PK =Aoa,mimetypeapplication/epub+zipPK=AiTunesMetadata.plistL artistName Oracle Corporation book-info cover-image-hash 670453468 cover-image-path OEBPS/dcommon/oracle-logo.jpg package-file-hash 510692553 publisher-unique-id E10575-08 unique-id 662451584 genre Oracle Documentation itemName Oracle® Database 2 Day + Security Guide, 11g Release 2 (11.2) releaseDate 2012-09-19T19:08:40Z year 2012 PK>JQLPK=AMETA-INF/container.xml PKYuPK=AOEBPS/tdpsg_user_accounts.htm Securing Oracle Database User Accounts

3 Securing Oracle Database User Accounts

This chapter contains:


See Also:

Oracle Database Security Guide for detailed information about securing user accounts

About Securing Oracle Database User Accounts

You can use many methods to secure database user accounts. For example, Oracle Database has a set of built-in protections for passwords. This chapter explains how you can safeguard default database accounts and passwords, and describes ways to manage database accounts.

Oracle Database 2 Day DBA describes the fundamentals of creating and administering user accounts, including how to manage user roles, what the administrative accounts are, and how to use profiles to establish a password policy.

After you create user accounts, you can use the procedures in this section to further secure these accounts by following these methods:


See Also:


Predefined User Accounts Provided by Oracle Database

When you install Oracle Database, the installation process creates a set of predefined accounts. These accounts are in the following categories:

Predefined Administrative Accounts

A default Oracle Database installation provides a set of predefined administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX.

To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted in Table 3-1. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".

Table 3-1 lists the administrative user accounts provided by Oracle Database.

Table 3-1 Predefined Oracle Database Administrative User Accounts

User AccountDescriptionStatus After Installation

ANONYMOUS

Account that allows HTTP access to Oracle XML DB. It is used in place of the APEX_PUBLIC_USER account when the Embedded PL/SQL Gateway (EPG) is installed in the database.

EPG is a Web server that can be used with Oracle Database. It provides the necessary infrastructure to create dynamic applications.

Expired and locked

CTXSYS

The account used to administer Oracle Text. Oracle Text enables you to build text query applications and document classification applications. It provides indexing, word and theme searching, and viewing capabilities for text.

See Oracle Text Application Developer's Guide.

Expired and locked

DBSNMP

The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database.

See Oracle Enterprise Manager Grid Control Installation and Basic Configuration.

Open

Password is created at installation or database creation time.

EXFSYS

The account used internally to access the EXFSYS schema, which is associated with the Rules Manager and Expression Filter feature. This feature enables you to build complex PL/SQL rules and expressions. The EXFSYS schema contains the Rules Manager and Expression Filter DDL, DML, and associated metadata.

See Oracle Database Rules Manager and Expression Filter Developer's Guide.

Expired and locked

LBACSYS

The account used to administer Oracle Label Security (OLS). It is created only when you install the Label Security custom option.

See "Enforcing Row-Level Security with Oracle Label Security" and Oracle Label Security Administrator's Guide.

Expired and locked

MDSYS

The Oracle Spatial and Oracle Multimedia Locator administrator account.

See Oracle Spatial Developer's Guide.

Expired and locked

MGMT_VIEW

An account used by Oracle Enterprise Manager Database Control.

Open

Password is randomly generated at installation or database creation time. Users do not need to know this password.

OLAPSYS

The account that owns the OLAP Catalog (CWMLite). This account has been deprecated, but is retained for backward compatibility.

Expired and locked

ORDDATA

This account contains the Oracle Multimedia DICOM data model. See Oracle Multimedia DICOM Developer's Guide for more information.

Expired and locked

OWBSYS

The account for administrating the Oracle Warehouse Builder repository.

Access this account during the installation process to define the base language of the repository and to define Warehouse Builder workspaces and users. A data warehouse is a relational or multidimensional database that is designed for query and analysis.

See Oracle Warehouse Builder Installation and Administration Guide.

Expired and locked

ORDPLUGINS

The Oracle Multimedia user. Plug-ins supplied by Oracle and third-party, format plug-ins are installed in this schema.

Oracle Multimedia enables Oracle Database to store, manage, and retrieve images, audio, video, DICOM format medical images and other objects, or other heterogeneous media data integrated with other enterprise information.

See Oracle Multimedia User's Guide and Oracle Multimedia Reference.

Expired and locked

ORDSYS

The Oracle Multimedia administrator account.

See Oracle Multimedia User's Guide, Oracle Multimedia Reference, and Oracle Multimedia DICOM Developer's Guide.

Expired and locked

OUTLN

The account that supports plan stability. Plan stability prevents certain database environment changes from affecting the performance characteristics of applications by preserving execution plans in stored outlines. OUTLN acts as a role to centrally manage metadata associated with stored outlines.

See Oracle Database Performance Tuning Guide.

Expired and locked

SI_INFORMTN_SCHEMA

The account that stores the information views for the SQL/MM Still Image Standard.

See Oracle Multimedia User's Guide and Oracle Multimedia Reference.

Expired and locked

SYS

An account used to perform database administration tasks.

See Oracle Database 2 Day DBA.

Open

Password is created at installation or database creation time.

SYSMAN

The account used to perform Oracle Enterprise Manager database administration tasks. The SYS and SYSTEM accounts can also perform these tasks.

See Oracle Enterprise Manager Grid Control Installation and Basic Configuration.

Open

Password is created at installation or database creation time.

SYSTEM

A default generic database administrator account for Oracle databases.

For production systems, Oracle recommends creating individual database administrator accounts and not using the generic SYSTEM account for database administration operations.

See Oracle Database 2 Day DBA.

Open

Password is created at installation or database creation time.

WK_TEST

The instance administrator for the default instance, WK_INST. After you unlock this account and assign this user a password, then you must also update the cached schema password using the administration tool Edit Instance Page.

Ultra Search provides uniform search-and-location capabilities over multiple repositories, such as Oracle databases, other ODBC compliant databases, IMAP mail servers, HTML documents managed by a Web server, files on disk, and more.

See Oracle Ultra Search Administrator's Guide.

Expired and locked

WKSYS

An Ultra Search database super-user. WKSYS can grant super-user privileges to other users, such as WK_TEST. All Oracle Ultra Search database objects are installed in the WKSYS schema.

See Oracle Ultra Search Administrator's Guide.

Expired and locked

WKPROXY

An administrative account of Oracle9i Application Server Ultra Search.

See Oracle Ultra Search Administrator's Guide.

Expired and locked

WMSYS

The account used to store the metadata information for Oracle Workspace Manager.

See Oracle Database Workspace Manager Developer's Guide.

Expired and locked

XDB

The account used for storing Oracle XML DB data and metadata.

Oracle XML DB provides high-performance XML storage and retrieval for Oracle Database data.

See Oracle XML DB Developer's Guide.

Expired and locked



Note:

If you create an Oracle Automatic Storage Management (Oracle ASM) instance, then the ASMSNMP account is created. Oracle Enterprise Manager uses this account to monitor ASM instances to retrieve data from ASM-related data dictionary views. The ASMSNMP account status is set to OPEN upon creation, and it is granted the SYSDBA privilege. For more information, see Oracle Automatic Storage Management Administrator's Guide.

Predefined Non-Administrative User Accounts

Table 3-2 lists default non-administrative user accounts that are created when you install Oracle Database. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS.

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation, except where noted in Table 3-2. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".

Table 3-2 Predefined Oracle Database Non-Administrative User Accounts

User AccountDescriptionStatus After Installation

APEX_PUBLIC_USER

The Oracle Database Application Express account. Use this account to specify the Oracle schema used to connect to the database through the database access descriptor (DAD).

Oracle Application Express is a rapid, Web application development tool for Oracle Database.

See Oracle Application Express Application Builder User's Guide.

Expired and locked

DIP

The Oracle Directory Integration and Provisioning (DIP) account that is installed with Oracle Label Security. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security.

See Oracle Label Security Administrator's Guide.

Expired and locked

FLOWS_30000

The account that owns most of the database objects created during the installation of Oracle Database Application Express. These objects include tables, views, triggers, indexes, packages, and so on.

See Oracle Application Express Application Builder User's Guide.

Expired and locked

FLOWS_FILES

The account that owns the database objects created during the installation of Oracle Database Application Express related to modplsql document conveyance, for example, file uploads and downloads. These objects include tables, views, triggers, indexes, packages, and so on.

See Oracle Application Express Application Builder User's Guide.

Expired and locked

MDDATA

The schema used by Oracle Spatial for storing Geocoder and router data.

Oracle Spatial provides a SQL schema and functions that enable you to store, retrieve, update, and query collections of spatial features in an Oracle database.

See Oracle Spatial Developer's Guide.

Expired and locked

ORACLE_OCM

The account used with Oracle Configuration Manager. This feature enables you to associate the configuration information for the current Oracle Database instance with My Oracle Support. Then when you log a service request, it is associated with the database instance configuration information.

See Oracle Database Installation Guide for your platform.

Expired and locked

SPATIAL_CSW_ADMIN_USR

The Catalog Services for the Web (CSW) account. It is used by Oracle Spatial CSW Cache Manager to load all record-type metadata and record instances from the database into the main memory for the record types that are cached.

See Oracle Spatial Developer's Guide.

Expired and locked

SPATIAL_WFS_ADMIN_USR

The Web Feature Service (WFS) account. It is used by Oracle Spatial WFS Cache Manager to load all feature type metadata and feature instances from the dantabase into main memory for the feature types that are cached.

See Oracle Spatial Developer's Guide.

Expired and locked

XS$NULL

An internal account that represents the absence of a user in a session. Because XS$NULL is not a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.

Expired and locked


Predefined Sample Schema User Accounts

If you install the sample schemas, which you must do to complete the examples in this guide, Oracle Database creates a set of sample user accounts. The sample schema user accounts are all non-administrative accounts, and their tablespace is USERS.

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts". For more information about the sample schema accounts, see Oracle Database Sample Schemas.

Table 3-3 lists the sample schema user accounts, which represent different divisions of a fictional company that manufactures various products.

Table 3-3 Default Sample Schema User Accounts

User AccountDescriptionStatus After Installation

BI

The account that owns the BI (Business Intelligence) schema included in the Oracle Sample Schemas.

See also Oracle Warehouse Builder Sources and Targets Guide.

Expired and locked

HR

The account used to manage the HR (Human Resources) schema. This schema stores information about the employees and the facilities of the company.

Expired and locked

OE

The account used to manage the OE (Order Entry) schema. This schema stores product inventories and sales of the company's products through various channels.

Expired and locked

PM

The account used to manage the PM (Product Media) schema. This schema contains descriptions and detailed information about each product sold by the company.

Expired and locked

IX

The account used to manage the IX (Information Exchange) schema. This schema manages shipping through business-to-business (B2B) applications.

Expired and locked

SH

The account used to manage the SH (Sales) schema. This schema stores business statistics to facilitate business decisions.

Expired and locked


In addition to the sample schema accounts, Oracle Database provides another sample schema account, SCOTT. The SCOTT schema contains the tables EMP, DEPT, SALGRADE, and BONUS. The SCOTT account is used in examples throughout the Oracle Database documentation set. When you install Oracle Database, the SCOTT account is locked and expired.

Expiring and Locking Database Accounts

When you expire the password of a user, that password no longer exists. If you want to unexpire the password, you change the password of that account. Locking an account preserves the user password and other account information, but makes the account unavailable to anyone who tries to log in to the database using that account. Unlocking it makes the account available again.

Oracle Database 2 Day DBA explains how you can use Database Control to unlock database accounts. You also can use Database Control to expire or lock database accounts.

To expire and lock a database account: 

  1. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Log in with administrative privileges.

    For example:

    Description of login.gif follows
    Description of the illustration login.gif

    The Database Home page appears.

  3. Click Server to display the Server subpage.

  4. In the Security section, click Users.

    The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.

  5. In the Select column, select the account you want to expire, and then click Edit.

    The Edit User page appears.

  6. Do one of the following:

    • To expire a password, click Expire Password now.

      To unexpire the password, enter a new password in the Enter Password and Confirm Password fields. See "Requirements for Creating Passwords" for password requirements.

    • To lock the account, select Locked.

  7. Click Apply.

Requirements for Creating Passwords

When you create a user account, Oracle Database assigns a default password policy for that user. The password policy defines rules for how the password should be created, such as a minimum number of characters, when it expires, and so on. You can strengthen passwords by using password policies.

For greater security, follow these guidelines when you create passwords:

Oracle Database Security Guide describes more ways that you can further secure passwords.


See Also:


Finding and Changing Default Passwords

When you install Oracle Database, the default database user accounts, including administrative accounts, are created without default passwords. Except for the administrative accounts whose passwords you create during installation (such as user SYS), the default user accounts arrive locked with their passwords expired. If you have upgraded from a previous release of Oracle Database, you may have database accounts that still have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.

Security is most easily compromised when a default database user account still has a default password after installation. This is particularly true for the user account SCOTT, which is a well known account that may be vulnerable to intruders. Find accounts that use default passwords and then change their passwords.

To find and change default passwords: 

  1. Log into SQL*Plus with administrative privileges.

    sqlplus system
Enter password: password

  2. Select from the DBA_USERS_WITH_DEFPWD data dictionary view.

    SELECT * FROM DBA_USERS_WITH_DEFPWD;

    The DBA_USERS_WITH_DEFPWD lists the accounts that still have user default passwords. For example:

    USERNAME
------------
SCOTT

  3. Change the password for the accounts the DBA_USERS_WITH_DEFPWD data dictionary view lists.

    For example, to change the password for user SCOTT, enter the following:

    PASSWORD SCOTT
Changing password for SCOTT
New password: password
Retype new password: password
Password changed

    Replace password with a password that is secure, according to the guidelines listed in "Requirements for Creating Passwords". For greater security, do not reuse the same password that was used in previous releases of Oracle Database.

    Alternatively, you can use the ALTER USER SQL statement to change the password:

    ALTER USER SCOTT IDENTIFIED BY password;

You can use Database Control to change a user account passwords (not just the default user account passwords) if you have administrative privileges. Individual users can also use Database Control to change their own passwords.

To use Database Control to change the password of a database account:  

  1. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Enter an administrator user name and password (for example, SYSTEM), and then click Login.

  3. Click Server to display the Server subpage.

  4. In the Security section, click Users.

    The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.

  5. In the Select column, select the account you want to change, and then click Edit.

    The Edit User page appears.

  6. Enter a new password in the Enter Password and Confirm Password fields.

  7. Click Apply.


See Also:


Guideline for Handling the Default Administrative User Passwords

You can use the same or different passwords for the SYS, SYSTEM, SYSMAN, and DBSNMP administrative accounts. Oracle recommends that you use different passwords for each. In any Oracle Database environment (production or test), assign strong, secure, and distinct passwords to these administrative accounts. If you use Database Configuration Assistant to create a new database, then it requires you to create passwords for the SYS and SYSTEM accounts.

Do not use default passwords for any administrative accounts, including SYSMAN and DBSNMP. Oracle Database 11g Release 2 (11.2) and later does not install these accounts with default passwords, but if you have upgraded from an earlier release of Oracle Database, you may still have accounts that use default passwords. You should find and change these accounts by using the procedures in "Finding and Changing Default Passwords".

At the end of database creation, Database Configuration Assistant displays a page that requires you to enter and confirm new passwords for the SYS and SYSTEM user accounts.

After installation, you can use Database Control to change the administrative user passwords. See "Finding and Changing Default Passwords" for more information on changing a password.

Guideline for Enforcing Password Management

Apply basic password management rules (such as password length, history, complexity, and so forth) to all user passwords. Oracle Database has password policies enabled for the default profile. "Requirements for Creating Passwords" provides guidelines for creating password policies. Table 3-4 lists initialization parameters that you can set to enforce password management.

You can find information about user accounts by querying the DBA_USERS view. The DBA_USERS view provides useful information such as the user account status, whether the account is locked, and password versions. You can query DBA_USERS as follows:

sqlplus system
Enter password: password

SQL> SELECT * FROM DBA_USERS;

Oracle also recommends, if possible, using Oracle Advanced Security (an option to Oracle Database Enterprise Edition) with network authentication services (such as Kerberos), token cards, smart cards, or X.509 certificates. These services provide strong authentication of users, and provide better protection against unauthorized access to Oracle Database.


See Also:


Parameters Used to Secure User Accounts

Table 3-4 lists initialization and profile parameters that you can set to better secure user accounts.

Table 3-4 Initialization and Profile Parameters Used for User Account Security

ParameterDefault SettingDescription

SEC_CASE_SENSITIVE_LOGON

TRUE

Controls case sensitivity in passwords. TRUE enables case sensitivity; FALSE disables it.

SEC_MAX_FAILED_LOGIN_ATTEMPTS

No default setting

Sets the maximum number of times a user is allowed to fail when connecting to an Oracle Call Interface (OCI) application.

FAILED_LOGIN_ATTEMPTS

10

Sets the maximum times a user login is allowed to fail before locking the account.

Note: You also can set limits on the number of times an unauthorized user (possibly an intruder) attempts to log in to Oracle Call Interface applications by using the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter.

PASSWORD_GRACE_TIME

7

Sets the number of days that a user has to change his or her password before it expires.

PASSWORD_LIFE_TIME

180

Sets the number of days the user can use his or her current password.

PASSWORD_LOCK_TIME

1

Sets the number of days an account will be locked after the specified number of consecutive failed login attempts.

PASSWORD_REUSE_MAX

UNLIMITED

Specifies the number of password changes required before the current password can be reused.

PASSWORD_REUSE_TIME

UNLIMITED

Specifies the number of days before which a password cannot be reused.



Note:

You can use most of these parameters to create a user profile. See Oracle Database Security Guide for more information about user profile settings.

To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference andOracle Database Administrator's Guide.

PKr%PK=AOEBPS/tdpsg_auditing.htm Auditing Database Activity

7 Auditing Database Activity

This chapter contains:


See Also:


About Auditing

Auditing is the monitoring and recording of selected user database actions. In standard auditing, you use initialization parameters and the AUDIT and NOAUDIT SQL statements to audit SQL statements, privileges, and schema objects, and network and multitier activities.

There are also activities that Oracle Database always audits, regardless of whether auditing is enabled. These activities are administrative privilege connections, database startups, and database shutdowns. See Oracle Database Security Guide for more information.

Another type of auditing is fine-grained auditing. Fine-grained auditing enables you to audit at the most granular level, data access, and actions based on content, using Boolean measurement, such as value > 1000. You can use fine-grained auditing to audit activities based on access to or changes in a column. You can create security policies to trigger auditing when someone accesses or alters specified elements in an Oracle database, including the contents within a specified object. You can create policies that define specific conditions that must take place for the audit to occur. For example, you can audit a particular table column to find out when and who tried to access it during a specified period of time. Furthermore, you can create alerts that are triggered when the policy is violated, and write this data to a separate audit file. Oracle Database Security Guide explains how to perform fine-grained auditing.

Why Is Auditing Used?

You typically use auditing to perform the following activities:

Where Are Standard Audit Activities Recorded?

Oracle Database records audit activities in audit records. Audit records provide information about the operation that was audited, the user performing the operation, and the date and time of the operation. Audit records can be stored in either a data dictionary table, called the database audit trail, or in operating system files, called an operating system audit trail. Oracle Database also provides a set of data dictionary views that you can use to track suspicious activities. See Oracle Database Security Guide for more information about these views.

When you use standard auditing, Oracle Database writes the audit records to either to DBA_AUDIT_TRAIL (the SYS.AUD$ table), the operating system audit trail, or to the DBA_COMMON_AUDIT_TRAIL view, which combines standard and fine-grained audit log records.

In addition, the actions performed by administrators are recorded in the syslog audit trail when the AUDIT_SYSLOG_LEVEL initialization parameter is set.

Auditing General Activities Using Standard Auditing

This section explains how to use standard auditing to audit activities performed on SQL statements, privileges, schema objects, and network or multitier activities.

