Transparent Data Encryption Certified for Apps 11i

Editor Jan 24 2007 update:  Expanded on logical standby restrictions.

Stories of lost backup tapes have become embarrassingly common. UPS lost Citigroup backup tapes containing personal information for 3.9 million customers.  Bank of America backup tapes containing personal information for 1.2 million federal employees were stolen off a commercial plane.  Marriot lost backup tapes with personal information for over 200,000 employees and customers.  Iron Mountain lost Time Warner backup tapes containing personal information on 40,000 Time Warner employees.  And the list just keeps getting longer...

Transparent Data Encryption:

If one assumes that any small physical object can be lost, then the odds of your losing a backup tape increase with every backup that you make.  One suboptimal option for reducing your risk of loss is to to stop making backups.  I wouldn't recommend that.

Encrypting E-Business Suite Data

A better option is to ensure that your backups are encrypted with the 10gR2 Database Transparent Data Encryption feature in the Oracle Advanced Security Option, reducing the risk of security breaches if backup tapes are physically lost or stolen.  

Transparent Data Encryption (TDE) is now certified with the E-Business Suite, allowing you to encrypt selected columns in the E-Business Suite's database files.  This encryption is transparent to the E-Business Suite during runtime and requires no E-Business Suite patches.  Backups of E-Business Suite database files are encrypted, requiring an Oracle Wallet for decryption.  Database files can be encrypted with the following cryptographic algorithms:
  • Triple Data Encryption Standard (3DES)
  • Advanced Encryption Standard (AES):  128, 192, and 256 bit
  • E-Business Suite 11.5.9 with Consolidated Update 2 or higher
  • 10gR2 Database
There are some potential performance and patching implications, and restrictions around the use of LogMiner based technologies such as Streams
and DataGuard in logical standby mode.  (Remember that LogMiner does not support a number of data types used in the E-Business Suite; physical standby is recommended for Apps environments.)

For complete details, including a list of recommended columns to encrypt, see:


Since Logical Standby is not supported w/ 11i is there a reason why it should even be mentioned in TDE note? Or Is Logical Standby supported for 11i now?


Posted by Ganesh on January 24, 2007 at 12:55 AM PST #

Ganesh,Good observation.  Logical standby is not supported for E-Business Suite environments.  We recommend physical standby.  Restrictions around logical standby are noted in the formal documentation to warn readers from considering the use of that technology.I've updated the article with a small clarification on this point; thanks for highlighting it.Regards,Steven 

Posted by Steven Chan on January 24, 2007 at 01:18 AM PST #

Floyd, I'll look into this.  I'll post an update here as soon as I have more details.Regards,Steven 

Posted by Steven Chan on January 24, 2007 at 06:54 AM PST #


Does the certification include HRMS? Checking Metalink Bug 4349886 (the enhancement request for support of TDE with HRMS), I don't see any resolution...


Posted by Floyd Teter on January 24, 2007 at 07:00 AM PST #

Floyd,I've confirmed that HRMS customers do not have to wait for bug 4349886 any more.  They can proceed with encrypting Personally Identifiable Information using procedures as described in the Transparent Data Encryption Note.Please be aware that the Note does identify some restrictions, and stresses the importance of performance testing prior to production deployments.Let us know how this works out for you.Regards,Steven 

Posted by Steven Chan on January 24, 2007 at 08:06 AM PST #

Outstanding. I'll let you know how it goes! Thank you for chasing down this info.


Posted by Floyd Teter on January 25, 2007 at 02:33 AM PST #

Dave,I don't know if there would be any issues with this approach, as we haven't had the opportunity to test this configuration.  I haven't heard of any customers doing this, but that doesn't necessarily mean much.Our official recommendation for reporting requirements is to scale up your database tier via Real Application Clusters (but you probably already knew that).Regards,Steven 

Posted by Steven Chan on February 12, 2007 at 05:22 AM PST #

I understand that logical standby isn't support in EBS because there are quite a few objects that wouldn't be captured. So it couldn't act as a failover for production. However, we would like to use a logical standby database for reporting needs. If the objects that aren't maintained are not required for reporting, do you see any issues? Do you know of any customers who use the logical standby database feature for reporting in EBS?

Posted by Dave on February 12, 2007 at 05:27 AM PST #


It looks as if ANS/ANO (Advanced Networking Security Option) is required for TDE? I'm pretty sure that ANO (or ANS as it's now called or viceversa.. :-) is not free.

Is there a separate license charge for TDE?


Posted by John Stouffer on November 26, 2007 at 06:20 AM PST #

John,I'm pretty sure that you're right about that, but the bundling and packaging of various optional database features varies too fast for us in Development to follow.  If you're looking for a definitive answer, I'd recommend contacting the Oracle account manager for your current customer to verify the latest licencing status of these options.Regards,Steven 

Posted by Steven Chan on November 26, 2007 at 08:02 AM PST #


Is TDE supported with R12?


Posted by Ram on March 26, 2008 at 07:25 AM PDT #

Ram,Not yet.  We'll be working on this certification later this year.  You're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as soon as they're available.  Regards,Steven 

Posted by Steven Chan on March 28, 2008 at 04:36 AM PDT #

i have a big german customer insterested in TDE with R12.
What is the current certification status ?


Posted by Elena on May 29, 2008 at 10:43 PM PDT #

Elena,We're working on this certification right now.  I don't have firm schedules for this certification yet, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as soon as they're available.  Regards,Steven 

Posted by Steven Chan on May 30, 2008 at 03:31 AM PDT #


Any update on TDE certification with R12?


Posted by Sri on February 09, 2009 at 12:20 AM PST #

Hi, Sri,

The Database TDE has been certified with EBS Release 12; see:

10gR2 Database Certified with Apps 12 -

Is that the combination you were interested in? We're still working on the 11gR1 TDE + EBS R12 configuration right now.


Posted by Steven Chan on February 09, 2009 at 07:41 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed


« July 2016