Oracle Database Vault Integration in SWPM
TRANSCRIPT
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Oracle Database Vault Integration in SWPM
Oracle Database Vault 12c
Andreas Becker, Principal Member Technical Staff, SAP Development, Oracle Server Technologies
June 19, 2017
DOAG SIG Oracle und SAP, June 19, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
1. Oracle Database Vault 12c
2. Oracle Database Vault Integration in SWPM
3. Further Considerations
Oracle Database Vault and Cloud
Oracle Database Vault
SAP NetWeaver, Oracle Cloud and Oracle Database Vault
This could be a separate presentation in the future.
Oracle Database Vault 12c
Oracle Database Vault – Status and Comparison
Oracle Database 11g Release 2
• DV enabled in Oracle Home
• ~10 separate SAP Notes
• DV installation: manual only (*)
– SWPM: no support for DV
Oracle Database 12c Release 1
• DV enabled in Database (!!)
• One (!) SAP Note 2218115
• DV installation: manual or SWPM
– SWPM (SP21+): support for DV
(*) DV installation/configuration as manual task. Required after SAP system install, SAP system copy or SAP system rename (post-config task)
Oracle Database Vault Integration in SWPM
Oracle Database Vault Integration in SWPM
Prerequisites
• SAP Software Provisioning Manager (SWPM) SP21 and higher
• Oracle Database 12c Release 1 and higher
• Oracle Database Vault Patch 9656644 must be installed
– PL/SQL scripts from this patch are used by SWPM to install and configure Database Vault. If the patch is not installed, the installation will fail.
Reference: SAP Note 2218115
Oracle Database Vault Integration in SWPM
Integration Levels
| Step | Basic (Level 1) | Standard (Level 2) | Full (Level 3) |
|---|---|---|---|
| Install OLS/DV | Yes (*) | Yes (*) | Yes (*) |
| Create DV Admin Accounts | - | Yes (*) | Yes (*) |
| Configure OLS/DV | - | Yes (*) | Yes (*) |
| Create DV Policy for SAP | - | - | Yes (**) |
| Enable DV | - | - | Yes (**) |
(*) Task for DBA (e.g. SYS)
(**) Task for DV Security Administrator (DV_OWNER, DV_ADMIN) e.g. SECADMIN
Reference: SAP Note 2218115
Oracle Database Vault Integration in SWPM
Integration Level Standard (Level 2) - Install DV
(*) Task for DBA (e.g. SYS)
Oracle Database Vault Integration in SWPM
Integration Level Full (Level 3) – Install and Enable DV
(*) Task for DV Security Administrator (DV_OWNER, DV_ADMIN) e.g. SECADMIN
Oracle Database Vault Integration in SWPM
SWPM Dialogs for System Copy (Backup/Restore)
Oracle Database Vault Integration in SWPM
Recommendation for Integration Level
• Which level is recommended?
– Basic (level 1) is not supported (at the moment)
– Use Standard (level 2) or Full (level 3) according to your requirements
• Level 2: install components and users, but do not enable DV
– requires manual enabling of Database Vault by SECADMIN afterwards
– For details, see SAP Note 2218115
• Level 3: install components and users, install DV policy and enable DV
– DV is fully installed and enabled
Oracle Database Vault Integration in SWPM
Recommendation
• When should I install Database Vault in an SAP system?
– Only when required (business requirement for DV)
– Principle of "minimum installation": do not install software, components or users when not needed
– Note: you need a Database Vault license!!!
Oracle Database Vault Integration in SWPM
Advantages
• Automatic installation and configuration of Database Vault for an SAP system in the following scenarios (SAP admin tasks):
– SAP system installation, SAP system copy, SAP system rename
• Manual installation according to SAP Note 2218115 is still possible.
Oracle Database Vault Integration in SWPM
Restrictions and Current Limitations in SWPM SP21
Restrictions:
• No DV support in SWPM for SAP MCOD installations
• No DV support in SWPM for Oracle databases < 12.1
Current Limitations:
• No DV support for SAP systems with Oracle Multitenant (CDB/PDB)
DV_PATCH_ADMIN Role
SWPM Implementation Details
• DV_PATCH_ADMIN role
– enables SYS for the following tasks:
  • Perform patch post-install steps
  • Manage database users (CREATE, ALTER, DROP)
– SWPM uses DV_PATCH_ADMIN role to work on the configuration of an SAP system where DV is already enabled
  • SAP system rename
  • SAP system copy
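The integration-level steps and the DV_PATCH_ADMIN usage described on the slides above can be checked after an SWPM run with a read-only dictionary query. This is an added example, not taken from the slides, SWPM or SAP Note 2218115; it assumes a session that may read DBA_REGISTRY, V$OPTION and DBA_ROLE_PRIVS, and the relates_to text is this example's own mapping to the slide steps.

```sql
-- Added example (not from the slides or SAP Note 2218115): read-only
-- post-install report that relates dictionary state to the SWPM steps.
-- Assumes SELECT access to DBA_REGISTRY, V$OPTION and DBA_ROLE_PRIVS.
-- No blank lines inside the statement, so it pastes cleanly into SQL*Plus.
SELECT 'component ' || comp_id       AS check_item,
       status                         AS observed,
       'Install OLS/DV (all levels)'  AS relates_to
FROM   dba_registry
WHERE  comp_id IN ('OLS', 'DV')
UNION ALL
-- 'Oracle Database Vault' = TRUE only once DV has been enabled.
SELECT 'option ' || parameter,
       value,
       'Enable DV (level 3, or manual enable after level 2)'
FROM   v$option
WHERE  parameter IN ('Oracle Label Security', 'Oracle Database Vault')
UNION ALL
-- Role grants: DV administrators, plus any holder of DV_PATCH_ADMIN.
SELECT 'role ' || granted_role,
       grantee,
       CASE granted_role
         WHEN 'DV_PATCH_ADMIN'
           THEN 'Review: used by SYS for patching, system copy or rename'
         ELSE 'Create DV Admin Accounts (level 2 and 3)'
       END
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_PATCH_ADMIN')
ORDER  BY 1, 2;
```

On a level 2 system the 'Oracle Database Vault' option stays FALSE until SECADMIN enables it. The slides do not say whether SWPM revokes DV_PATCH_ADMIN from SYS after a system copy or rename, so a remaining grant is worth checking against your own patching policy.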
Further Considerations
Support for Oracle Database Security in SWPM
Further Considerations
Plans for Future SWPM Integrations of Oracle Database Security Features
| SWPM Support for … | Current status |
|---|---|
| Database Vault | OK (SWPM SP 21) |
| -> Database Vault and Multitenant | Planned (SWPM SP > 21) |
| -> Database Vault in existing SAP system (post-config) | Not planned (depending on customer request) |
| Transparent Data Encryption (TDE) | Planned (SWPM SP > 21) |
| Network Encryption | Planned |
| Unified Auditing | Planned |
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.