This section contains:


See Also:

Oracle Database Security Guide for detailed information about managing the standard audit trail

About Standard Auditing

In standard auditing, you enable auditing of SQL statements, privileges, schema objects, and network or multitier activities. You can audit a specific schema table if you want. To perform this type of audit, you use Database Control.

You can view the standard audit trail by querying the DBA_AUDIT_TRAIL and DBA_COMMON_AUDIT_TRAIL data dictionary views.


See Also:

Oracle Database Security Guide for a roadmap of how and why you can use the different types of audit options available

Enabling or Disabling the Standard Audit Trail

Before you perform the standard auditing procedures described in this section, you must enable standard auditing. When you enable standard auditing, you can create the audit trail in the database audit trail or write the audit activities to an operating system file. If you write to an operating system file, you can create the audit record in text or XML format.

To enable or disable the standard audit trail:  

  1. Start Database Control.

  2. Log in as SYS and connect with the SYSDBA privilege.

    • User Name: SYS

    • Password: Enter your password.

    • Connect As: SYSDBA

  3. Click Server to display the Server subpage.

  4. In the Database Configuration section, click Initialization Parameters.

    The Initialization Parameters page appears.

  5. Click SPFile to display the SPFile subpage.

    If the SPFile tab does not display in your installation, then you did not install Oracle Database using a server parameters file. Go to the next step.

  6. In the Name field, enter audit_trail to find the AUDIT_TRAIL initialization parameter, and then click Go.

    You can enter the first few characters of the parameter, for example, AUDIT_. Alternatively, you can scroll down the list of parameters to find the AUDIT_TRAIL parameter.

  7. In the Value field, select one of the following values:

    • DB: Enables database auditing and directs standard audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail. (This value is the default if you created the database using Database Configuration Assistant. Otherwise, the default is NONE.)

    • OS: Enables database auditing and directs all audit records to an operating system file. Writing the audit trail to operating system files is better for performance instead of sending the audit records to the SYS.AUD$ table. If the auditor is distinct from the database administrator, you must use the operating system setting. Any auditing information stored in the database is viewable and modifiable by the database administrator.

      To specify the location of the operating system audit record file, set the AUDIT_FILE_DEST initialization parameter. The first default directory is $ORACLE_BASE/admin/$ORACLE_SID/adump.

    • NONE: Disables standard auditing.

    • DB, EXTENDED: Performs all actions of the AUDIT_TRAIL=DB setting and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available. (These two columns are populated only when this parameter is specified.)

    • XML: Writes to the operating system audit record file in XML format. Prints all elements of the AuditRecord node (as specified by the by the XML schema in http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd XSD file) except Sql_Text and Sql_Bind to the operating system XML audit file. This .xsd file represents the schema definition of the XML audit file. An XML schema is a document written in the XML Schema language.

    • EXTENDED: Specifies XML, EXTENDED, which performs all actions of XML and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, wherever possible. (These columns are populated only when this parameter is specified.)

    For a detailed explanation of the AUDIT_TRAIL initialization parameter settings, see Oracle Database Security Guide.

  8. Click Apply.

  9. Restart the Oracle Database instance:

    1. Click the Database Instance link.

    2. Click Home to display the Database Control home page.

    3. Under General, click Shutdown.

    4. In the Startup/Shutdown Credentials page, enter your credentials.

      See Oracle Database 2 Day DBA for more information.

    5. After the shutdown completes, click Startup.

Note the following:

  • You do not need to restart the database if you change the auditing of objects. You only need to restart the database if you made a universal change, such as turning on or off all auditing or changing the destination of the audit trail operating system files.

  • You do not need to set AUDIT_TRAIL to enable either fine-grained auditing or SYS auditing. (SYS auditing enables you to monitor the activities of a system administrator. See Oracle Database Security Guide for more information.) For fine-grained auditing, you add and remove fine-grained auditing policies as necessary, applying them to the specific operations or objects you want to monitor. You can use the AUDIT_SYS_OPERATIONS parameter to enable and disable SYS auditing.

Using Default Auditing for Security-Relevant SQL Statements and Privileges

When you use Database Configuration Assistant (DBCA) to create a new database, Oracle Database configures the database to audit the most commonly used security-relevant SQL statements and privileges. It also sets the AUDIT_TRAIL initialization parameter to DB. If you decide to use a different audit trail type (for example, OS if you want to write the audit trail records to operating system files), then you can do that: Oracle Database continues to audit the privileges that are audited by default. If you disable auditing by setting the AUDIT_TRAIL parameter to NONE, then no auditing takes place.

Oracle Database audits the following privileges by default:

ALTER ANY PROCEDURECREATE ANY LIBRARYDROP ANY TABLE
ALTER ANY TABLECREATE ANY PROCEDUREDROP PROFILE
ALTER DATABASECREATE ANY TABLEDROP USER
ALTER PROFILECREATE EXTERNAL JOBEXEMPT ACCESS POLICY
ALTER SYSTEMCREATE PUBLIC DATABASE LINKGRANT ANY OBJECT PRIVILEGE
ALTER USERCREATE SESSIONGRANT ANY PRIVILEGE
AUDIT SYSTEMCREATE USERGRANT ANY ROLE
CREATE ANY JOBDROP ANY PROCEDURE

Oracle Database audits the following SQL statement shortcuts by default:

ROLESYSTEM AUDITPUBLIC SYNONYM
DATABASE LINKPROFILESYSTEM GRANT

To individually control the auditing of SQL statements and privileges, use the AUDIT and NOAUDIT statements.

Oracle strongly recommends that you audit the database. Auditing is an effective method of enforcing strong internal controls so that your site can meet its regulatory compliance requirements, as defined in the Sarbanes-Oxley Act. This enables you to monitor business operations and catch any activities that may deviate from company policy. Doing so translates into tightly controlled access to your database and the application software. By enabling auditing by default, you can generate an audit record for audit and compliance personnel.


Note:

If your applications use the default audit settings from Oracle Database 10g Release 2 (10.2), then you can revert to these audit settings until you modify the applications to use the Release 11g audit settings. To do so, run the undoaud.sql script.

After you have modified your applications to conform to the Release 11g audit settings, then you can manually update your database to use the audit configuration that suits your business needs, or you can run the secconf.sql script to apply the Release 11g default audit settings.

The undoaud.sql and secconf.sql scripts are in the $ORACLE_HOME/rdbms/admin directory. The undoaud.sql script affects audit settings only, and the secconf.sql script affects both audit and password settings. They have no effect on other security settings.



See Also:

  • Oracle Database SQL Language Reference for detailed information about the SQL statements described in this section

  • Oracle Database Reference for detailed information about the AUDIT_TRAIL initialization parameter


Individually Auditing SQL Statements

The SQL statements that you can audit are in the following categories:

  • DDL statements. For example, enabling the auditing of tables (AUDIT TABLE) audits all CREATE and DROP TABLE statements

  • DML statements. For example, enabling the auditing of SELECT TABLE audits all SELECT ... FROM TABLE/VIEW statements, regardless of the table or view

Statement auditing can be broad or focused, for example, by auditing the activities of all database users or of only a select list of users.


See Also:

Oracle Database Security Guide for detailed information about auditing SQL statements

Individually Auditing Privileges

Privilege auditing is a way to audit statements that can use a system privilege. For example, you can audit the SELECT ANY TABLE privilege if you want to audit all the SELECT statements that will use the SELECT ANY TABLE privilege. You can audit the use of any system privilege. Similar to statement auditing, privilege auditing can audit the activities of all database users or of only a specified list. As with SQL statement auditing, you use the AUDIT and NOAUDIT statements to enable and disable privilege auditing. In addition, you must have the AUDIT SYSTEM system privilege before you can enable auditing.

Privilege audit options match the corresponding system privileges. For example, the option to audit use of the DELETE ANY TABLE privilege is DELETE ANY TABLE. For example:

AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

To audit all successful and unsuccessful uses of the DELETE ANY TABLE system privilege, enter the following statement:

AUDIT DELETE ANY TABLE BY ACCESS;

To audit all unsuccessful SELECT, INSERT, and DELETE statements on all tables and unsuccessful uses of the EXECUTE PROCEDURE system privilege, by all database users, and by individual audited statement, issue the following statement:

AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE BY ACCESS WHENEVER NOT SUCCESSFUL;

See Also:

Oracle Database Security Guide for detailed information about auditing privileges

Using Proxies to Audit SQL Statements and Privileges in a Multitier Environment

You can audit the activities of a client in a multitier environment by specifying a proxy in the Add Audited Statements or Add Audited Privileges page in Database Control. You can use the SQL AUDIT statement to audit the activities of a client in a multitier environment. To do so, use the BY user clause in the AUDIT statement.

For example, to audit SELECT TABLE statements issued by the proxy application user jackson:

AUDIT SELECT TABLE BY jackson;

Afterward, user jackson can connect using the appserve proxy user as follows:

CONNECT appserve[jackson]
Enter password: password

The middle tier can also set the user client identity in a database session, enabling the auditing of user actions through the middle-tier application. The user client identity then shows up in the audit trail.


See Also:

Oracle Database Security Guide for detailed information about auditing in a multitier environment

Individually Auditing Schema Objects

Schema object auditing can audit all SELECT and DML statements permitted by object privileges, such as SELECT or DELETE statements on a particular table. The GRANT and REVOKE statements that control those privileges are also audited.


See Also:

Oracle Database Security Guide for detailed information about auditing schema objects

Auditing Network Activity

You can use the AUDIT statement to audit unexpected errors in network protocol or internal errors in the network layer. The types of errors unc>hovered by network auditing are not connection failures, but can have several other possible causes. One possible cause is an internal event set by a database engineer for testing purposes. Other causes include conflicting configuration settings for encryption, such as the network not finding the information required to create or process expected encryption.

To enable network auditing:  

  1. Start SQL*Plus and log on with administrative privileges, such as SYSTEM, or as a security administrator. For example:

    sqlplus system
Enter password: password

    SQL*Plus starts, connects to the default database, and then displays a prompt.

    For detailed information about starting SQL*Plus, see Oracle Database 2 Day DBA.

  2. Enter the following statement:

    AUDIT NETWORK;

    To disable network auditing, enter the following:

    NOAUDIT NETWORK;

  3. Exit SQL*Plus:

    EXIT

See Also:

Oracle Database Security Guide for detailed information about auditing network activity

Tutorial: Creating a Standard Audit Trail

Suppose you wanted to audit SELECT statements on the OE.CUSTOMERS table. In this tutorial, you enable standard auditing, enable auditing for the SELECT SQL statement, run the SELECT SQL statement on the OE.CUSTOMERS table, and then check its audit file.

In this tutorial:

Step 1: Log In and Enable Standard Auditing

First, log in, and, if necessary, enable standard auditing.

To enable standard auditing:  

  1. Start Database Control.

  2. Log in as SYS.

    • User Name: SYS

    • Password: Enter your password.

    • Connect As: SYSDBA

  3. Click Server to display the Server subpage.

  4. In the Database Configuration section, click Initialization Parameters.

    The Initialization Parameters page appears.

  5. Click SPFile to display the SPFile subpage.

    If the SPFile tab does not display in your installation, then you did not install Oracle Database using a server parameters file. Go to the next step.

  6. In the Name field, enter AUDIT_TRAIL to find the AUDIT_TRAIL parameter, and then click Go.

    You can enter the first few characters of the parameter, for example, AUDIT. Alternatively, you can scroll down the list of parameters to find the AUDIT_TRAIL parameter. To sort the list of parameters in alphabetical order, click the Name column.

  7. In the Value field, make a note of the current setting, and then change it to DB_EXTENDED.

    By default, the AUDIT_TRAIL parameter is set to DB, which enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail. DB_EXTENDED has this functionality, plus it records SQL text and SQL bind variables.

  8. Click Apply.

  9. Restart the Oracle Database instance.

    From a command line, enter the following commands:

    sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> RESTART

    At this point, you can check the AUDIT_TRAIL setting by entering the following command:

    SQL> SHOW PARAMETER AUDIT_TRAIL

NAME                     TYPE            VALUE
------------------------ --------------- ---------------------------------\
audit_trail              string          DB_EXTENDED

Step 2: Enable Auditing for SELECT Statements on the OE.CUSTOMERS Table

Next, enable auditing for SELECT statements on the OE.CUSTOMERS table.

To enable auditing of SELECT statements for the OE.CUSTOMERS table:  

  1. Ensure that the sample user sec_admin exists.

    Log on as SYSTEM, and then from the Database Control home page, click Server to display the Server subpage. Select Users under Security, and check the list of accounts for sec_admin. "Step 1: Create a Security Administrator Account" explains how to create the sec_admin security administrator account. If you still have Oracle Database Vault enabled, then you must recreate the account using the Database Vault Account Manager account.

  2. In SQL*Plus, log in as user OE and then grant sec_admin the SELECT privilege on the OE.CUSTOMERS table.

    sqlplus oe
Enter password: password
Connected.

SQL> GRANT SELECT ON CUSTOMERS TO sec_admin;

  3. Log in to Database Control as user SYS with the SYSDBA privilege.

  4. Click Server to display the Server subpage.

  5. In the Security section, click Audit Settings.

    The Audit Settings page appears.

  6. Select the Audited Objects subpage.

  7. Click Add.

    The Add Audited Object page appears.

  8. Enter the following information:

    • Object Type: Select Table.

    • Table: Enter OE.CUSTOMERS.

    • Available Statements: Select SELECT, and then click Move to move it to the Selected Statements list.

  9. Click OK.

  10. Log out of Database Control.

Step 3: Test the Audit Settings

At this stage, auditing is enabled and any SELECT statements performed on the OE.CUSTOMERS table are written to the to DBA_AUDIT_TRAIL data dictionary view. Now, you are ready to test the audit settings.

To test the audit settings:  

  1. Start SQL*Plus, and connect as user sec_admin.

    sqlplus sec_admin
Enter password: password

  2. Enter the following SELECT statement to create an alert in the audit trail:

    SELECT COUNT(*) FROM OE.CUSTOMERS;

  3. Enter the following statement to view the DBA_AUDIT_TRAIL view:

    SELECT USERNAME, SQL_TEXT, TIMESTAMP 
FROM DBA_AUDIT_TRAIL 
WHERE SQL_TEXT LIKE 'SELECT %';

    For this SELECT statement, enter the text for the SQL_TEXT column ('SELECT %') using the same case that you used when you entered the SELECT statement in Step 2. In other words, if you entered that SELECT statement in lowercase letters, then enter 'select %' when you query the DBA_AUDIT_TRAIL view, not 'SELECT %'.

    Output similar to the following appears:

    USERNAME          SQL_TEXT                                TIMESTAMP
----------------- --------------------------------------- ------------------
SEC_ADMIN         SELECT COUNT(*) FROM OE.CUSTOMERS       31-MAR-10

  4. Exit SQL*Plus:

    EXIT

Step 4: Optionally, Remove the Components for This Tutorial

Optionally, remove the audit settings that you created earlier.

To remove the audit settings in Database Control:  

  1. Log in to Database Control as user SYS with the SYSDBA privilege.

  2. Click Server to display the Server subpage.

  3. In the Security section, click Audit Settings.

    The Audit Settings page appears.

  4. Select the Audited Objects subpage.

  5. Under Schema, enter OE.

  6. Under Object Name, enter CUSTOMERS.

  7. Click Search.

  8. Select the box next to the OE.CUSTOMERS audited schema, and then click Remove.

    A Confirmation dialog box appears.

  9. Select Yes.

  10. Click the Database Instance link to return to the Database home page.

  11. Select the Server subpage, and then under Database Configuration, select Initialization Parameters.

  12. Select the SPFile subpage.

  13. Find the AUDIT_TRAIL parameter and then set it to the original value. Click Apply.

  14. Exit Database Control.

  15. Restart the database:

    sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> RESTART

Step 5: Remove the SEC_ADMIN Security Administrator Account

This is the last example in this guide. If you no longer need the sec_admin administrator account, then you should remove it.

To remove the sec_admin security administrator account:  

  1. Log in to Database Control as user SYSTEM.

    If Oracle Database Vault is enabled, then you must log on as the Database Vault Account Manager.

  2. In the Database Control home page, click Server to display the Server subpage.

  3. In the Security section, click Users.

    The Users page appears.

  4. In the Name field, enter sec_admin.

  5. Click Search.

  6. Select the selection box next to the sec_admin user account, and then click Delete.

    A Confirmation dialog box appears.

  7. Select Yes.

  8. Exit Database Control.

Guidelines for Auditing

This section contains the following topics:

Guideline for Using Default Auditing of SQL Statements and Privileges

When you create a new database, you can enable the auditing of a select set of SQL statements and privileges. Oracle recommends that you enable default auditing. Auditing is an effective method of enforcing strong internal controls so that your site meets its regulatory compliance requirements. See "Using Default Auditing for Security-Relevant SQL Statements and Privileges" for more information about default auditing.

Guidelines for Managing Audited Information

Although auditing has a minimal impact on database performance, limit the number of audited events as much as possible. This minimizes the performance impact on the execution of audited statements and the size of the audit trail, making it easier to analyze and understand.

Follow these guidelines when devising an auditing strategy:

  1. Evaluate your reason for auditing.

    After you understand of the reasons for auditing, you can devise an appropriate auditing strategy and avoid unnecessary auditing.

    For example, suppose you are auditing to investigate suspicious database activity. This information by itself is not specific enough. What types of suspicious database activity do you suspect or have you noticed? A more focused auditing purpose might be to audit unauthorized deletions from arbitrary tables in the database. This purpose narrows the type of action being audited and the type of object being affected by the suspicious activity.

  2. Audit knowledgeably.

    Audit the minimum number of statements, users, or objects required to get the targeted information. This prevents unnecessary audit information from cluttering the meaningful information. Balance your need to gather sufficient security information with your ability to store and process it.

    For example, if you are auditing to gather information about database activity, then determine exactly what types of activities you want to track, audit only the activities of interest, and audit only for the amount of time necessary to gather the information that you want. As another example, do not audit objects if you are only interested in logical I/O information for each session.

Guidelines for Auditing Typical Database Activity

When your purpose for auditing is to gather historical information about particular database activities, follow these guidelines:

  1. Audit only pertinent actions.

    To avoid cluttering meaningful information with useless audit records and to reduce the amount of audit trail administration, audit only the targeted database activities. You can audit specific actions by using fine-grained auditing. Oracle Database Security Guide describes fine-grained auditing in detail.

  2. Archive audit records and purge the audit trail.

    After you collect the required information, archive the audit records of interest, and purge the audit trail of this information.

    To archive audit records, you copy the relevant records to a database table, for example, using INSERT INTO table SELECT ... FROM SYS.AUD$ ... for the standard audit trail. (Fine-grained audit records are in the SYS.FGA_LOG$ table.) Alternatively, you can export the audit trail table to an operating system file. Oracle Database Utilities explains how to export tables by using Oracle Data Pump.

    To purge audit records, you delete standard audit records from the SYS.AUD$ table and fine-grained audit records from the SYS.FGA_LOG$ table. For example, to delete all audit records from the standard audit trail, enter the following statement:

    DELETE FROM SYS.AUD$;

    Alternatively, to delete all audit records from the standard audit trail generated as a result of auditing the table emp, enter the following statement:

    DELETE FROM SYS.AUD$ WHERE OBJ$NAME='EMP';

  3. Follow the privacy considerations of your company.

    Privacy regulations often lead to additional business privacy policies. Most privacy laws require businesses to monitor access to personally identifiable information (PII), and this type of monitoring is implemented by auditing. A business-level privacy policy should address all relevant aspects of data access and user accountability, including technical, legal, and company policy concerns.

Guidelines for Auditing Suspicious Database Activity

When you audit to monitor suspicious database activity, follow these guidelines:

  1. Audit general information, and then audit specific information.

    When you start to audit for suspicious database activity, often not much information is available to target specific users or schema objects. Therefore, set audit options more generally at first, that is, by using the standard audit options described in "Auditing General Activities Using Standard Auditing".

