Note.Please be aware that the Note does identify some restrictions, and stresses the importance of performance testing prior to production deployments.Let us know how this works out for you.Regards,Steven
Posted by Steven Chan | January 24, 2007 4:06 PM
Posted on January 24, 2007 16:06
Outstanding. I'll let you know how it goes! Thank you for chasing down this info.
--Floyd--
Posted by Floyd Teter | January 25, 2007 10:33 AM
Posted on January 25, 2007 10:33
Dave,I don't know if there would be any issues with this approach, as we haven't had the opportunity to test this configuration. I haven't heard of any customers doing this, but that doesn't necessarily mean much.Our official recommendation for reporting requirements is to scale up your database tier via Real Application Clusters (but you probably already knew that).Regards,Steven
Posted by Steven Chan | February 12, 2007 1:22 PM
Posted on February 12, 2007 13:22
I understand that logical standby isn't support in EBS because there are quite a few objects that wouldn't be captured. So it couldn't act as a failover for production. However, we would like to use a logical standby database for reporting needs. If the objects that aren't maintained are not required for reporting, do you see any issues? Do you know of any customers who use the logical standby database feature for reporting in EBS?
Posted by Dave | February 12, 2007 1:27 PM
Posted on February 12, 2007 13:27
Steven/Floyd,
It looks as if ANS/ANO (Advanced Networking Security Option) is required for TDE? I'm pretty sure that ANO (or ANS as it's now called or viceversa.. :-) is not free.
Is there a separate license charge for TDE?
thx
Posted by John Stouffer | November 26, 2007 2:20 PM
Posted on November 26, 2007 14:20
John,I'm pretty sure that you're right about that, but the bundling and packaging of various optional database features varies too fast for us in Development to follow. If you're looking for a definitive answer, I'd recommend contacting the Oracle account manager for your current customer to verify the latest licencing status of these options.Regards,Steven
Posted by Steven Chan | November 26, 2007 4:02 PM
Posted on November 26, 2007 16:02
Steve/Ganesh,
Is TDE supported with R12?
cheers,
Ram.
Posted by Ram | March 26, 2008 2:25 PM
Posted on March 26, 2008 14:25
Ram,Not yet. We'll be working on this certification later this year. You're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as soon as they're available. Regards,Steven
Posted by Steven Chan | March 28, 2008 11:36 AM
Posted on March 28, 2008 11:36
Steve/Ganesh,
i have a big german customer insterested in TDE with R12.
What is the current certification status ?
Regards,
Elena
Posted by Elena | May 30, 2008 5:43 AM
Posted on May 30, 2008 05:43
Elena,We're working on this certification right now. I don't have firm schedules for this certification yet, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as soon as they're available. Regards,Steven
Posted by Steven Chan | May 30, 2008 10:31 AM
Posted on May 30, 2008 10:31
Steve,
Any update on TDE certification with R12?
Thanks,
Sri
Posted by Sri | February 9, 2009 8:20 AM
Posted on February 9, 2009 08:20
Hi, Sri,
The 10.2.0.4 Database TDE has been certified with EBS Release 12; see:
10gR2 10.2.0.4 Database Certified with Apps 12 - http://blogs.oracle.com/stevenChan/2008/08/10gr2_10204_database_certified_with_apps_12.html
Is that the combination you were interested in? We're still working on the 11gR1 TDE + EBS R12 configuration right now.
Regards,
Steven
Posted by Steven Chan | February 9, 2009 3:41 PM
Posted on February 9, 2009 15:41