    After you have recorded and analyzed the preliminary audit information, disable general auditing, and then audit specific actions. You can use fine-grained auditing, described in Oracle Database Security Guide, to audit specific actions. Continue this process until you gather enough evidence to draw conclusions about the origin of the suspicious database activity.

  2. Protect the audit trail.

    When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited. You audit the standard audit trail by using the AUDIT SQL statement. For example:

    sqlplus sys as sysdba 
Enter password: password

SQL> AUDIT SELECT ON SYS.AUD$ BY ACCESS;

Initialization Parameters Used for Auditing

Table 7-1 lists initialization parameters that you can use to secure auditing.

Table 7-1 Initialization Parameters Used for Auditing

Initialization ParameterDefault SettingDescription

AUDIT_TRAIL

DB

Enables or disables auditing. See "Enabling or Disabling the Standard Audit Trail" for detailed information. For a full listing of the AUDIT_TRAIL parameters and an example of setting them, see Oracle Database Security Guide.

AUDIT_FILE_DEST

ORACLE_BASE/admin/ORACLE_SID/adump

or

ORACLE_HOME/rdbms/audit

Specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to OS, XML, or XML,EXTENDED. Oracle Database writes the audit records in XML format if the AUDIT_TRAIL initialization parameter is set to XML.

Oracle Database also writes mandatory auditing information to this location, and if the AUDIT_SYS_OPERATIONS initialization parameter is set, writes audit records for user SYS.

AUDIT_SYS_OPERATIONS

FALSE

Enables or disables the auditing of top-level operations directly issued by user SYS, and users connecting with SYSDBA or SYSOPER privilege. Oracle Database writes the audit records to the audit trail of the operating system. If you set the AUDIT_TRAIL initialization parameter to XML or XML, EXTENDED, it writes the audit records in XML format.

On UNIX systems, if you have also set the AUDIT_SYSLOG_LEVEL parameter, then it overrides the AUDIT_TRAIL parameter, which writes the SYS audit records to the system audit log using the SYSLOG utility.

AUDIT_SYSLOG_LEVEL

No default setting

On UNIX systems, writes the SYS and standard OS audit records to the system audit log using the SYSLOG utility.


To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference and Oracle Database Administrator's Guide.

PKH>PK=AOEBPS/cover.htmO Cover

Oracle Corporation

PK[pTOPK=AOEBPS/tdpsg_install_config.htm$lۓ Securing the Database Installation and Configuration

2 Securing the Database Installation and Configuration

This chapter contains:

About Securing the Database Installation and Configuration

After you install Oracle Database, you should secure the database installation and configuration. The methods in this chapter describe commonly used ways to do this, all of which involve restricting permissions to specific areas of the database files.

Oracle Database is available on several operating systems. Consult the following guides for detailed platform-specific information about Oracle Database:

Using the Default Security Settings

When you create a new database, Oracle Database provides the following default security settings:

Securing the Oracle Data Dictionary

This section describes how you can secure the data dictionary. The data dictionary is a set of database tables that provide information about the database, such as schema definitions or default values.

This section contains:

About the Oracle Data Dictionary

The Oracle data dictionary is a set of database tables that provides information about the database. A data dictionary has the following contents:

  • The names of Oracle Database users

  • Privileges and roles granted to each user

  • The definitions of all schema objects in the database (tables, views, indexes, clusters, synonyms, sequences, procedures, functions, packages, triggers, and so on)

  • The amount of space allocated for, and is currently used by, the schema objects

  • Default values for columns

  • Integrity constraint information

  • Auditing information, such as who has accessed or updated various schema objects

  • Other general database information

The data dictionary tables and views for a given database are stored in the SYSTEM tablespace for that database. All the data dictionary tables and views for a given database are owned by the user SYS. Connecting to the database with the SYSDBA privilege gives full access to the data dictionary. Oracle strongly recommends limiting access to the SYSDBA privilege to only those operations necessary such as patching and other administrative operations. The data dictionary is central to every Oracle database.

You can view the contents of the data dictionary by querying data dictionary views, which are described in Oracle Database Reference. Be aware that not all objects in the data dictionary are exposed to users. A subset of data dictionary objects, such as those beginning with USER_% are exposed as read only to all database users.

Example 2-1 shows how you can find a list of database views specific to the data dictionary by querying the DICTIONARY view.

Example 2-1 Finding Views That Pertain to the Data Dictionary

sqlplus system
Enter password: password

SQL> SELECT TABLE_NAME FROM DICTIONARY;

Enabling Data Dictionary Protection

You can protect the data dictionary by setting the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE. This parameter prevents users who have the ANY system privilege from using those privileges on the data dictionary, that is, on objects in the SYS schema.

Oracle Database provides highly granular privileges. One such privilege, commonly referred to as the ANY privilege, is typically granted to only application owners and individual database administrators. For example, you could grant the DROP ANY TABLE privilege to an application owner. You can protect the Oracle data dictionary from accidental or malicious use of the ANY privilege by turning on or off the 07_DICTIONARY_ACCESSIBILITY initialization parameter.

To enable data dictionary protection: 

  1. Start Oracle Enterprise Manager Database Control (Database Control).

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Log in as SYS and connect with the SYSDBA privilege.

    • User Name: Enter the name of a user who has administrative privileges. In this case, you enter SYS.

    • Password: Enter the SYS user's password.

    • Connect As: From the list, select SYSDBA.

    The Oracle Enterprise Manager Database Home page (Database Home page) appears.

  3. Click Server to display the Server subpage.

  4. In the Database Configuration section, click Initialization Parameters.

    The Initialization Parameters page appears.

  5. In the list, search for O7_DICTIONARY_ACCESSIBILITY.

    In the Name field, enter O7_ (the letter O), and then click Go. You can enter the first few characters of a parameter name. In this case, O7_ displays the O7_DICTIONARY_ACCESSIBILTY parameter.

    Depending on the parameter, you may have to modify the value from the SPFile subpage. Click the SPFile tab to display the SPFile subpage.

  6. Set the value for O7_DICTIONARY_ACCESSIBILTY to FALSE.

  7. Click Apply.

  8. Restart the Oracle Database instance.

    1. Click the Database Instance link.

    2. Click Home to display the Database Control home page.

    3. Under General, click Shutdown.

    4. In the Startup/Shutdown Credentials page, enter your credentials.

      See Oracle Database 2 Day DBA for more information.

    5. After the shutdown completes, click Startup.


Note:


Guidelines for Securing Operating System Access to Oracle Database

You can secure access to Oracle Database on the operating system level by following these guidelines:

Guideline for Granting Permissions to Run-Time Facilities

Many Oracle Database products use run-time facilities such as Oracle Java Virtual Machine (OJVM). Do not assign all permissions to a database run-time facility. Instead, grant specific permissions to the explicit document root file paths for facilities that might run files and packages outside the database.

Here is an example of a vulnerable run-time call, in which an individual file (in bold typeface) is specified:

call dbms_java.grant_permission('wsmith',
 'SYS:java.io.FilePermission','filename','read');

The following example is a better (more secure) run-time call, because by specifying a directory path (in bold typeface), it protects all files within the directory.

call dbms_java.grant_permission('wsmith', 
 'SYS:java.io.FilePermission','directory_path','read');

Initialization Parameters Used for Installation and Configuration Security

Table 2-2 lists initialization parameters that you can set to better secure your Oracle Database installation and configuration.

Table 2-2 Initialization Parameters Used for Installation and Configuration Security

Initialization ParameterDefault SettingDescription

SEC_RETURN_SERVER_RELEASE_BANNER

FALSE

Controls the display of the product version information, such as the release number, in a client connection. An intruder could use the database release number to find information about security vulnerabilities that may be present in the database software. You can enable or disable the detailed product version display by setting this parameter.

See Oracle Database Security Guide for more information about this and similar parameters. Oracle Database Reference describes this parameter in detail.

O7_DICTIONARY_ACCESSIBILITY

FALSE

Controls restrictions on SYSTEM privileges. See "Enabling Data Dictionary Protection" for more information about this parameter. Oracle Database Reference describes this parameter in detail.



See Also:

Oracle Database Reference for more information about initialization parameters

Modifying the Value of an Initialization Parameter

This section explains how to use Database Control to modify the value of an initialization parameter. To find detailed information about the initialization parameters available, see Oracle Database Reference.

To modify the value of an initialization parameter: 

  1. Start Database Control.

  2. Log in as user SYS with the SYSDBA privilege.

    • User Name: SYS

    • Password: Enter your password.

    • Connect As: SYSDBA

  3. Click Server to display the Server subpage.

  4. In the Database Configuration section, click Initialization Parameters.

    The Initialization Parameters page appears.

  5. In the Name field, enter the name of the parameter to change, and then click Go.

    You can enter the first few letters of the parameter, for example, SEC_RETURN if you are searching for the SEC_RETURN_SERVER_RELEASE_NUMBER parameter. Alternatively, you can scroll down the list of parameters to find the parameter you want to change.

    Depending on the parameter, you might have to modify the value from the SPFile subpage. Click the SPFile tab to display the SPFile subpage.

  6. In the Value field, either enter the new value or if a list is presented, select from the list.

  7. Click Apply.

  8. If the parameter is static, restart the Oracle Database instance.

    To find out if an initialization parameter is static, check its description in Oracle Database Reference. If the Modifiable setting in its summary table shows No, then you must restart the database instance.

    1. Click the Database Instance link.

    2. Click Home to display the Database Control home page.

    3. Under General, click Shutdown.

    4. In the Startup/Shutdown Credentials page, enter your credentials.

      See Oracle Database 2 Day DBA for more information.

    5. After the shutdown completes, click Startup.

PKnh)l$lPK=AOEBPS/tdpsg_intro.htm+ Introduction to Oracle Database Security

1 Introduction to Oracle Database Security

This chapter contains:

About This Guide

Oracle Database 2 Day + Security Guide teaches you how to perform day-to-day database security tasks. Its goal is to help you understand the concepts behind Oracle Database security. You will learn how to perform common security tasks needed to secure your database. The knowledge you gain from completing the tasks in Oracle Database 2 Day + Security Guide helps you to better secure your data and to meet common regulatory compliance requirements, such as the Sarbanes-Oxley Act.

The primary administrative interface used in this guide is Oracle Enterprise Manager in Database Console mode, featuring all the self-management capabilities introduced in Oracle Database.

This section contains the following topics:

Before Using This Guide

Before using this guide:

What This Guide Is and Is Not

Oracle Database 2 Day + Security Guide is task oriented. The objective of this guide is to describe why and when you must perform security tasks.

Where appropriate, this guide describes the concepts and steps necessary to understand and complete a task. This guide is not an exhaustive discussion of all Oracle Database concepts. For this type of information, see Oracle Database Concepts.

Where appropriate, this guide describes the necessary Oracle Database administrative steps to complete security tasks. This guide does not describe basic Oracle Database administrative tasks. For this type of information, see Oracle Database 2 Day DBA. Additionally, for a complete discussion of administrative tasks, see Oracle Database Administrator's Guide.

In addition, this guide is not an exhaustive discussion of all Oracle Database security features and does not describe available APIs that provide equivalent command line functionality to the tools used in this guide. For this type of information, see Oracle Database Security Guide.

Common Database Security Tasks

As a database administrator for Oracle Database, you should be involved in the following security-related tasks:

In a small to midsize database environment, you might perform these tasks as well and all database administrator-related tasks, such as installing Oracle software, creating databases, monitoring performance, and so on. In large, enterprise environments, the job is often divided among several database administrators—each with their own specialty—such as database security or database tuning.

Tools for Securing Your Database

To achieve the goals of securing your database, you need the following products, tools, and utilities:

Securing Your Database: A Roadmap

To learn the fundamentals of securing an Oracle database, follow these steps:

  1. Secure your Oracle Database installation and configuration.

    Complete the tasks in Chapter 2, "Securing the Database Installation and Configuration" to secure access to an Oracle Database installation.

  2. Secure user accounts for your site.

    Complete the tasks in Chapter 3, "Securing Oracle Database User Accounts", which builds on Oracle Database 2 Day DBA, where you learned how to create user accounts. You learn the following:

    • How to expire, lock, and unlock user accounts

    • Guidelines to choose secure passwords

    • How to change a password

    • How to enforce password management

  3. Understand how privileges work.

    Complete the tasks in Chapter 4, "Managing User Privileges". You learn about the following:

    • How privileges work

    • Why you must be careful about granting privileges

    • How database roles work

    • How to create secure application roles

  4. Secure data as it travels across the network.

    Complete the tasks in Chapter 5, "Securing the Network" to learn how to secure client connections and to configure network encryption.

  5. Control access to data.

    Complete the tasks in Chapter 6, "Securing Data", in which you learn about the following:

    • How to use transparent data encryption to automatically encrypt database table columns and tablespaces

    • How to control data access with Oracle Virtual Private Database

    • How to enforce row-level security with Oracle Label Security

    • How to control system administrative access to sensitive data with Oracle Database Vault.

  6. Configure auditing so that you can monitor the database activities.

    Complete the tasks in Chapter 7, "Auditing Database Activity" to learn about standard auditing.

PK@s!++PK=AOEBPS/title.htmb Oracle Database 2 Day + Security Guide, 11g Release 2 (11.2)

Oracle® Database

2 Day + Security Guide

11g Release 2 (11.2)

E10575-08

September 2012

Oracle Database 2 Day + Security Guide, 11g Release 2 (11.2)

E10575-08

Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.

Primary Author:  Patricia Huey

Contributors: Naveen Gopal, Rahil Mir, Gopal Mulagund, Nina Lewis, Paul Needham, Deborah Owens, Sachin Sonawane, Ashwini Surpur, Kamal Tbeileh, Mark Townsend, Peter Wahl, Xiaofang Wang, Peter M. Wong

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

PKwgbPK=AOEBPS/preface.htm!3 Preface

Preface

Welcome to Oracle Database 2 Day + Security Guide. This guide is for anyone who wants to perform common day-to-day security tasks with Oracle Database.

This preface contains:

Audience

Oracle Database 2 Day + Security Guide expands on the security knowledge that you learned in Oracle Database 2 Day DBA to manage security in Oracle Database. The information in this guide applies to all platforms. For platform-specific information, see the installation guide, configuration guide, and platform guide for your platform.

This guide is intended for the following users:

This guide is not an exhaustive discussion about security. For detailed information about security, see the Oracle Database Security documentation set. This guide does not provide information about security for Oracle E-Business Suite applications. For information about security in the Oracle E-Business Suite applications, see the documentation for those products.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For more information, use the following resources:

Oracle Database Documentation

For more security-related information, see the following documents in the Oracle Database documentation set:

Many of the examples in this guide use the sample schemas of the seed database, which is installed by default when you install Oracle. See Oracle Database Sample Schemas for information about how these schemas were created and how you can use them.

Oracle Technology Network (OTN)

You can download free release notes, installation documentation, updated versions of this guide, white papers, or other collateral from the Oracle Technology Network (OTN). Visit

http://www.oracle.com/technetwork/index.html

For security-specific information on OTN, visit

http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

For the latest version of the Oracle documentation, including this guide, visit

http://www.oracle.com/technetwork/documentation/index.html

Oracle Documentation Search Engine

To access the database documentation search engine directly, visit:

http://tahiti.oracle.com/

My Oracle Support (formerly OracleMetaLink)

You can find information about security patches, certifications, and the support knowledge base by visiting My Oracle Support at:

https://support.oracle.com

Conventions

The following text conventions are used in this document:

ConventionMeaning
boldfaceBoldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italicItalic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospaceMonospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

PKSN!!PK=AOEBPS/index.htm Index

Index

A  B  C  D  E  F  G  H  I  K  L  M  N  O  P  R  S  T  U  V  W  X 

A

access control
data encryption, 6.2.2
enforcing, 5.2.1
Oracle Label Security, 6.5.1
administrative accounts
about, 3.2.1
access, 5.2.2
passwords, 3.6
predefined, listed, 3.2.1
administrators
privileges for listener.ora file, 5.2.2
restricting access of, 6.6
separation of duty, 6.6.1
ANONYMOUS user account, 3.2.1
ANY system privilege, protecting data dictionary, 2.3.2
APEX_PUBLIC_USER user account, 3.2.2
application contexts
Oracle Virtual Private Database, used with, 6.4.1
ASMSNMP user account, 3.2.1
audit files
archiving and purging, 7.6.3
operating system file, writing to, 7.4.2
audit records
types, 7.3
viewing, 7.3
audit trail
DB setting, 7.4.2
XML file output, 7.4.2
auditing
about, 7.1
DDL statements, 7.4.4
default security setting, modified by, 7.4.3
DML statements, 7.4.4
fine-grained auditing, 7.1
guidelines, security, 7.6
historical information, 7.6.3
keeping information manageable, 7.6.2
monitoring user actions, 7.1
privilege audit options, 7.4.5
reasons to audit, 7.2
Sarbanes-Oxley Act
requirements, 7.4.3
suspicious activity, 7.6.4
viewing audit records, 7.3
where recorded, 7.3
authentication
client, 5.2.1
remote, 5.2.1, 5.2.1
strong, 3.7
AUTHID CURRENT USER invoker’s rights clause, 4.5.2.5

B

BFILE files
restricting access, 2.4
BI user account, 3.2.3

C

client connections
stolen, 5.2.1
client guidelines, 5.2.1
configuration files
listener.ora
administering listener remotely, 5.2.2
sample, 5.2.2
CONNECT role, privilege available to, 4.3
connections
securing, 5.2
SYS user, 4.2
CREATE ANY TABLE statement, 4.2
CREATE DATABASE LINK statement, 4.3
CREATE EXTERNAL JOB privilege
default security setting, modified by, 2.2
CREATE SESSION statement, 4.3
CREATE TABLE statement, auditing, 7.4.4
CTXSYS user account, 3.2.1

D

data definition language
auditing, 7.4.4
data dictionary
about, 2.3.1
securing, 2.3.2
data dictionary views
DBA_USERS, 3.7
DBA_USERS_WITH_DEFPWD, 3.5
data files
restricting access, 2.4
data manipulation language, auditing, 7.4.4
database
checking compatibility, 6.2.4.1
database accounts
See user accounts
Database Configuration Assistant
auditing by default, 7.4.3
default passwords, changing, 3.6
Database Control
See Oracle Enterprise Manager Database Control
DBA_USERS data dictionary view, 3.7
DBA_USERS_WITH_DEFPWD data dictionary view, 3.5
DBCA
See Database Configuration Assistant
DBSNMP user account
about, 3.2.1
passwords, default, 3.6
default passwords
administrative accounts, using with, 3.6
importance of changing, 3.5
default permissions, 2.4
default security settings
about, 2.2
Denial of Service (DoS) attacks
networks, addressing, 5.2.2
See also security attacks
DIP user account, 3.2.2
disabling unnecessary services, 5.2.2
DROP TABLE statement, auditing, 7.4.4

E

encryption
about, 6.2.1
algorithms, described, 5.3.2
components, 6.2.1
data transfer, 5.2.2
network, 5.3
network traffic, 5.2.2
reasons not to encrypt, 6.2.2
reasons to encrypt, 6.2.2
Enterprise Edition, 3.7
errors
checking trace files, 4.5.2.5
WHEN NO_DATA_FOUND exception example, 4.5.2.5
examples
user session information, retrieving with SYS_CONTEXT, 6.4.2.4
See also tutorials
exceptions
WHEN NO_DATA_FOUND example, 4.5.2.5
EXFSYS user account, 3.2.1
external tables, 2.4

F

files
audit
archiving, 7.6.3
DoS attacks, recommendations, 7.4.2
configuration, 5.2.2
listener.ora, 5.2.2
restrict listener access, 5.2.2
restricting access, 2.4
symbolic links, restricting, 2.4
fine-grained auditing, 7.1
firewalls
Axent, 5.2.2
CheckPoint, 5.2.2
Cisco, 5.2.2
database server, keeping behind, 5.2.2
Firewall-1, 5.2.2
Gauntlet, 5.2.2
guidelines, 5.2.2
Network Associates, 5.2.2
PIX Firewall, 5.2.2
Raptor, 5.2.2
supported
packet-filtered, 5.2.2
proxy-enabled, 5.2.2
FLOWS_30000 user account, 3.2.2
FLOWS_FILES user account, 3.2.2
FTP service
disabling, 5.2.2

G

GRANT ALL PRIVILEGES privilege, 2.3.2
guidelines for security
auditing
audited information, managing, 7.6.2
database activity, typical, 7.6.3
default auditing, 7.6.1
client connections, 5.2.1
database activity, suspicious, 7.6.4
network connections, 5.2.2
operating access to database, 2.4
operating system accounts, limiting privileges, 2.4
operating system users, limiting number of, 2.4
Oracle home default permissions, disallowing modifying of, 2.4
Oracle Label Security policies, planning, 6.5.2
passwords
administrative, 3.6
creating, 3.4
management, enforcing, 3.7
privileges, granting, 4.2
PUBLIC role, privileges, 4.4
roles, granting to users, 4.3
run-time facilities, granting permissions to, 2.5
symbolic links, restricting, 2.4

H

HR user account, 3.2.3

I

identity theft
See security attacks
initialization parameters
AUDIT_FILE_DESTINATION, 7.7
AUDIT_SYS_OPERATIONS, 7.7
AUDIT_SYSLOG_LEVEL, 7.7
AUDIT_TRAIL, 7.7
configuration related, 2.6
default security, modified by, 2.2
FAILED_LOGIN_ATTEMPTS, 3.8
installation related, 2.6
MAX_ENABLED_ROLES, 4.6
modifying, 2.6.1
O7_DICTIONARY_ACCESSIBILITY
about, 2.6
data dictionary, protecting, 2.3.2
default setting, 2.3.2
setting in Database Control, 2.3.2
OS_AUTHENT_PREFIX, 5.4
OS_ROLES, 4.6
PASSWORD_GRACE_TIME, 3.8
PASSWORD_LIFE_TIME, 3.8
PASSWORD_LOCK_TIME, 3.8
PASSWORD_REUSE_MAX, 3.8
PASSWORD_REUSE_TIME, 3.8
REMOTE_LISTENER, 5.4
REMOTE_OS_AUTHENT, 5.2.1, 5.4
REMOTE_OS_ROLES, 4.6, 5.4
SEC_CASE_SENSITIVE_LOGIN, 3.8
SEC_MAX_FAILED_LOGIN_ATTEMPTS, 3.8
SEC_RETURN_SERVER_RELEASE_BANNER, 2.6
SQL92_SECURITY, 4.6
invoker’s rights, 4.5.2.5
IP addresses
falsifying, 5.2.2
IX user account, 3.2.3

K

Kerberos authentication
password management, 3.7

L

LBACSYS user account, 3.2.1
least privilege principle, 4.2, 4.2
listener
not an Oracle owner, 5.2.2
preventing online administration, 5.2.2
restrict privileges, 5.2.2, 5.2.2
secure administration, 5.2.2
listener.ora file
administering remotely, 5.2.2
online administration, preventing, 5.2.2
log files
restricting access, 2.4

M

MDDATA user account, 3.2.2
MDSYS user account, 3.2.1
MGMT_VIEW user account, 3.2.1
monitoring
See auditing
multiplex multiple-client network sessions, 5.2.2
multitier environments, auditing, 7.4.6
My Oracle Support
about, Preface
user account for logging service requests, 3.2.2

N

Net8 network utility
See Oracle Net
network activity
auditing, 7.4.8
network authentication services, 3.7
smart cards, 3.7
token cards, 3.7
X.509 certificates, 3.7
network encryption
about, 5.3.1
components, 5.3.1
configuring, 5.3.2
network IP addresses, 5.2.2
network security
Denial of Service attacks, addressing, 5.2.2
guidelines for clients, 5.2.1
nondatabase users, 6.4.1

O

object privileges, 4.2
OE user account, 3.2.3
OLAPSYS user account, 3.2.1
operating system access, restricting, 2.4
operating system account privileges, limiting, 2.4
operating system users, limiting number of, 2.4
operating systems
compromised, 5.2.1
default permissions, 2.4
Oracle Advanced Security
authentication protection, 3.7
network traffic encryption, 5.2.2
Oracle Connection Manager
firewall configuration, 5.2.2
Oracle Database Vault
about, 6.6.1
components, 6.6.1
registering with database, 6.6.2.1.1
regulatory compliances, how meets, 6.6.1
tutorial, 6.6.2
Oracle Enterprise Manager Database Control
about, 1.3
starting, 2.3.2
Oracle home
default permissions, disallowing modifying of, 2.4
Oracle Java Virtual Machine (OJVM), 2.5
Oracle Label Security (OLS)
about, 6.5.1
compared with Oracle Virtual Private Database, 6.3
components, 6.5.1
guidelines in planning, 6.5.2
how it works, 6.5.1
registering with Oracle Database, 6.5.3.1
tutorial, 6.5.3
used with Oracle Virtual Private Database, 6.3
Oracle MetaLink
See My Oracle Support
Oracle Net
encrypting network traffic, 5.3.2
firewall support, 5.2.2
Oracle Virtual Private Database (VPD)
about, 6.4.1
advantages, 6.4.1
application contexts, 6.4.1
compared with Oracle Label Security, 6.3
components, 6.4.1
tutorial, 6.4.2
used with Oracle Label Security, 6.3
ORACLE_OCM user account, 3.2.2
ORDDATA user account, 3.2.1
ORDPLUGINS user account, 3.2.1
ORDSYS user account, 3.2.1
OUTLN user account, 3.2.1
OWBSYS user account, 3.2.1

P

passwords
administrative, 3.6
administrative user, 3.6
changing, 3.5
complexity, 3.7
default security setting, modified by, 2.2
default user account, 3.5
history, 3.7
length, 3.7
management, 3.7
management rules, 3.7
SYS user, 3.6
SYSTEM user, 3.6
passwords for security
requirements, 3.4
permissions
default, 2.4
run-time facilities, 2.5
PM user account, 3.2.3
principle of least privilege, 4.2, 4.2
privileges
about, 4.1
audited when default auditing is enabled, 7.4.3
auditing, 7.4.5, 7.4.5
CREATE DATABASE LINK statement, 4.3
system
ANY, 2.3.2
SYSTEM and OBJECT, 4.2
using proxies to audit, 7.4.6
PUBLIC role, revoking unnecessary privileges and roles, 4.4

R

remote authentication, 5.2.1, 5.2.1
REMOTE_OS_AUTHENT initialization parameter, 5.2.1
roles
CONNECT, 4.3
create your own, 4.3
job responsibility privileges only, 4.3
root file paths
for files and packages outside the database, 2.5
run-time facilities, restricting permissions, 2.5

S

Sarbanes-Oxley Act
auditing requirements, 7.4.3
schema objects, auditing, 7.4.7
SCOTT user
about, 3.2.3
restricting privileges of, 4.3
sec_admin example security administrator
creating, 4.5.2.1
removing, 7.5.5
secure application roles
about, 4.5.1
advantages, 4.5.1
components, 4.5.1
invoker’s rights, 4.5.2.5
tutorial, 4.5.2
user environment information from SYS_CONTEXT SQL function, 4.5.2.5
Secure Sockets Layer (SSL)
administering listener remotely, 5.2.2
security administrator
example of creating, 4.5.2.1
removing sec_admin, 7.5.5
security attacks
applications, 5.2.1
client connections, 5.2.1
Denial of Service, 5.2.2
eavesdropping, 5.2.1
falsified IP addresses, 5.2.1
falsified or stolen client system identities, 5.2.1
network connections, 5.2.2
security tasks, common, 1.2
SELECT ANY DICTIONARY privilege
GRANT ALL PRIVILEGES privilege, not included in, 2.3.2
sensitive data
Oracle Label Security, 6.5.1
Oracle Virtual Private Database, 6.4.1
secure application roles, 4.5.1
separation of duty concepts, 4.5.2.1
separation-of-duty principles
about, 6.6.1
Oracle Database Vault, 6.6.2.2
session information, retrieving, 6.4.1
SH user account, 3.2.3
SI_INFORMTN_SCHEMA user account, 3.2.1
smart cards, 3.7
SPATIAL_CSW_ADMIN_USR user account, 3.2.2
SPATIAL_WFS_ADMIN_USR user account, 3.2.2
SQL statements
audited when default auditing is enabled, 7.4.3
auditing, 7.4.4
using proxies to audit, 7.4.6
SQL*Net network utility, 5.2.2
standard auditing
about, 7.4.1
auditing by default, 7.4.3
enabling or disabling audit trail, 7.4.2
in multitier environment, 7.4.6
network activity, 7.4.8
privileges, 7.4.5
proxies, 7.4.6, 7.4.6
schema objects, 7.4.7
SQL statements, 7.4.4
tutorial, 7.5
strong authentication, 3.7
symbolic links, restricting, 2.4
SYS user account
about, 3.2.1
password use, 3.6
SYS_CONTEXT SQL function
example, 6.4.2.4
validating users, 4.5.2.5
SYS.AUD$ database audit trail table
about, 7.4.2
DB (database) option, 7.5.1
DB, EXTENDED option, 7.4.2
XML, EXTENDED option, 7.4.2
SYSMAN user account
about, 3.2.1
password use, 3.6
passwords, default, 3.6
SYS-privileged connections, 4.2
system administrator
See administrative accounts, security administrator
system identities, stolen, 5.2.1
system privileges, 4.2
ANY, 2.3.2
SYSTEM user account
about, 3.2.1
password use, 3.6

T

tablespaces
encrypting, 6.2.4.4.2
TCP ports
closing for ALL disabled services, 5.2.2
TCPS protocol
Secure Sockets Layer, used with, 5.2.2
TDE
See transparent data encryption
TELNET service, disabling, 5.2.2
TFTP service
disabling, 5.2.2
token cards, 3.7
trace files
checking for errors, 4.5.2.5
restricting access, 2.4
transparent data encryption
about, 6.2.3
advantages, 6.2.3
components, 6.2.3
configuring, 6.2.4
how it works, 6.2.3
performance effects, 6.2.3
storage space, 6.2.3
table columns
checking in database instances, 6.2.5.3
checking individual tables, 6.2.5.2
encrypting, 6.2.4.4.1
tablespaces
checking, 6.2.5.4
tablespaces, encrypting, 6.2.4.4.2
wallets, 6.2.4.2
troubleshooting
checking trace files, 4.5.2.5
tutorials
Oracle Database Vault, 6.6.2
Oracle Label Security, 6.5.3
Oracle Virtual Private Database, 6.4.2
secure application roles, 4.5.2
standard auditing, 7.5

U

UDP ports
closing for ALL disabled services, 5.2.2
user accounts
about, 3.1
administrative user passwords, 3.6
default, changing password, 3.5
expiring, 3.3
finding information about, 3.7
locking, 3.3
password requirements, 3.4
predefined
administrative, 3.2.1
non-administrative, 3.2.2
sample schema, 3.2.3
securing, 3
unlocking, 3.3
user accounts, predefined
ANONYMOUS, 3.2.1
APEX_PUBLIC_USER, 3.2.2
ASMSNMP, 3.2.1
BI, 3.2.3
CTXSYS, 3.2.1
DBSNMP, 3.2.1
DIP, 3.2.2
EXFSYS, 3.2.1
FLOWS_30000, 3.2.2
FLOWS_FILES, 3.2.2
HR, 3.2.3
IX, 3.2.3
LBACSYS, 3.2.1
MDDATA, 3.2.2
MDSYS, 3.2.1
MGMT_VIEW, 3.2.1
OE, 3.2.3
OLAPSYS, 3.2.1
ORACLE_OCM, 3.2.2
ORDDATA, 3.2.1
ORDPLUGINS, 3.2.1
ORDSYS, 3.2.1
OUTLN, 3.2.1
OWBSYS, 3.2.1
PM, 3.2.3
SCOTT, 3.2.3, 4.3
SH, 3.2.3
SI_INFORMTN_SCHEMA, 3.2.1
SPATIAL_CSW_ADMIN_USR, 3.2.2
SPATIAL_WFS_ADMIN_USR, 3.2.2
SYS, 3.2.1
SYSMAN, 3.2.1
SYSTEM, 3.2.1
WK_TEST, 3.2.1
WKPROXY, 3.2.1
WKSYS, 3.2.1
WMSYS, 3.2.1
XDB, 3.2.1
XS$NULL, 3.2.2
user session information, retrieving, 6.4.1

V

valid node checking, 5.2.2
views
See data dictionary views
Virtual Private Database
See Oracle Virtual Private Database
VPD
See Oracle Virtual Private Database
vulnerable run-time call, 2.5
made more secure, 2.5

W

wallets
closing, 6.2.4.3
creating, 6.2.4.1
with transparent data encryption, 6.2.4.2
WK_TEST user account, 3.2.1
WKPROXY user account, 3.2.1
WKSYS user account, 3.2.1
WMSYS user account, 3.2.1

X

X.509 certificates, 3.7
XDB user account, 3.2.1
XS$NULL user account, 3.2.2
PKckPK=AOEBPS/img/netmgr_profile.gif GIF87at4NL|ddf4Μ̚4ddfddfdfd4fdd24fd̚424, dihlp,4x|pH,ȤOl:ШtdRجvKr8ݷA~<>hW>y~Gl8mt@<{hFsyp|=pz}zrqkwÈ?Ź8βuٔ׉}̳wO `89iӗ!D8HK"!fdȯ=u(`k\B\FJ3jg{d^ĥƵHӸ,o`ҧDqիX_Zʵ떣^Ê5uٳD]pʝKݻx˷߿amMǐ#KL˘3k7MӨ)(s԰c˞M֡3'HP`mjn (HУK<kʗ'{C^kγϮ]&q7`w &%^#ld "X$5|g_cug8AZ֢T"8؋,^"i7ʧqM ѢX5M&$IFdSH襒`V$9ζyJn XNzig]iyi:MNy}砇Jog:Psp hz"jebFh螝 x*pޗacsI`EnJꅒ:擪)jlky:Q,{Z뫌~j2{m= :E`D"lP,*n뭿J~ﱜfo40@hP@cR(O1!ɋjY:K\}<:ReGnϖ-YW\` o.=Й X; u\w=z-اmMhSv̦]یfp ڭxr;J7e\᭙ہ_7NxTێyesA[8dl#.y钥> @' ߲G{d n(З}Y~%$<0NOu/(P@>V]аҌvu%m7#^HS#؛B]op،XA_ ic 6RAZ#DL33pT!JXbKuaPD HsͰP,CX̢E.FQ*KPiH2#h6uPh7ptE9IX^4(gES T'a)7je%S@^QHH&&Yi^bq|*UV3c: LffY%5 NrSN TJ\3uxĴ$8sQcSQy|V/:^x6UlP 72w9uc3i^F>yY~Y6n;V=XV3 < lw]BۏѳK4ltWB6:ʟKy8s«X2ҞL3),bSMUko m7J^ju б`kpI[7r^K#I] q578C^[ǝ>i@Ծ݀v'|v'4fFf~,l+vpp+z €-;}L<o9nl8{Vomq:>6/i~rx m%_zI.uAҹ:7N^aþ7]a'?̮oc;S##v'[^}i{.A;w8񐏼'Oyȇ;PK| PK=AOEBPS/img/netmgr_encrypt.gifAGIF87at|4NL,0I8ͻ`(dizAlp,tmx|pH,Ƥrl:ШtJU!SvzxL.贷nߵہ~t~ SB0 ߤ%p?r UÇTbP,+(P5BI;08,1\I_oi0fʟd)ͅ/%*rX„*K~G\{^vbC^ڊO𘚃^wŭom6ue;t5#4ZZn|țN_yW_4"Kf_Ϲmf޼rh[`έUxgtO }#W-/CȬ&Ylu`P7 KK_F^%:АǜwᏀ`R9p( UXܞE'Ny-,PpYNvBq/yہ6]쬇* X EZOE!}`"9/6C9e넏fpit&-dkvhŢQY{`DFI~+Ҁؤ#sYȳgO`&'ݫq%ṱK]vM3 ]R4.(|M5<FI/z`S$:Euӝc"g9(x g8F~v)Q LqNMBІ: v Jъ* D7юz :ѐ(MJ7+s0LgJoT5ͩNwӓޔ= PJTEMRjPTԩZXiUծzգ[XJVhMZqֵp KJ׺u;s^Zֶ_K uMbe: m,d'KYzI.zvGyhGΒiS*cmka+ڒmgqR b+M^ҕ΍Z+꒕nWZ oS+MoOѫ֔/L+4x z,N|7DHu?J [) {V;D!>QV-~X)s+1O,!F0%3N~,eS 2 - ^/ì1پf>|Ӭf}3+9v.=ٺ~t-h=4E ю-#ISڶl3irӬ4Q+Q߶ƦpSUz~u]-kҺֿ5 |]?׾_`۰>q&}6iWֶ+js[-z%J ntQܐ";/E~/PҀI%I cޏe VAvxPlw'Ra5>`Cp QǓD.K.ʼnW= z/18fqk8fM(,iϭG4J| ȑ>kz5mZ.XT}I>h_|(&Wt<.!Q[Ĝg:}:řJѨɻVͮRK/_z͹x:uӽ7stHq<ȃ3>hOZBR2o=}ΒS?:Lr`\ŭJsx;|'Ol_\㔵R4{O{g5?34/'%\%W~'UhU~}%u}އe}zGŁ \"(ixwUuW 'gybVe>GO8s0\)y%xR8tG{Cw .˰󄘗{qThtaUFE(|'Ur;NsvXy@yfDi>U,w$S{DŽ#y wDyK7n)pa(}GhRgzWs4 'yׅcu#xxU {iAJ7Ds'wW|qاdtiJvvȋK \׆HDcU|JhUGghgT؈3U@z0EYrH|W8%v1EQ}ŏe~_QXW]Y<Z UY2i[N8wْ.9 ֐/y8 +ՑLp9B T@9J;9E\IR M4T-7SWwLq$ hbGfK~SAQrޘ;p9% igy;xuqHXznI QYvtT(׋vWPi*Ql )׉mY9'_TI;1YrE՛!zs84狎ٖYKuJ77r1gi詓ORGInX.iةThY 9Y )i\/p&uIҵJJڡ ::%&:V,:Y(2X1Z!u8aʹ>Q@5D:OFzEJmLڤ֣P:[OQ0xDM>"`ǖXxVjiykyJQSe !zrԥps{EʝnZI{|MHN7X8zaG6ךuiŜZwy B*aAQyz 5r؇xs*ئYuqJ8yyԕ!Ίdڬ$9/':Xڬ 1 v皭^՞;ѩ xڪiI積\ʭZuj }wٕY׍롄Ț"jɅuT^:([*ֲ.kn'4VIzFe:<+Q y%&Zr]?[NUUQIKGK/:y"@{"ʡ?%5 oP;H鵔i% 9PU2jBp(t{ +Uxz {vK,+}p ˸;hT` K5;KK+Q鹞{pKۻ5w+srˠY *˻{o}{;;k˫( Ӌk _8۟ˣn {뼼;q+;+Ի+K V߫#Ii[; %nwYV@ EٻQ(*\T-<ۿB6L g;Sooϐֹ9MJV |VKL\|^ܵ)Kܺ `lk\\o 'Pyǜ+R }l[lB9AdȮj,8"9IǗDĄ{ʼn\ZLʥ\=LT\,u|"Lĥ ÉBܻF,' ˮ&z!, 'ɬ Ws,lǚ\l" \͎ P 'ʤ*ͅL+{qhl\ ÜӌPQq|t΁HZ%"#m͔ ?ʣѦL#-6mČHS#.]0 -T| ͌KA Ge\r֗$j=.QlUt].!-ԓ<+g,Ջ׍֏]-|ٵ؋+HJฝ \n;qh>`oĀK:eH&Ҍ}.S~p2y_=E<=&n-V^VH];!PnT'X,1밎pгνj(,̺nK?NVKܿ10ҪU\:r3&MM&>ϙ#8޾ ? oV-.Y;8 aªPϣr}no,TźW}nL;5e{A?:_wYNz.Ny6oaC4%k[$ʭĦN\fߖMt?_n/l?S]GL;a=޹ 4<š?/S]N"Qpڢܹ_v?1N{NŌþ?R2|nycN.Om0028ͻ` dhjAtmӔiB_JtѓJ/hN uԃNMV_gZuu~ vbffvgv}pr+Lw ߍ7z=q~[ xN8džq⊋x%?9ʒOr喻y1o9͞~sLz=:Ъ>t {IN;ӶtK{U<u{|a/t!"$h(,0(4h8<@)##!"Y $#%$ݒ \v`)d~ݙhlp)tihI'|矀a!g:h=g'*j=$ciSVygg"*ꨤjrꪬ*무j뭸뮼Z(hS 5,0pʳ!t7l&lφ"R=xc͹Ĥ..䒋.ӇR@eVbI%!.(ς%l' 7G,|&S,EǮ9߼C# 2a1QNT4)GX#r5(WKuP!$%9$ qJpҕܡ-IjZ̦6MtC5 ex+t4ăy69/ C(t+\X]]AՃukccXľ#`W-m +W5e^zU+ " Demx[DŅ+,.X~km]ZAuٷ:wl䢜5!Ӥ@^"էm|G6\{Uu@BN%( 4ӰYѪv]dX[K\_KV$eK6퉋NxNm?ic2Uh`A YĒ=2qŲX5jod6 +D(t1vAbpӚe}8 !qMeyOr#b mePB Fm)qTm*Q;bLu粆|oUJTW+a95dńA\ῶfN")d]5ϵ+]^/yFq][/͜WPjN2(iYg/'BE h+F-?uFkb{ƽv6b[5=^⃡-EBn 1Go| 5>!!$TkgՖ`@ :rp EmIc\v?6 p3\ْm:1\ܡ줧Lǵs^:KqsV/v;Ӯvss{12ql)F}A H[BǸ၁xwD'p1OK1FUQȔYC&֍܄As,}̆:k s} ]ԯ^0ht۷HٽGozEŵ?~/,}n^OA|x?~pWy iS%9P 9 }\E%k@ VHgPG1  KbB'J)J0) +I1h Ą < Y`H/ 1X̗5*ȂH8 #< EC^H`GgT88.DWh- La8XxT= r ,Ԑ  ኰ px Ppӗ 9Sǀ  H Pa3sp {Ӎ ZB e @Gaπ8nCGD0n` t)h8n YyxY먐9b 0 "iZy$Yɑ.yyя[0)yW\`NT!@2i8HyؒJYKɒWA0@)yX Qfyhjlٖnpr9t "@g pN#~9}@ izЌX 8zG `PÍ9Yy9 (Z9Yُ)ٛ9Yyș By P 8) \ h 茫  kjɛ( p9Zz px|Y 0  z9.ʈ Dp@ :)nO49:ڣ>@B*--" J0 PE GKʤN ! Х^z . ,Z k@) 1r:tZvzxz 0 @ Z j z @ اZڨG  J "DlHq:Yzګ (z @Ċ(ʊϪ#Īz:f:Zz&bD}0 !%BBetگS!$N)*B$bڰ+:[K H ";$[&{(*,.02;4[6{8:<۳>@![{%B{HJL۴NPR;T[DKV\۵^`b;d[/Fkjl۶nprh۱s{xz|۷~u;[{8۸k;{,[;z빤{Kk;"뺴{;qۻ[{ ěۼ2;[+֛ڻ[{K軾۾x;a {Lkۿ7˿<\&+ <<\\{k "<$\&|(*,ћEkk0*k:' ?,H̳#*.,k'{3͵>]BN݄P7 aJ[,|# -4;46[ @nC>EF~SZ^B=Ӑ,ȑʖ<]}Ɂ\`n t~n獮玎' .@-㌾>;\;ʙ'6M~8Ӥ>~A=M먾$+&f~o_~% ˉL4](}.,C-ҞLn־#^n&~\~ì.=nCˎ~N>].& +?M~! 4/*/6/8.({lNok\,'2)N2#%_]O_4O\1$Y r|^*>yX(K /LN?PSU5Keo]_d.m&_w?`_N=ZH?ߒ?]ɾSBv/_O~>?oo/tOq@ $ha&$ȐÆ!x1cF=~Dh0 13$5mĉSK=}QETR>5jKU^(+F.\5ر 6َ~Ypz}+a\Fvd^(Y}:Eg*Wem/D*?/E* C_1FgFoDE41HH<ȦTTFqdI'2J)\#}D#M$H$SrJ3D3M5d*ê K!]=M!8/sY&azty-5Ne^\=8ea7z5eɶw`/ 9/یy;Zl.{͎V뺽[2avLvfeG+c3&V)7'9?Smq^nu=k nw]uCpu}ߎߋ:`Mةjr꼼̗|sgmXg z|[Gg~gs WYƇ8@/~f5~ \MضW\ԵD%ވw0%)&5׉9~f1ҮO] oՎS{'C!Ou-D_`D& sEotG4 ] OFsD"\ & NsT\A7>ύU<;MMu6loV[(:OVںt=0QcF<sl mvʖu~MZ9ˌ-PyK\fK%gV҈.5ȤknXZ3 !yI욓'ʤ{+Zbg2',9SN3PjɁӛD'U)*riXĊHYPVԢ 3\cȢ2 +?,@?$4DTdtA 5k@x囀  x< @T'+2'dBACA B B.|@HBl?&D)˛95*$C,=L>8C%LC5(6 *Dl7$fC+CH0JKD4XACLVSDc8B:DH+C@@3DD&PLQ)\<G:LHa\BH@X4DÊe<7A0E_ Fa,abeChHG> sƐ ErxLpG{33>_BTƂy(DU?,' VAB5T5BTdԯrT:OEKIrR5SETmACTʫAQ[M,SW@HUB]S\%b1%QP*_] VZVcVbm2gZnMRXR95#_eEm8UyujerCsLtne{u?wñ؀؁%ׂDW|H >BVJ S ȋ}ZΕb3Na0,^:5dLNdNdLdQd0>+N3v+\5n7cJcPb>w4LIPȢ4$ɕeDMK_8!_eI:L[u*bJdO>Xopgq&ro&oOd/~gU5>`eƝBHaJ N<fͪ4@$NҽdP&JLEQp\Xu'd lbO6VA(vB8Ch阦隮i^>pVgof:>aee~egX˦I.κfhF }œhcj8%7G.A@'(B'~)l1ŽÖfl>06ȖlCBHtKw^cNj|hNpLms#FFB P\h.έ|`b^d '>^>gD0nnV&'n*l1nÖ(PƂoǎl,|[˃NjRk5hnNo44kFVFڶ&aKF5# $@#""0qvn'FĖoƂ,6oVoa}Nj}NKO$mTOIeg%ͧtoTC}C斀7aK!H%X4_%P$p ?q'7qO^qwqo.84 \ƨ|^D;L(a_>J7dM4> d++4@&5w$p7N?<=6?nAVl)(omЦe[F.Noѱnwt!c(3>xpHsL+//uZ\_6 _vab7v=_qn?gvOl/lAp70j9pm`uvt-QM(T |sM00/\g]us9vagn)w; yHuk.0 xu&HsOx8_x_n7k(l(@&X-j9 ymwWm=p!//{{u48x{n`y~ЏA 9$Ey$g~JxRKFMK(hDN<1YDZ[Th!RnqRAņU!<q+2ѢE p(*<8IJ:)Zz)EJPfxQLX&^clQP<1'va?"N11>0H;-j@=&䦙z-;.c ij$% yPRlҖ Xdj!S+uIlY'^:(V@Lp1o`)!<2%kn> x,lA̫e]Rjʊfޚk:0IȰ]X@h@` x&}6i-*71kLfDήj/b,gv* ")5*?`ո5p>6衋>:m{_ zA੩"%Uʅ|]+m>8Sw'1Wniyǝ2ٓ{=iOy.Vjj/]SӞH-)dQsaC QS F.A#u+KZ6*D&6 ps~W4}q;ByS"0e >%" eL4؞:m`WpK"BP2LZ 0-OQs\&9 Bl`bD6HPR}HA4T<.}pgK|?mó!S?!YZ^GkxxD&1H,Hf ˆܥb:OTkI.RR~,پؤ4D 6Jр=+hleXR j'0)O 3RLwe%W7 E_4c<鿞HP ǎ9cN>FpYd ( !HI ҃Ԟ<]|Zy jfa~Ik~RDw8TJ.cI^mJxqx?]Us#S&uMfÙ,X?xô&E#«wq+g\}`Mn}O7kLWqJ(vlT5ԅxΐOv$gZkf9'X̮slMsˇJu? R{ o&}1MdZpO3yj:VX޶)]YJT)Wt5WB ΠnP[5 Z:ogmFs՛tWXLVK-7T^H_.Ο]1S[U'7dvmc߾1;k>.8 g8s r櫕ct>\Ɇ1lH-o_b=wmPN!hQ}{=A]A] ̜{_EU_%YéL Z3MQ߸&9WP7Yw` h!`[}t@aՙl@mpɡ=A1\`RR-eʭ !*})a1>݁t]A Au5MX4`IX[: Y(LU<V"ܱ^" 4|(5Vht 5!ܴAQ2IW|dd/R@0ΰYycՠ ``'>3!i#*C>$DB$CޗY>bc+&$Dn8ɯH:J5K>#)Q% @'BP.DQR*DFANu]S\FhHL= KBKW\GL)AP`*d%] q!˴AV =[" %MHĞpXVdE12N!@&@[ %h%Q%i&$eA _%0"9ZًH@TA_yمҌL M$gehi>'t j^V'_JWNb9N҂8 4쁡(Ma`NڝO~&PsF'~gL@fubg8n Kngty#.Ԉ1zZ rzfh6꧇~h@Tjh+wLU$ġ_e`g41!(ojp*#r"R)^zBvʁ,mڊN."☣Nb(hg.*jPzk)DyjS_lpl /٭*{hfOfe] k B* hlk$+4U)i'9F#2jـA+֪ImZ!6j7"A8f+&M%ţ +65X?]hAkPAb0DzmC|mjזm<%,C,6, Al Ve-U A+ɍ!RMf_2Nv+B\նآDHAPnmArZmI Չl^D+βkT:Hx& zfNZjf&.lVJn@@FFAV/ f-jnZv-n"oAp1q9Xm੖ґ6DͦV\aJi##$j)k۽@n"./6owoZc0w0p{0 Қۙ1]ݚ/EYY2D͆ hbƏژ.>hrMk@2md (.JΥN0s0j0 #/p/0U͙l1Vf1 G/Ḓj"#6&>g˝ޝ D-Sq/g2نn w_r.Zl)ކձ01a챹ƯN "ϊRlA(oz) g@V#A&. ЁLr%c11821 Ra-/-Ӳb, .DkJi2("  W+A^ , P22Dn0092Jg:k.*JoKճڴq-˰.3-)l2p&L) n#35+@ G/J]rjn8W/vJ7JrYoX2(s,0N7I-[O#_k2h&u 00CK+#'d#_ @ \5V Hq7kl!2+Qp^^2&PoQv+'bюa4`e `u pGWhvE`3f Faci_kR$OΗfc4?Sv^(p$7V@ssukwl3BkBZAh"&t!6vT?V^r tvvs˶罶E_609D!Rex&{'6Ѫo/1M~ӀgV[1ˁxi?D@@S0"n8c)4-Hc .[s 0 psoyLf]_+vxdN#J ς |gz6!-I5`~/w :sޚκ:o_A A$}d;zdYXaJOKHXLfy Da+qMC@ (7OW:G;ߩPx-AeNf[8;c RI+E *dO;7/7P8l %Q!f(&yzyF4;cC;+%ȳ|6z @l$x'̏7@m+38aKH/b8QME}pJT˴o<_}5ּs\< y*JL@ S}<=//!wx n-*/#$>e+l@G D@&?:C~ns.1+6(@@2'U4QЈ"E I2Qɒ%Ltb˗/` AD 'KDiB PĔ9E7qԹgϞ|:hQG&UiS9 }:jՠQfպkA Q&6mΜysEM4Cʒ$4qBe ,Z$V|oǹGyR;Î-{v([q9S 5<I#E.e?ereb2o&X`… :"044R54@`f32 `mxzA QG,(MLQ8q,:6ht+ܰ+2& L>棏20ӌO/]HE2\W/ < fшH/Cī`G]BUw+3-X͝gzͨ"+NL:-irP ^= eJ'r02PwL]W 4HZq[ƉWd*ͬ]eq{q%c"=)  bAz=, .cQ-GfFkqU= jdɥֺ-YgйFGӁbVk*M$ ӝ(ئ d"|a2ئԮV\l팛xՆp'G31Z,S/=VۚzcjuyB슱l ״3a56i^b: `% =U/؋SN!N{%$rɯ kdkV`T\f,Y{zͤxڽ0/ `2K3|S~ Zm \K ziV3=$^`*DARf dXkzE2RTЇ&+m`ȶ}|At[Y-xSo4J>|i/>5ayq%)ƴ1|>˽@S V!`𘎠80050oxK }`fc`oT/Ǐ [* & %q 0P`@+[d Wp]jfHk2"Q ).uq/ 5bh:EH R3Ⱥ0k$<i1 #q1d儂2161:1|,Y唚(֪fhJlݍ Ǒmq ""   pUM3`V /wxo!k'$2Ozr'u42# 7 [PT }ne2!} '!2~N2,ߤ/r(3q-q;.zDKrjvz,1oʒ1{"2(a#k{P $E$Npr^n0ak3u,s J')v3af9r*aX 382'2&Q03o3?i$*p\U5&es6Dfd)"'pʀc={)kZv3P798 -b-cBqg`21B1$e(KkR^!06g3(S==,w(EEWԷ+?ivkwڨuNwsiF{GQx?iuFxhN(S'U>⑴ TCTbJc2eA SǴEBYmm%gU 3*[[ wZi\I*.l*i]'U``d#.AQ_*T3DCCJM&w &s`6Hʏf(Y7PtkS bsN/uklkR1=[N't0,E >U+ Ifg*&Hue`Ϊ@l _THCUVq5Cu fjCNTjdM6I˶vuնR^FmWe%fx+xEP5+sf&4JkJOUnQ<լr3ep jn. 3v@a?=ɯb)vRLSib%5wT<6\D,q9 KwJwpIWpk'gr|@vZ` Or SS o}}vR~t@* ¼֍)h\(= :31Vn6uKQWe]7y;'7^epMu|`}_#:MQdmgl5 t wѼh~~9$AdlX)@)6uD6LUsbyy `Axzzx'⏯ eIP 0 th I9y=C`ٜ*>UDGE2]X^quٗXc "@@p xw,&umƙMȝԤ$J vYY9s)uw}uyyf GpUmPzx:x'lťa@^g݉DXi:Ӛ9AznJɤvmk^~H<8%I򪏓%^zz1qɚ̬gպ=Z?۳zLhkܩ_`^L۱x}w[l6%۞cڲ/3[C7;}y^{;l[B> u;{Wzu_d«8mc;U[{ڣ񛩿W<^TS5|)jO;z黾f1ŗa|o gwݏ|9~*p;1Ct69^(@ `X[dC⃅y[9:C~KEK' @V&ݠB@6XIm,ϱF&}7'i[֣L*꫾>"^<-y~(^Ǿ>i'Br0C^JWK:9~w^J5^O~`#6ޞ#t'?TO/O5mA_~@LLBRo3x(H"Xus`^'~ios5S _+`\pQw4)"oMy)d*SmYJ@@ $ha |1ĉ+Zhƍ;z2Ō 4̙4kڼ9:{ 4О=%:- "$=*2E!4 e(aڃd6dAf\.۵*mDlϞ afj} ׺ :the[s'>:%Dƚ1qھ=4E9\}UC $/ab ;X-5njbYeP4ݴ7n7rw1,>o|ڷoJg'`\s]>(C1HaMk)E}n"\G=0r' YAsY#Yg]u\G`[}<Zc>~V X}MV)h4^Cqu_A^gZnJfn>fcA֡E N#)To&YP=b(ooNgEԅUvYߔN~iM.6P^I*j!z棣6%}E ZxaI=Qfsr8wO>F:GWYD)JـHj݁{7`any-jj;њ pë{҆ym:uln,T%(q/}5Wb v+۵%gX]3>pW9nC;yMPOİ!Kq7ej`=v%G64zR/,)}%XbE+t*X޷ޥ]vݗs?Mu?Z`vyˇG}yY-qim{@0BUZ5cRJ{P& 5;^B$ZGY^_/^k>`zzw͎i6\Rt& 裓^:!dAfo@vb x9*z"WbGxq`DiXm|g}x/^҉ |0K~@//~8i*2ޜO?% @_{_ M> X`}cz>/ x~ 0K_`T>xk|!SPH4w@`3t?&Ac\T@}~-w}G u G7{S7P'-j}yvg֗ٷ5uT27d*aAvw~燎#(V&gx)XN+R8(g/hw2H"h"4t$y:T6ׁ0HFdINׄz/lvw:X|k.s^^(+KGa}7A.Wv xh~0> ~Y%{V"qh8Hh!ZȉxC8XxNhcׇwz>cnx }_q( aHҌX5F9\YE]xhwHhx:p؈{VhӨ8Ո8؉Ԩx )8Ix\\q[2]c %`QG~H;ϧ 󈄕Uui ?FBI9ByL?yV)Py 9RvgB.6_S`v%’12sI`237 ѓYIxXٕU K)8x#586baa3jbvk rmo)6696kvz)|Y~YɉI99Y\i e% SveeTevy~gh:;)@7iE9EٜMYIIIxZz6C&ddv) ~rDwgáY99:KٓəZ9*:ژIyj>Y ZjjNoiw7k wt~Q6I6 {)AٟЩ Vi鉌y8oZ ɛ)z_\Q@i uZդ$y \t&oR^psxH9gEʋڨvV@qsq>GJdg^4zZ0AjjtDꫩ m9hʬꬍ D4ujڬ譁&ٮ4jRڭUuX*|hګ qJ{}h K0ư}'w+Q;C;X%{)K2۱51ut9;;3I +kG:kG۳JK0FUzgZ\;_3hW/ e[]s tkpc  ftgq{%Ǵp[[rDAX.KK˄K7밚k8ٷd=m붧[{[ k[H[ K Ժ 뼩DӋck+ދ[ʸ)ۼkϛNƋK狿 B;˼;\kyrM%  L!%;\ ,/||$,Fl0{ +<,?ľ2BZҳ,,**9JrǙU l f]1v& զ>{K]HV3-؀VH*ƛ=ԞKnnnAqR| 0Nn~t.6E)$fd!4ҏs-Ǡ7-Sx^d=ѝ| W_ Ӣh4L1|bmq"_poYl(F:M-tJ??6 d:ژS W@O򛝢I3TO(MW`_QOψ؅/+/p ][_.?IcE KJW񗡟__/oNDRer/oN/|5/8_|mßm_2?JyoOIiۢs ` $X \xBN,`"E2|qF3h$SdK`--Ό@}9PI.eSQ"͈ԩr%խaʤiNi\hִqΥ[׮˶L*Z^w & zi}p@@+pAA#/AB 3pC;BCqDK48OTqE[tšRqFkF eqG{trH"4HfB9$tI(i2J*rK.2-sL2KTsM6L,ܔsN: NdfDLV,μd܌t||\Ҽ[L@ q]WXf84FMS҂m\[C5@,dJ)DBͱK Ъwbq=XD]vn6Ƚ u]G٥SmZm.ԂW}X4yrGT#⛧S\R0:{42-|sYf7n:۪)8o>LpܣxL >ț;:rN:]T7NuT#JJ.}6 `u}0*Xn& ݌+&6蟽H X xl#\P&;}Hbxbħ=:Rm5$*F,Ѱ5ц` cp(''M)ئ41>0s#!F1"#4 %}d]Ȇ rt!FJd&.T%1?qm% d>R2Q<$a¡VRC+gI@̥.wXt/OIb)3\f3Y3LhD̦69Mk girKȼ9v%`p4y̧>Oճ @HMBІ D'jIEpF7ю") HTPUt(MJ% ҕ=*hTִG75?s#0 PSSԨSlT:SȪ=QQu` +@jԯ2ɬWuX*UyFoMVU(kͫ^DV.{Mi[jWڴFU=,b,55,\+Z|%,Psٲn>mf+kخ*Ut,f:.֯g+ի-iWi-aq[v8 mAZ泵=p;ٹvEqZٝnxI]U.A-%j6UkNk+6/okXjM\;^wYM.~{^ o La׿Vpy>lmda. WavXus+bpdJYةmLQYNkZYL't,{Y]v\-3dNj,)uHTՍr5j@ Pz^ӯZG%@Z 6=&iS{fOhp@mĊ XMox~\ZmlG] @Jo0.aw'<̻gG(g ` `n/o8S{9m*c @ dXZqu;]19σfSx#).x V`D`aNq]YvկNw}\D`,8AЀ+1wxw~^Qw J``kc:_]9MN 쥐^z3꾇KVȿMi=M }=?ۑ9ѥy='W { `@h;\wQ?~Sg& ֹk ,|VV~ɧ}րwN8xuixwhҁ}#8,Wi%8u"Th0y5X;$6x0i5> < @QFH C HфN K PQVȄ48 !  !@ XQfh S ll 0 hQv( k 0p6 )h  iA.Ah3 { !y7`X X; h y"Px xHHX!)،dg{ (Ш88܈`X Xpvhè>Q؏8 ((؀X;؏X v7x iٍ()' H{'@p/yy,?I1ɇ78pPEAْSy3Gɇ~ДN&&ACÖki`(шx[Y p {iz9җPZ3҃rI & S ,q+Xdrɚ=7v%Y&Y씛%ym2kF6in 6oG)wyXF懺nF}ǀXs3' FާooYԞp7D1'x}zY>yᇠSd!W GǠ4w szMyبt7n|@j|w| $:iW} xI-:j/gwJ@whvt7Qx #4zy|zN{)rcJ2 Z4J{59xǟovtfZhڡXg4:|^*}ٟtjWsXjuF:~j<*qx J6)Y)~`%YꪹTaNjNڢ:ź;.ҪPm֚6pyڪٺ޺⚆:zꪃЮ:Zz;PK+ܡPK=AOEBPS/img/ols_auth.gifMyGIF87a?޵kkΔcΌkƔcc絵ckk֔kckkֵkֵkcΔcέkkkkkkkΥcc1ֽ1cޭc1c޵ε11޵έƭcΥޭޭcc1cc1csc1s֜ƭs1֭眭ƄcΥcc1ƜƜcsֽs֜ssssss֜sssssֽss֜sssssssスsssssssss֜ksJ99ccBJR)scνcތs{{Zֽ9BΌkBJ!ƭs{Zscs֔sksR{{{Zޜcƥքkֵέƭƭ1sc1ޜ1sޜc1s11c֌1scsc1cssss1sֽc1ss1Ɯs޽sƜ֭sc֭cΜ,?H*\ȰÇ#JHŋ3jȱǏ CIɓ(S˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJ*PVjʵׯ`ÊKٳhbM˶۷pʝKݻp˷߿ Lˆ+^̸ǐLy˘Tff/ Y>~bFk_ɀ۷x6ܻy [q/-_jСk-zֳG`{x;ɗWμ;}jb{'LgT SgtVX~fXS ʗzx =xTN=a(bv5aݘ1ODF݌H$c |>VE)ޔTzgQXfۖ?Xdt0i&LK)`^llzm6pu~>cyI (~@_AV(puD٧t2)h杕i*fɩOR9MNCxit%ij뭸뮻:++Ēm{Ҫ*jdfmn^m-Rf-+/kオ;ۢ+a pZ;.J:)'pĐ- )1R}BL1~ߝJZ=lFڥb6_,+<&93$ Rr%0{2?NŃ<L0}Oa X:C `0 Kœ*.̡Mؒ @/Aip@( aREk#;AF-axCo;#=lqبG>jq\d_с=ҏl )HC2 qv#ad#"hId0)f8q F8&)Jjc,MvrCIɍ [`!T .\X"8#MrR MpN(΅{ h>V0 36 u?Ϙ07Jrt uhD QT¤ASyvCXJ %]+5JPy4iBYY p0iRƚUi5cM)$ 0xbaj \V3.kSʞ|s_kIowabXq&gܪKn}f&._Bٯ^v\g;ؗ$VmeJYjvc#Y)X1iSƊv k !ќmp3[X:T'P &dAؽt,#ݵ^ 񞅯6#q?,Lo* |/k YBor+P^pd;RO=o3,֧Ccѿ {`E'n,}xS9w5;B:yN%FFc'_:Ј4qr|ո4JjKZ.8I l(:&Dp \vHЈPdH1viK01`AD.ݴxVH_8xNJoo(Y8+&bHNfXбi80ኰT8TiHp8XЇexchD*$cV愐H ɐ~hNtcy8PNmy{HeO!)"iXdA!$)I8iY؋.Mۈ9vAi86Ao( /y]r]+)Z Kҍw(< Iԍ&!X8}(`(^oHMl5 N[9"v/!9LTt /!rɎ Eigi0ANO &>y ҠȚqP'#; ɏ hXiBMvA$1‰0ə%oą^d7O`W(z2⅛h{mYEQdIEVh$x㙠'#(ʍɊ.hyx옡IHJ ڢW.20:6z1Q86<-*#2DZFzHJLڤNPR:L | XKZڥ2ɥ^>a Pfzhjl+0 3;ۻlށ۾ ۻT 6_˷|k̯AY$k˳ߨ2º -ܿ&VJ0 :FK" G@ 6đDULf[vN˽K7 Yno{m\Z<#_ q , `\Ȗ ~ \u m mAk1Ȍ%IȦ¡\' 8ʤ/L>ʼzʼ<0  ˸]q̷1ǽ\6 ؜ڼ, \δ]q,Βj<* |< IS<w!M Т<}o]m^mO =$m=#](<',<+09/463]837<=0;@-?D=(C]Hm)s\Dts0{ >VP0Q6aL d-Im ol8CN jb_`PIz@]lI]3R{vj[Tz֔-Mms}T{-ڤj`  ]Ptճ4-ڥx 8շb۾Yڲ ۶}בMK-I3E wlڜ->zpw7Ap}ۯ]3 ĝTMPݼw\}pxMVؤ-}]Ֆ gm}U  7Յ-֤"?]s 1.PmZ2al[VǍ|֏P| {mU֤]PMٔM ]R uYUXmY]vdLSX߻.pN׷lv{.rAnׄ~Po'8ؐlS ?SM}G=pA~٠~wpڧunE31؁-Yۄ^nþՔ8>lR>K>3T ثA3C,x 2gͩ]C~|/7-ۣmwp3՞>Ք;P>Ղn>y=k;.NM>.^4S?>3> /ݓp]WNSXM npl _1!` g4v.ں6=MfCo?g^Z] >8a﷞f]֙~nA!k_ޝ$n~M=@>mS/ozOx42Ձ韏/O?֏z/O1߽Jr}Elj}>۟/oL)ڃ˭J DPB >QD-^ĘQF=~RH%M*J-Ρ L'tf:)&?P*tKM>UTU^ 1eVViΌNJ|s<}*:6ه7܉6'?B<*hў?FXbƍ?v_Z' 5ÞLҝu5B e,]ʵmƝ[n%nr[̓t=(9:((eΡ (سM6x͟GoEgiöMѵv50 DdA#"dΐ;m&> hqNDPA _1FgmB䴛~/& GcbnD%ǺHF+2K-Eq˩ :+6 p)p/F>/3O=rO?4PA5OBE4QEe$C4RI'4G+4SM7崼K;5TQG%OKE5UUWeuS[5VYgE#k4jڕHZ6X-mUt;2|WaeMt#RYkŶF83ຄpe:JŠO06^y] ZD4, -D:97 =kyF~ywy觧Y>{Y׾{I{4|G_Qg}? ?'@C`8T`(AR`3xA v4`(B p& A8B'|a cB6!ixC氇;a8DqF!ωOR8E*RHUbsE-vы8(gD͘F6qktc9юںc.яd"9HBDHFqde'9MljgBgwOt4''BL}CP<҅%LaAivԥE(ϓV(&BgwnҡK9PҴ;HwKN:=W UUpƔ_V:NgEkZպVխok\:Wծwk^Wկl`;XְElbX6ֱ|eX:YIW1YXj}eA;ڿŚiQZka;ۡyElq[f閷o;\X Mq\Q)7!s BPwjH, wA_*&?RL ^Z]v]*I7Kx=\M"&&kAR$ f"-#LudFzKAtxEe$LLrK8+i& fjkFaT;01 _7"vӍC,ޢ8ɦTq.4+јx±sags[ͼ\)nIZR4Mۂ8r얛ی+>`9D~]tSíq"]%30)1l[32 hrA<ȉ x=G?yY|j)a~Wheƥɐy،,pj sjF[ӈW_l_,ANx]Uc{ҵ 0BG)BԊf(cn7vlc.D9#Y;NHa߮Vlj}/x(jsO~u^w+nBR]Ɍ <˷DC3Yc<}K3'f32s.#LiL[6CC.9݆!`'miSS4Df|33 },H ?w_J?ko!ޙ:iw9Q~¸cw؉wF?a;ipذMP4dcjU=sXŧћȊTS} GM>VϘ1?7A?Q?K>B@dFY@Dy@K9 k @/+į{.[Û\\Q;%zbA<@h64hBAPA0й뀻#6o鳈&*4>S" s1 .21X ӱD1,6=x%>T74C*q0ID23>(3C3C 6K;)>G+<*Y4dw94h3LLICGH3WA:дٲ+˼_TK6UVîf6`@AI3z OGEyC1DKӃ ̖T#DOdOP!BYIyOndP%NaQ>,Sv=VZLv_V`H>E. `b=*c6%..~#8fjgo^cR]\`~gxgm_.r.,|Fbvnbhc^fÊcj^c>2N,laveNiF+_3_r&i>&d{~] tVh&i,6eixcVz+Ofbnn M@}off`Xc7j(Je_~hk*kn]v Ta76j냆c>]`}Rk^߰icnb=V .b>5g2(U`+^떶vhffh]nc4&f1cƾriۍ#bmn^6vcgtց1`ezmlٞ㍦g+.ݶ 욞^kv]Nhn~fr:^>+_vΦhɾŠ〖odLm~fw-im p%p`6i vf lNO.jmށ pc6g>.GΈ'7.,'^4^1Lj2wus5/7gx;3s9:<8@GDWEO+?HIJKLMNOPQuH'SGTtSWVwuQgWYtptuZ]^uU_Pa7N/cWZHehvhiWjclv[7t+pqOm'w]7stWWdH'I'8NvO}6 P{wvvvGr__Ew(xtȀ~ux|tuoxX?^WGyGfyG wtx_yRJzTz7zdOu_zYwG@|}xJz{{zy x8x{7Hzww~G{XozNGgZ|``'xx/otΟzG{y| wzzxҧ}y/kwקx?gHƏ~TwWب'|}t|'_w~xggy hO~H&|!Å hPr#Ȑ"G@$ʔ*U\%L-cҬIS@:w'РB-j(ҤJ2m)ԨDdD$2h`@ FTkX Y72,T'@dk7 U{,X,XybBB'I2f3s3VG.m4ԪW@4V 6LP )m0~8rw5b}kC~d⹏/?g׳oףcGl c7Kw@~} W@FPte_B Wc%ПyޅWb'h+|18#58|VGxG{QA?Zta[T@XaQb9^H 6V^S@_ Eq ' ιYknצgg0x'ygS9J5gg_9()Zd"*'J:~Fe:r$jhvRz* P*ʺ⫳gkfꑩ+klǖlkJ;-:%j-z-;.{.骻..;/ڋ-{/ <0|0"0 ;0KpU[|1k1+1!<2%\'2-<35|3Χ3=3!4E}44M;4ԫ-5U[}5Sc5]{m_=6e[i6Ң6q=o}7y{78n+8O'8K[~9#WS1xUd>:NV(K0a:N):i9E!E \;X{M8NY^kowOtP?>{=y{__??T>(oz̋;{b02 w>),O#^u _bC^c(üo} ꏅ'|` sB"!6v0,CH&6\!#8A)PT"(6&zuc 9ߕ{4c׺#vs"N3 q7,jύzȤ5A\$$#ٴF摒$&FIX26 Q2k2ӽRU|%,c)YҲ%.s]+(,%0ɴ_ 1e,|&4IhR5Mas& qSi,':ys&;)y3'> ^ ˀ -h+/!AjJ^/bE?ڮ]$-4/.I_Jt\4iTJ-΀ ]=PuT2]7M t`1 Zf+KSSֽ \?ՠ++ONk* a[cMZ*X˪2* ΀TĠ ,_:V^ժԠF6^nUeY^mlhipr\O\5cӪ4g=^kɪ6[V+F; ^EWh:չVAWxQV&lElt rsTTc`]mm?\r5  z\J%B|e{T[c ײ~׽Z{]@zu*|ܤ7YKګ{բ"v=.^0؁8\]W緣 WTzN9K.rPazrrVrh͜Tn˄Metc%VV%jnWӸ;3Ve;OUtWUU310<9M(u@.Rz)q/R+ /%]}ҮJJ&4VWLҫ`2fj__ZY}@w.8pGmO4ي*izwm3Z벞.XoL2:`qag+c!g960 h鷿0bnMj22=3QJ*dgKe~s?ܷ>F_QNJ>M}{䟔/ӿzWI8K* ߝ% 0`*  V 8``ZLH P  h` yx_`FvD~ F`D h` w`HzIF~ g!L8!zF~J~J _RF !M`_jV "El| Tp H,t  Ē @!eX%RbAda}0@ ,H""X4",DED)`P\p\,pthb%bec0#'vb{ BtFDa$HDXu,t @q\a3RH#Rcc020bb1V'ŎhW`n<n87ntbNtNuFNu^v*NvnwNw~xMxyMyzMz{M{|zM|Χ}^M}ާ~QlN# E 'M PE u&(LtPPNh~('Qh|yyhːNOh0N$B -i<)E~)O@Yip)x)il abфJ hΘ.O (x6&*10n{=>4N.}MJԬU OOPX 5)mJ_zD.X"oV8mNC^aQm__sr:)Kv"6Â-)2vܵu:6Z6n!,`cX’dog#TiKh_jkvcvnmlanCfo!n6( m7r qrGr?JFf5 :eZK0VDvS0` hFw$!z_uSU vlxDXIZ&cwa}Lb]wfGAw4̣?AH~Op8f8"Zx렆dz7L@!Z&@~cA4FGJ#b Y8wx\\w@y8!\#b,"tg%% *841xI:-wb%>=~EP"D"oP"tcx((Q b.kw9epŚO9{sH#x:3a7_`mx;~EnHn9p`#4zqL$bE8w`d022O##N: J2.5:ϹL@w+Dc(: ţK %AB8^lr] "69/㡲buPzQjdg|2A5f#G[.|s9lwkdp{[{7VǶ' ;F%CTo:ABbs:~hq0wa}߅8cu7;M98)J7yjX9?b^zHx D\{n_g{=2>:>(~BRZ~ J'csz 2=3d鏠V"t7?R쇆ܧݫyxz{8{{NK|I̷w~rR=i[=J11W}J| >׶~8W?!_ky+8fEZFDZظ$S>@ 8`A|@q`B ! `8qAA9$I%QT#BݴbCkȚQSN+W4Ҍ[^ 4ko߿>U·F 2lv@ڶrcH[7 n^v` uǗZ~1;@xݫO@P@/& @y+ 1P *#hj:K Ŷ^;Fڳ. PH R7I1h (YCRIfɸԭB S1ɄC@ R[‚V[=(8p OLCEQJ`7jsA*sKsQI--Mf3 k@ 2ڋn{ STD= " 4ښ-Ŕ,jYbg{u5`v2QO-s%*UV5bcQ9.Rρl]mh&](`ōڄQk7K1x$! މX-\]Cx[c/曩$y*Y%p.Z5U褙秡)ZfmZ됬룿{>.[jZwc~[nͮѦJ\ /O\o!\)1\#M{. M/aPtVguq,Ar=߁jj=ojxgy뙯vAr#CS%ZG?? տt|B] [Rp?c)SE`*O߶AЀ-dV GBN5 <=HCR5GJItCpGHp(GqOxś`jrsLp yˣByWGExY@Xॴ%d!8G)qQ.)>H?|L"vmG Nmhb+_iQE Rt*'bKQ⦔tDd 2:Vͳ\,lc$^cVe42gIm8 ꌈIYA+hsa:AcXz8g AO8ގmTbu% ۴h0myz1~02fl0V-82(vT%PvʗϐTH풕DhTd#fCrƆSѤ(0V8-MaR()P*XUg ꉚ(RQpPպȣ@SՕVQ\RE}N*zhA1K\eŕhUrYn2VA6:XfPеi[cJXbhr0PR0"x E|K ei^Tƕ9@:d_yTnAO~E^H\1j_nk20lKȺR_`W0m7`."ᄅsbYĤ0Q>,b#XbqTbC܍qc=d!9362j,XJL֫f#Oy*Iʒ,g9f\>L+`^ߋlͿsՌ8y\tn^,ުJDx ZW$%@U %69WIqޤS@B0ϝERDPOa krp2?dߩZ>섧 kBlrӽvʛ?O]o}]uY0.{wF D_o[)&]S/)G4&ʽN (M55"oԻR %}G#26Id mۦNyZdWÞ(|yhx1^qʕÂa0Z2 55hKy-cIsj_)9mnM^RtUW|؁Qs f5@V颞R :uyuIܪ>U;gơMmB}SVeB3nuп6f^utL@ d1A3 >VKizSIU䇺%{ R5_k] o(I`rG"Rlf@tG) ]{]=o{G['Z|[L[sѱ$})&f >mc\k` lZ oOb+ԏެfnEiW̋(.+ޞcNEþˎ܋5QBc.() |꫻00}j֒bp ivp -C 5PMpbMahp  dxheP ͐fp?BА%gtތ 1q;g;m$-1)19=lAqIMђDUqY&]1eqi1eq1uqGy1uGq3P1q 1w qɱF1qI1q1q2 r 2!r!!!!2"%R!;PK^k$5MMPK=AOEBPS/img/login.gifgGIF87a޵ksJ99ccBJR)νc猔s{{Zֽ9BΌkBJ!s{ZsƭksR{{{Zޥքkֵέƭ{Jc1cΜccc1ccΜ֭RRBBccJJZZ99ss{{!!))kk11,ɨԳI&4YHVQeH+'Nr GS]PKU3n4)J˗\ʂ f5p6ܙ!(-VȬB(2cfh/C% `qjX* `t9sVos|e洺sW˷|J 4X0B{M+/RL"VRQ\U5kҲ)$fEtpL\>L:+>~\(ŕ )׃Fh@dBM,CZxF*g|Q^F` ^D@ZztXH \h _E"X|JBy} ƧS[[ڥᗺpEH$DE>^1"rځaAFhJ`p&nihKhP:YVe)ryv)? F؅ęif](e`A#Xjg)TVk1eҧYߒ>;$e:@-W]QxbfZN+^l)ژt"\^ʭZJ0V.qä|jłQ8jBOVxTtqg[E ia֘H<箻4h[ YAr*,T$'x3)b۟T}D\W`P*"Q&oWPbUَmuYwKD`}w* ymK~7X^m%.W.ƜGjr\jգN| GhR<](TTaFOX(N`![T!v~ @JЂ3CЖBІ:D'JъZͨF7юz )qA"(MJWҖ0K18ͩNwӞT4OJԢHiPMԦ:PT*ժZXjHPTԫZ XJVrա`-Zֶv M[J׺ k$E ,Nд2 i bحrLEBQͬfJzfGKZvvr]PҺv=~PZR ͭZekUխpkUbTMrj܉vЍ.R\$I)u>%-xKMz|Kͯ~"LN;'L [ΰ+!x GL(NW0gL8q9co@揃L]H䑓d,.P^ᓣLeNXem`ޗLph"7fpFL窽x^9πMhwܹЈơd,ѐ#MLҘfΥ3f<Ӡ>`GO4W SսP5g!Y ĵŵ^kW>vF3-Mj[ζn{MmG- vls6F^[҅-y߷80 nSgp^8^pb 8]~5q|A2gsgq??y3~7ҧ;=2s[u`_3~t#YwK[i7z~CEw>Pk>q|Nr|rOr[з)xwr>vwGݾ/ށ=Lw~8gC&|y򔓞a= Yt>j[CQݫl}Yl_talwEI/7Iׯ6iDXxhGi (ln |zl Mh1اfhf0|Vx * , Qxg|3sq7u0wu5>xqx7׃3{7z'QVuƧ{7{mvw|j:WgmtoȆUbL\vZG؅7Aq utu(|w8TȁEh=:ggGYW? #Hu؆8~e]zIyUԔ谇95 YHd =.ّyrT=.Y<4 M2)i#~Po3Xw`:ٓ< ?LAop)y` *`N0gS9pG(}Fy 0;=4@QidCI~w<{gppy,wu=< ;"?tMzizGЖhDŽ>sxpIw eؙ8ȉHHy 1Iv41㐙yoHv#w{iu| 1Ii1Puv\Yz(JxowɝI8IgYyWiYyUi yp/ -iyKɕs))0?HX| 3 :p6`X#Z')y05@i'J)gB 3pcɠ6p@Z4䤨/`V / A gPARz azH_@h,VjNlڦp0tZvzxuipjH+ :Zz Pj٧:*hꨉa'@zE$`Z oZp"zz#*`:* zZ + *ɪJ0 ZjJ JzJj@0{ڮ` kz˪z [@@ZK*:P; p( @ а,K@3[@ʲ<۳4JL۴NP۴`$@Z\۵^`ViZPK=AOEBPS/img/netmgr_adv_sec.gifHGIF87at4NL|ddf4Μ̚4ddfddfdfd4fdd24fd̚424, dihlp,tmxpH,Ȥrl:ШtJZlSzxL.E.zn| ~oW~C?PJsGDABAHpFx@EǻɚIƶp֭߳ݒҺb܋晏8}+C{#ZwΓN#MCXQ`J\2 R 2dHIo[ :%М$͞@ 3jIX[\Wg4z5Ǧ9B ecFqnvzH/^,.È_1FCL9ʘ3˽爸MӨS^ͺװc˞-aCmέ;/n Nȓ+_μy&@سkνË=:?;_ϾP`u&zhG} PF(Vhfv`߂p%@,{ԧDh8!!iH`r $@ L6d2&ATViTH@1 ydxO~1.1%p)c^ iJc*^3:8碌6Zc[^eQz#` Hi pf>2s­ϩު:뮼>VH>$klbZkr&U+rն횷"f䖋\I)C"BJ:[8Kj":mʺn[Ҧo++-1.r\(+ėŖ0 mClS9lB|=G1@-TCH2Nz. Ʈ3B3MHAnw3x'tG !#"ws,uՌ_Hj- ׈xQ Y ror Bc tύϣ:{7>xλ~!Ǜ<9{Њќ[Kt-g_`CO>?{`+F`6 DMuW=mou &ԅOmSr>%q[_Zx% ay@ h ְ,{ LGakDN GEUq&,(To!{!  `P4T.FO(BnqYd'|92 @ " đ}b ;yC=OD\Lhrφj($8s ` pЎVRhs `(FQޱJ/h3R.O @,ҋtliSV QqxQ>% 'qTjC8qFR0]@=?j~Z!;Ϯ$t_XJӤ49gUTo5>tui^hE oqJKeF@ f cY+%P@Y:EY T@hp;\-6H)vLP/[ۙN$DZ\_8@䞩`Xޒ4t+ <ʶ=m7㰌"P ƶ:1%'zsivLEp HN5]S`dgMv3MB&B;ѐשE[.@7Ny~~G_ ִW;:nS'FNĘe^+׏vu=g_ ̯iY4kbPJ}l)W}lao{sN_f#ukc{ع=vӛ~7mow-{ۻō[r#$P`;w5np;voȧm(7%]YZ?ጸ=EkZHFyg=I9'Cwye؇uWJ3YU5;Hq狒(E\U^u8ѕ"ThPWIE.`U卫UOHPdgKk8xxH#ԏ w(HG X4e#I(`ő").␝-<7z:.,omT/;o. i9&tIvOtR!VIXj=Tzdui`P,OC ݁zuGā6!Ffۮn͂I[.l*መd9ʐ&JEǚ00, K4(;2+:, $S ԃK*3ӌ#<˔W<[hA]6lNJPI%B `ZTSG@YȉԑV~U|+鬨ntoyaPɂt>2>ٶeS1"Q,}%0kD D6Wr+UG'񞒾CycP*fπyiS  /@E)Xr.ః|Aυڷ8L?;U^1-*1 ):ߕ:Jd7%_0aRؿ@PLWMtjHD"Ba&L! Vh(ե?Q"J?aN3|!4R~}DZL(94 (W( :נ8s` \43r9qq{Py,`ظxȍD&pSb-,:^31D5x&Fㄝe9pA: Θo仐.ϔ/%A:hєܡ `Y .ᬖMD5AFԙ0]}&) MݰݜԄ%6o`Q0t&l^[|7!x9ZBj 8j>tD+T(\zbjE8+aS-xs8m8l|B>T4 *yQ}"V_N1|eRUsJ`jR)T ,' 2S_ 0@O^N"KYuUͬEإRmڂZP,jPFȅ*lc2t*JµămcEQGr q\H7rµX^_כS)Y \cl}l`(n֒V$C޶.N{QqSLk;v6$^I3rAh%`ƒRu=Xc)N.4T;n2sÆ) F^s7 EA3; Jov;H臿EX#%My0cx7L4qQ&%]%p* [C,P+xSj`$cqvRqALgiubg45 QЃ fDSK,5'vd2P,0s/"n+%hRZ4baڊFobP=!z$)Ȕ2?gB d5i0S1RKXbФ.L8}!2CIsu{٣֧V3;ti0Tk2g43В4%,E/F V@[vϓt\@Oi4]SxU`{"fOc!&H۽펓I>UoP w'.ֈrZkJ|8 7 \E1+/A4D?(ܗaF=Au4.QΝQ/^2ifbMtM-׷}gC||r YDr{|N4t;ckWbFs(}hPr{bz26~CPՐ4&`!?Ga=`q؆yѧKЀPOC&F=s$:;Fd1cK@E|R|ցjARdLY(5d)l= dl/DaL / -)V3Or3VG4I2jHTFitjQMƧlW<8`>iXdUXB#~PKÆh'6G|sl=Ȉd1lYV_lfIl8(f?i'm#f8F: >Q=}?2kf7?Ѐgu; ~o!QƉj? 8ELPx5DQR M$ȌGDn&nYd,ЀO:Ey*tHkkĎ7 p!8~s*@PmĒMB8O 7(႓0?I(wArG4Ow˘')gIɃYGE9@S U}f9a?dYfyhjSP @r9t ts|ٗr}_GX[S|ck1]ALGz℟d:gQ;E^+-vo&}F6ҕR Hx(Tvecee|3>(Hg(48q߀zg׆I؛QxW9ɈXu^DH)cdM3`v 76O-p7zsPS7P<ԘwdjA|o(^@(!BQI ?&=XbHP'Y:aǍI~b~)~a _j(IMoh#o/vF=%R" Q:zG>(7)1äyyzGpq)PPՑ`+qB}9;+r8~*f^B{bu TAi U GjKeyrIVWD/qF8i8Q8]5ʨ(7kJH3$ zIHؙBDhoRKڤFLF6M8k$?تV"O6ykQOwIqpHj7"y$!yC )9f_֊xk,W.R: &j9 y {䠚@Ѱp@)Aa "QZX@.*.в0YxÀH%zaHbj ~" 7g´_59#x?#m8muր\J}ca'FF@t::~6~>>gp; =gd/хU4G&}d}&dh Yn+ %jf2Mz|֧9 b )kh֘W0i&J '9z[ 1j76H*UZB&ʮjm˻ɢ˾mE ۚ;pzooph]g}U~EJajxqۮ0%kX <[LVR)B@j7j3JP\GT|`S\XqY\>W`\aCcOL{/NS=φx$>SKH"L-#L-N39Z䥖f!;"KdV`5Ev tMw%vk._ڃ=6J> <|(= c.lKđZ*wqmkSO ,ωjKm2>1!țc]1TLG'ݴ&dTKYU+\wZ>N>%K<+0OM74>|sk&LWKq 7}^G./J_S:q^hNT8ʲ{=#=;o 9!L M—j 8UG/= uN3qKPe/Lc9Kb|g)7c/S ZM|49πz\7h)Y ')Y.,PE1l %Ɛ.ґ jp3U|pˇ;IMlr[KBR]<(xX!{_ɇT|Tp̊ŌU4j1bg\\,%rkRh)K\hPxlQʽB2jQ]Pd"_⑑\d Q|j_ rIPI%xǬ abYKxwSe5n$6LBЌ&n, jdGK|B| 7\S ;y@*=̧sudO5 >jlg9p6'J3ͨFBML$*:LJr %MIH;#sэ8 5] /${jnp-,6eq u$6t'ejӪZ>OFJb` k`Jֲ&fMZzÙpk@*׺+^׾F~ `Mb :ua,d'Kŭͬf7{r mT$+Қ/!-jWZͪb_+ږnw+oKBsMr:ЍtKJ*`Rzw+@xKwa*@9‘~} 6Ky 9D}Lm+̷0%6fJx%cRͰG| 71ދuyP0gLlxF!^%kL"f,,8ٸܒ(hHF7 Ae(h 7\lc(@x1d#7>^Ql8 @< |g?3!Xr6 QCy7[-f|0YYɝ~6| p pu06_ DgrcɟB QXu^!ң0_5'y,V R9І L]2+Lg<]UZsWP|?*>Ƭh<ٶ^•k`f#Ņ+(m09GZ"q-cEƸB`L&3y-.5g~m8wr簕9χf9їOHzh;Pߑ5{`NhOpNxϻ瞼fUO;񐏼'O[ϼ>ؼGOқOWֻ~hU>пϽw};?>;Џj_&={OOOϿW W|YW{ ؀8Xx؁ "8$X&x(*,؂.$x}ؗu-16x8:<؃>@B8DXFxHJL؄NPR8TXVxXZ\؅Px.'ub8-dxGgh0lp8&txEfx$|懀8A Oa <" -< 0Q ` q É.1 @ .x# yPGCM2Q1UEI_P-ψ -Q ЉH (xȍ=ˆ9ӎ0DA$\a.a TGgKJ(8 X/A `x/焋XI*$B @ M&-aR 13T'ēXВd8IJ9р 7i..G78h-a ^ [Ybf銳 /ᕅЉx 錝H،lY I`P 8 Ԁz9븋RI9" ď0R) 0BY.uBQ)Rę(ɚd-ďp Տ1 H~BTDXp渐eY  ͹ )(( ]Yٖو 򩉊8 銐#Y1(.1LR#EJN¸j)QI鉜ԋ)4A9m i *:عs-e|y9xY)H)X H )ʋA7iXIⴥ0Y$jG-A (Pc9dn* pZf0j 3jtډn liɕ(4ɑ퉍GY ɗɨ O h6HN.ՙIIIIejiʫKUڡszlâ}:yͺhY]ɘm鐩 ڮZ ˰PzǎR9TI#d d0j H:tI$  *i ѹ([eiZ *I3[Xy~טri Ǡ8):83TpjB `7IVRM=BC]ԄQFԩJfNeR]]^0!? G20!d^ DZ.]tP!<"\3hmUaAs-;aK48}-]j r={ #Lq/!^Ղ00A8a]0՘1aMJAp=ٸƉeڣmQw-Qܠ}m Mӝ-]zh0ڙ }Hڴu TAEom߿m7mӭ2Q}Nߡ n>=f0l@mA.g]AY=]g"ml]o2>n $+d](bLNǽ\A>ZMl-֙`+vM3G^oR^'F @>Nf%P"^b~h^^n-hvn9`e%kNscn/}~ؠ^MN╾0.8␾舾.過{B{娾߾>`䬮L.Ͻg V_m>Վٰz~j>l[.̾춎?N0.n<.!bvfc@- d,e^ϝ\'??>Algi0c<ۛ U Io+F_M__ Ye%6?4.^`CNg_]"[`M&\=o:q_'X}=*dCւo8__6oН՚"xO@Oq>-$a?I_f?WXne?_OSoů=oO/myP;> gϝLW6ҜZ{7Ƨz3JԢضVBZ*佉M{hݬ)wŃsEhuZY6V\m]3~ycoKZkˋWvuDHUb񺫃o:5xG+<ig{c?2h @ H`SЌ&鼟$ l8#CJ49 bB%,4DKljPT qobyCiIhq 嚲Hrq|L(D O H5u:.= DH=ts'[)4tCMQ۔B)3$ }6ɬRG ɖ T83o 5F۬Cԫ6,a?62ݳQUJU<-Q=ѡیv}zNbaԙOPRZ~5WߘSWס^F>fI8Hc>ɢ=hڒFpH a" Ljp37AfX 0 ܠ'O]z/>:j0*=|SȬi D |t7sJW|!ƑԵ-2Wla.]Wԧ'[vNjGt>tWwTw8~ީ_ǩɧB@t qônC۷> ЁmJp:8w[G7w=wصk9Gc_';څP,PiXp(5iԜ:T(9hWEK/CPy捜]!q>M+y:UHw(h1fP%kκw4(Un!qR`Au @OquN!.l(DQůuA㓼;k1eKօHΗ4p,hW70}ksMbʛH>9k鸜3$ոӾ LY!߰9!2"aPXqڡ*9X y aqAtqؠ2`"8%ܼlaBўgKBQ4|[ q5:A% 9C0kڰ1''r12yr-$Mx.YA1E S'*"&B'R3,1(>i"v*zJD6:&H'>S\#U:[#J3S#hWzi2D#HL^CĨD$Š:i|)l *mԯ0od-nrCk+uG"?s,"ͺGsCGҪtǴ"GȒ2ȁ+<0Lj̊ȋȌǍȏɐɦȑ4ɓDɔTI(ɕtɗɘƖɚɛIɜɞɟʡ$ʢTITʥdʦtʧJ$)4ʪʫ ʮʯ˰˱JT˵d ˸˹J J˶˽K LdˊTŔ ̯Ԁ dd,(ɌL͹T Ld| ,MҤMфͰHM$NMٴФ\ 0,$* Ͱ,NNRM4DϑNqN KOlO|NN%K 0LUN MP(\ Ъ $PMݔ ͯt uML pѤѸdQ #EҢTO! R80$*I,-./H,O+53=I0`6u789=2EA%TBEDCUFuTdGIHKTsLNMPK;SETUUeVuWXYZ[\]^_`a%b5cEdUeMUgWuVhjV U})Seopq%r5sEtUueWvJ' KlwzJyUm5)n-~v؀؁%؂5؃E؄U`}K{JdՆuXX\WVׅ؎؏ِّ%eˉ%XՓEY{-|P<}"X-ٜٛٝٞY^uđPLU ZږˣՋٍ٪ګڬڭ5Vdί\E_ȏrm#F$V―QmTmb'vR(bia߃8]./cbQ%Uc*2bbb 89U]RW(};fR4Q=Y7F:6CFEfd1mUFH0M] DMd]S:e9EXP6S>Qd}LWXepY\]Z[`a&fZebVeff]>fHfif:~懈jmfQp@Pr6g"sVutfwgrxzƴ6|}fy&hFN~ p臆舖艦芶&6FVfv闆阖陦io@M&Fj5fj?^ꦆj{}jfen.ت\e^av`תjX[e~`_VVhIkX[d_^.V'knWZƮcǶ^]V&aC@BX8EdVnUBZeB0WBmCUWUۆU͖mNW%v~m\]mFUmֶUގm[Vn^NaenN>U>XjnXUVm.oX5͖.l>l>6\v.cVH mV,nYMnƄUmBXpnJ d _UFvVYNoNwSEqn/ &U$U'UqWFqa pUq U)/r*OUvm%(gU6UN`|pVrYE'r6s^MJ3T o Or5q'W+/90TeSs^Ow; 7/tG/pHUVoU5rYESU+JCUu:_VQuYE+YOUWnluYen=IPJmVnAv٦>uVvm@tBArmvmoT5TEqoֶw.Ӗyq[|7BqoԶmrtuGxC6xygLowpU]SՅown%_yrGEw#'rIx_gTGvx_sxmgpvGwvVzDwnzon~B0yUzc/t"?FK{>W{B?knyk Oxmw>Y?StkApӆ￿z˧UX־|Oyzn߮EpԯBG|hqNOOo'Wrї2?~dG~|mw}wT}'?~ԮO|~ IWwDt.m`GJ$@AZP!D 1thbĂ.$`BJ4cÌ%L YH!|GB( sfJ2)T5ohhʞ: & 9 HHA7,YYZ )&޼z/.<ЕdPEh,.>+gd Ӵ<+Nkd֥dOÍmUφjٵDysTr2ςQ|4H?$ζ5˓frA}Zg d6{xgڠF׸ś4Y=xQz^`t| X[5t^HESB YZk bF$e$DWPG^wv#9#=ZIxbwlEeC'@QEPV"X6w/Q2RnM&U+Xwi!}lDD,Q[ʡ՟4ycQdD^GU{7ڛPV%n_n7瀋PYn>6Ad)iOrړ4Đ-⢢tSYR"+ծ)* ue ^ud;.ꥠ f^%zQ&gUGSgH%HS>Qm^cm*ޫxqH" i Ytewyr8flr뱾27Hnvo`q)qH~V9Q,SOP4%{4ɏU ۵h.i_ƫ{mdV5\h˷F]$2-is`}| 0 irhgV)JbrܖW R\\)59m~hNƢB? *啋͚9cmjOx[BPU݀jƻh[7L2kQ(_>C>֐r`!;ZX< ٦2p\3Ue\bBD#ݑ,rk9Ij<3K#RMrgIwBVz$ MF#@u/s!sFhɱa#[<'7;d Rxxr:H%T\!N|)z6I58A Q|a#EP㞐- ~ˊ` e4(Q2%Pi,]<$+Wsb@J"˒b`(q)a3|*mYe.P%3h.sl㥆|!`f2u)JdҚ<'ٗ9 4;[ ϴaBڼ7}k$?u T-(izb(j[!щR(F3эr(HC*ґ&=)JSҕ.})Lc*әҴ6)NG4Qa *ԡF=*Rԥ2N}*T*թR*Vե^u^*Xúծf=PɊֵujm+QӞ: +^׽{_+=,b2c#+,f3Zvf; ђ-me m-lc+J-_m򖰺-p#װ\yZ7-.t+ݾ>wuZrW.p\/xӫ^算m/|v-}kK^w/<cN+MԖb)PA P6+Cw$vOWj] |=h*XUc8=d!Džʻî J` Gnj`A(A"(3a8mGrh4ÝSLp4ky^gul iXJƧa1'GY hTabwD$a*z3 U@¬Ip[G׍,u-U5@t `fV bflp3, |e ܁w@B Z\yկs^mm9^v/OA5m껊 '9kնǼp+[ma=zK~r*Ϯ_X$W?5l ;xxB /I PSʜp.@s ,fֵnuTA9/k-;ϵStz E vP/x OxNṜCSGޅW7΃'/|쟯5)ș^/e~du? kaU)~}cAf?g_Y.󽻿}SfAtAY֟Ͼ_N}Y8AAٟڛ_)I`Qџ<")mY5`ur`e)]_c`e6F{ aWaHAA$ [`l!^}!ߑ!^m" ^auU!^Y !p^.bY#!j"ž!_u #NQ 62+ub").- 4<ԁ$U: ߚMc=y6Ra^7Y c՝!%a_Y$#9?&"qY~@<::ͣ"> b DUeR^oXu\رfvsYA: '5`1'yd_`{&+"X{2&Lb @ ؊ Յ 8 P":B(!9]RbL7`G7 (B@>فFyN`Rhy݆v~()=Σ.^?R](wS>cw9((袑(_vbXzUJrW~m`\/k!V]XZeNE\o)iuUZ)s=*ea^)vi2&YL*e&t5jb:vQa,&j-Z*jjbNש*jªkѪ̭j6!*+Rc\-%1>+FN+V^an볂)~++zF+놰kgk+֫++kk"RHTȫ>,F*Ă+V,nf,n,jl뺆Ǟ,ʊlʚɮn~lƬά^,&BҬlО,"--,s9+hĘ0A*-fj2-~m׊,6ޤ@(Ē-ݾ-Wߖ:mΕ d`tɭ&)tARxx|RP]nz`r-Oy.kCn4R !_GrAD#9/LbTq(;//+H24sJ{ tE3qK\y72Tg4FPss)0jsI3 oVwɚ8t:Ӵ4N7 /ѤMk +4 bW5IcT+EdkbrCuFt\߫\2_So3 V'vU5c/BO6#o6~,$ϴKKlߵ\`m_4OsdJ=3n5T..W);O*/rUKJwڷd_䝁Xײ;sCh;EBX[#W2m9nv@2kNTϕ;kn 0<nK;x6wx-y;ltʹ߹ z_#&,9+?/o:w:(ɹ⪩騞zb=Ζ::dYjl1}2j;:Gڱi/{:nI{RC{7b[{{;caI*#z?f-';e ||<.j&{a5Y*.e^YZT"2oy'QV[iQc~|}<{7T =<=Ni Uk*ŷ = Ӡj~oǍkKjꉑ۵zi}>+)1@3%}+rO+ ^Y>X|{%>~J6?`~rcZh*ɽ.]{Wj#]?]$^Ey>"jg葞~^뽇1>|<O?oO~Oau2$<` h!9_;hn"{7"g"]"@$LX0 ?Ҁ@d0 ohC5>ЁE/9fM7qTHB#Cz:hјF&ٳϠJ"M>Vjs*ѫMJ 0lYͦ%g %H6h1w:eVl"U aE ǐ/„' \J{@fɃ '\YhȣV]u*K2,d!IۘA4ڸ_NhΧV>ǐaGVzϟVOM] w=EUVY4Q;Y(=2F!K 24(2{BoM!BL@&DdR@h#Bxa|P!\%@(Z;Q53R" &ǃ9KRz2; .b% TXA.R+1!ZP8ðN|C7(|hN00 /p$VrquL&Iɷ=]гC_j!8GF?l '1)E:+[݊Xx֡f[o],|\L,#bJM^# 4FZjX6$\L{3([ \k@*(} OvZP$]W-PFԄa2ߚX+'FVH!RST`a\`L\'!#GSSPҿ3!#iP1j.h>E!QnUn!0f n~0Go{1NKX{F&,߲`\e(yq[~yRP!pGEGU#&U_}+]Z7u^E]u'=~cޅvaeb"ry(R{\]|ɿ=g/H;}+@. t!A N1A nAB%4 QB-t 9h!2 qC= 8]D%&KtyD(NbZٰYF1Ћc4XxF5Q-idsF8αrcX.ґ}# G$R"! GD&R< uEG2|%8ILnҊL&= EP0k$CJUp<+aXαb-wXC/ ` $4`"lm')b2ArhR UGDv^t,mKJΔXDT@O{ 9Ӄ*4Ӳh ?ڥS IjZC3$PzTs,DDu,CQêU2]fV%qyb“e=9@ thS"QbZֲ0V%c;JPnUmd*V,]+d۳YՌN%kZC6c-m՗==S kQ} A#=hFn,O8܌!. :P@w,ߝh;VR7`b;V >c/gyV7vV dal|*]&5gUҶ@a$}dP.),,!gO TP\zt F`٬^7TX*oC.A!X#<f3c'/y2jW'ap8*_3 岖4#M|`n\%ORTXxpt$=GL>x`,SrYx:@|TPd.=걜җ*z,2Ue>y:u {eVڣjm[:5Sy$:6k 5v.ʗiA>]ae .C F/|7%5GMdvT%m]4dv[d z[؁ju̐xPz^m)hÂd r2{/éCl5M{LǻnQ5${B/uet';F?)>kQ:q~x$l/; WǢX/N?Mjf"^I{96ߍҼk"-i} g1 *2vپtǒ?1yg1?8t ` 7_ԍ+64mb`YUžd/{?5/=+̽|> f4E_MLg{HFaxv;eS uЋՂ0#*JjrT  )NB p꭯fIRXP andpnꗂi*}0|~0𖊰n   p襮 qᤰ QI ư Ui _ t HpO`1q!1%q)-фp-H8Vt>SG_Gq~Pf6YDBs^GO[xRrVy[1{RxQ*pgqyG͇c"HqWSQe(.'s6sQ~dɑ0f~kY'  !G!G1e YQ2 h^hbi2BzT#tp"z0#@ !H\rSjn@#m#f&\QRs2cv'QG'DZܱWFZNR'Daf#M7 2H 2'B1FF^B'Zb`8,g{xR(E-*|rv|">D^r(oʲI ^% `1+S_ )!p)t8-32*D.Ru"\lkG@E#`?`C% 6,`|kv%>`6G1 61b#x6 _bdmX$~37l; ,:8ͲzBDDDr@6 8%%6f;;P<ųC%Un3GFC>otAi5wX3Cn##bm$o\wowW1ow{5UOykbV4LH1Gs8Gov|Ֆ{f{!7]QwėRt#XE||Ń~Qw'tRtޗRR;z7!4u~8!qKтSrDwAx9>xxY]a8eximW!qy}T8888xxɸxٸa*8xxฎ8xhq9y y)- `9;EyIMQ/V V_\<9=Ryy}9+2@947Ȗm Qy#$`9`H=ٙ=9yٹgbE&깞aB.iBDBٝ :&9!"!@!&D*: :WxIMQ:629#f@V%Z!4BcZ#z홧cz= %ZZa" @a:{::::zZf:-&"yEzڬ&Z:C:!;%[:-%Z*zz1 @hbzۺr&]a;-`/%D;9fE[agzh`i'E1;i[};{aZ @;{h(Mۧ [a*@۫uڪ&{9 <|%`G%<:ͻ=M[9 H=YuAa<ƫYSmVp\ weȍK|əɝɛʭʱʥɹ[\|< <|ټ"|\mYÿܱ=aܙY=my=%}ړ (}9I}=Mԃ9ԋQ] 9imu}yS8}=؅}x։ؑ=ٛؕٝ١}کkOڭ=۵}ۣ ۹=Ž}ٽݟH=} =uX=~ ݔ`}᫹= %~=)1->9x=>E~A~M䫸Q~YUa>wem 98u~y}>~艾>~陾>~ꩾ>~빾;PKuGWVPK=AOEBPS/img/ols_dlabel.gifOGIF87af3f3frrԛrԛrrԛrԛrԺrrrrrrfwf񼏙2wԼůխ2Ÿw222fŸwfwf2ffwfůwŸwŸrrrrrԺrrrrrrrrrԛrذ,ʧHÇ#Jp!2X!, Z#HdI- E~"BH͛*A2cZΌ)'Œ%si,JUg:ȸQ5WbeIe)WʝK7NgQ@2?7O+fC0aVp3Fub+#UYfB,jYT^ͺ΋[D\5.3MJU=R&Y#+oML-y9yFko*rO6@|ǛQNNeH XzMw݁&NvAV=ŦbPAH^Gք_Ey{ d+ ϙQKE\$X\qK60F)Ra8L^!GA5+mؗ7ca*lzx{mi$x'.YFm9Gf&jјW&*gB巤[٨>,ZcP){f@ z*i)"OQHa~J=`Rlkإe ;WU&+qyTbӳeQjPbUEu&lk/Uޫo,<lS 7G,Wlgw ,$l(,r',43@8笳;Ϻ D,tH'ݯNP c@Q2uկ\ַpش P6ٶ]۳\ aS5324l7.´x֋R*k7/8usNxeܢX9,ǍxA`xw(մ"x8ؾ5GyKʫqQ́3[_G6rZ@vR|TvO0S 5Ol0~}?TAr h   ؽTxpBs~s`FNX7u!l* CTp؟ D @χ Hx.NoZcت0qmt`@ qxC"/U<: 7"r~2H9TWLX'h5Б]_*8; $H5pe*y@4.k2†d<6V{@d7ao՜)LjZд$&9=&^,7 "$1NEӝ%5 x̦Pqlg4:3B6sJj=cC M<(C΂JU& <"U>{diC_:͊J@,Tu4$(7OQi`h& vku@P (q_=W1ӗvNkhH g\fB:uG%JҼ+M[ipbOcYҼs6*͇}귇NP*X66EfJcr"L-l5c=5[N!QlLuvYef|,~n2qokUvnɜ峚2w-lB0Yاid68wViTTڈ1՛w+8 =渆_=nƚ7]TN* =j԰AFizo~h=kġMTtFcozBqzF׸]=Ze\lWkjXIwiSs=<ۅ|vbW['6PoUM:E[VDq;)+` 8yU=5htۅKiFYru [h,q14bT*D37~զ s2ɏm3qh!%r8NWC[DgG|>tƕg~tIWo66FJhK@#' DtY}ۗGK'^ev5E{%G~^C$}{FKfqp4]>t#= >A=VhNh 8!@S.Yd]70V`z6rh0h S9OhʐX;e96ƊьZ a Hyfnezr*^YEW{SzE'z9sYWBڨvlzy;DU%JruBJZ:7{pfw_ o5׬%GH7|vxn󚆇}YxMڱ0yWj\PzPYwxBT#6~|WU*WL*Wȳ'XB<;HE}A~JX IEhy5^kWw"e+iǤC|<[[CBdzv[IM 9Y)KKˣ;J7q )Mk}S9˭3ybu8%z/K m#kTȺ4* h ;{ۼһ;{Pػ ۽U[{껾˾;+{kث+<\| <+݋k K+kk ,1l('#a<@\h^U#ą8[z8 zGEQ?S\ @Ļ՗Hb c OcDXE]ExZ LPg{\4fX/#q=TŪǖFeR'5sU] >\fL4 h FA= +rjs;[Np <4ܽ N`Gj-pa: \o,sQܻlk;,w**˫6iJ+R§whHI\Swɲ,U Q#Bt{5JGjkkNk 䬑^HDW¾ mѮ`Ҧ;(ͽ02M3 7>@B=*}HJLCP=;#-+`. .1D0bMָ`ޱ ^}h(-bM Ct o- hֵy \׳-| }aTRF@am&),^m1C[ 0 *mO.TaEރk] n W~RN۝݆e^~N7~(>M=N<> ~>+zxn KW#+ٛՃܻ~!m6^G>\Q`F2q$$k% тܣa) Qn 1.X:~K^~P+[ӏH>+k .]@ K!#`*NKV8vI^+?08<:8 5xV 3I߉K5׸0{Bͤ|') YNx0_!ϼb?՜qm%Oh< "uo6?lf`5fXg< = w/ vT kǩغAO /o΃h^H3 OToز jVG$X ů ?;MT9z&L_ǟ / O50 88@ XHXP0)9IYiy *:JZjzz) Jʉk{ <L\l :Y[{ =M]ml݊-ɼ )^n../?O_on}0 i <0… _l1ĉ+Zƍ;z0#ȑ$K<,[| Ș4kڼʜ<{ ̠D=ѓҥL:} 5ԩTZ5֭\z 6رd˚=6ڵl;PK@TOPK=AOEBPS/img/ols_hr_added.gif5GIF87a޵c1Z!Rksckﭽ祵ޥR{祽ZkΜ!!Δ֜)!!!JJB991ޥRR{{s999ƭs1cέcƭ{έ֭ksJ99ccBJR)νcތs{{Zֽ9BΌkBJ!s{ZsksR{{{Zޥքkֵέƭ,˱'*\ȎÇ#J ŋ3j܈"Ǐ CY(S\2-$cʜIӡ1rɳOgԂYѣHߍSd"իXS#VJٳ8-O=ĘEݻxҔ-ܝsI ݱy+^<3 s[f̹X@v2ȗ7\װR,mMY˪f%d4n[_μ6*}^g;ν1)J5^ZpS{_Ͼ'P6u}MwϿ&Mx%OF8~% wI7X Vh!sD]^(∮a()1Pڑ(w D8</ȊDiH&L6PF)TViXf\v`)di"lp)tix|矀i²S&)(BhVj^)v駠*ꨤ Mx|)Nzzk+ۡM-gT;)':9;lW$NvMʱNm'X:'9 .On.koBnSjIWHOݷ\9<|= ܰWW^=1`ĭE[1+$o(_}lNmW/m]f<,< {H'ң̊=9ơvYfHrVwOXk-~'i=6S؏\smwX3| ӫ@ShS/v9[Vח)oqm/VEc^ܢߨzꀫ"NI6u=yko6eet;:;C yn.w߱՛_sio6هº*/xuЎax@u/k8AʍkcS@ d<u e|Njxymx{0ÜA;WP" >Yedؓl8L/1ܣ}৶sjOnݚE) @O(dHEU#IJr,Ty =IH''s|r)-VjrJ8'!0-qIo2' /]IbJr Lz͌4o4hNf3mzs487dVQ7:S\zgOl~ʓ (M MB*H/D'JъZͨF7юz HGJ҈(MJdj)LUJł  N:ӞJ2PڤUL5mJqzԦ:N)TSR)*V!T[ X$ձ5L`=ZV*u_m\:PJ+^j$J_;W~=\׷jR3YZ,^YrMEr`L*ʀ3l}ZjdXm6Tm\'5L2pPZ3x푞[\(qwM.nM$/ -*@1nw,zg161r_.68nx[68Ifr,X \ۢHRm}X0n0xI=qzjS c ^fl`ȓ%g:I-|c^p,c'S.ma& őt00x8~S [* +iM#h"頴4rfɪu|춹m v'{ZI}Eg7< fGAc W/]$H4`_7}k][i¢oklZլsdmYDԃWeNTW6sT YFjv57[EmkjsKy&ҰghnV;ܠU-@ 4m~Do[[BZtoPґUsK ](>sq:ғt{9`qicymu"D4}(.mkc{NO.ik^T<lv@t]M5y0G3H5iX%[]Վ飷F^rm|osܜ.Q['Ml.uS}ܼO_z'x߫>>rWi:?o#q_o`~ߕ۫˿'I%~5i'{7"Gxb&~ W1SvyzV$hVhby7`~Y$)8 8-ց+Fh:]Mf?vxGtwE҂X&0Ed?@dI8`oCYyƒIkz_H+zWsWh&\wdx64`%j~IWfzxzTtm7}V8gz[sXw8F2q_io7_c8b8|ϧZec>'h~h$1^UU`lw[wlqg#'fy׆uf=PnBUfVZUjiy<\UZXp9wKȄ8Vq٨̘Ѩ6`pCgrW$chxX}t扖\5|uSj5x؊pUKfkS[iZ8[,fHdy˶ngCgxwt([u8l&V9Yp1`&h}Ib' *YY G$.91{yx$X$%Dٓ(@)FE9uw+N)l%KNJ[&Exy%GY|R~)&%R"UJ,91<0\ڥA-GSaPb>H4* pMQ  ^q(ZZW2  UBO-(0 `[}|"E<+3^MJ+)@`ʩ«8wdNq'(*P pڥ^zꫝj;QZd8jPQ:$P&zW*e%Bd*g @!  ;J* PKN=گ?Ѧ P|**;N-+N>Z;?1 0U갷+/kL1@+6 =@K?+CE[LG+FgF+K+$j(X-[KLkJmk6'k"t[i+*oJykI{ (c;wD;L `J۷b~2ʸ~yKX' *D#!A󰴞 `a Р+ { yp@``@ʋ kߋ + %P` ۽e!dAPp:K 2@t[pP , !.4=3@P:B! pPJt| 97;l?(KK: [*=q-?zd8a+.Dnڦ NtO^ڧ)gj030{YnrM\L_ܰ(Jy9~dު:]PȮze^P^Q^nWY^|KazNn-^T=v/}ӌ<+^{JLڭ"DXu^K~X*۵r^;A&볁>M.쾞DnN?ߗ^:ldNJ)~_ R+N.^O]q4Ffx #Zlͫ@&B'sK"?v ϞN')?s"~jB']FH%گ0۴K1a$ 3! !j/\ d/"oqsf/ }ٻhٲ 盾+Q {Rjc&Ƹ ЖȮ oEq,{ ?,\qó<Դ&-П-\ ף=Ž=$n[^`<=˴|nԿs3ďY F.(=gˈI0V1\5"O/p@Xhh(P8x8@h)Hyhy *:Hzp {JJ[k{+j:++[l|L|{i0A!!M`)HX9yn+=Klko )/L_0U?uk`1>Z4oHM 80Z($+8U4Xș;4ِ  `p]E}Uoq[{pl½. lݴپ}33~E %|ѧ[n]:vז7˛=}[o}'u~_W][b 765}uuR`b"Hb&b*b.c2Hc6ވc:c>dB(FdJ.IqL> eRNT^eZn\~ fbidfj~in g G)gvމYtg~ΞJh^K.h> iNJi^ini~ jJjꦁ;PK[PK=AOEBPS/img/ols_apply.gif(GIF87apذ㴌ܥ[$W㩖!UnpnnnΌfnfΖմnnnffn3f\`nf3f󖴩fi̘$$ɗnҞ*'" ȗnfMJB?85!!&#ܦUQC?)&մnnnnf㩩ÖW|Ω{{s==9ʥff2«2fʰةf2ذح2fذ2ʭһf2ح2flrJ9?afFNT/̾aۏvy|]ѻe?EϊmDJ$otx\vйotSzy[}ߥڳӅi͸ѵϸz\ߠĩκ,pH*\ȰÇ#JHŋ3jȱǏ CIɓ\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴӧBJիXjʵׯ`*ٳhӪ]˶۷TKݻx V.߿ La~+^̸ǐ&L˘33ϠCF `ӨSFyװc˞z۸sFZ{-3OμyCNүkν<ӷE˟O߽OߟW(hXbK.Vh OE DK-ha!4ł@'@̲S0#zrYFZ ,;P*&dW")4jIdJQi&zRe_&YieBx)Yn&کz&l|)AeX睋fo(rh2 jlt2Y:蠰'뮣aɌYdZR:jI6ePrVb%>= $+rk)#!eȽo$`\ 7G|"9 gw ,$l(,0,4l8<|/ DmH'L7PG-TWmuLW5dMef_-tmxY 4xՍ/.WnS7NW8 ӡ8zV.OM8)ӽ{?WO7nSgAZ`ZoȞ_> je~Zoo5QO`˞P W(} މ(:R,zM7)pX4ZP{^VVȊRCbE:< ]@YKNk&:PgBB:\ 1+VX E5}2L#%(*P@dbQ1|d>.m2be>"!^|a:FpNm");jђHRdL E] >;VF %89I!&%)rT_YD4I&&@xH]TԚ5\<'"Z@8C:vA>]%l7C[}b'5i[!Ubia2|M(uȡ HGZ$b/si,)k)UTdmGS&јYc Ҙ ~%ZPLڒlFiֺ nUZ*WUhݟfyki [W͕xu]״UY]H{#tX)"cثM6,`_ mDҊ65jWZЎV@kQVUg06b(PoK\ 7aMrk\ uXpoK3QKjzv3Mz|Kͯ~ L8f=ݖ ]L+ΰ7sckɃ=x>1S0f9☌88qX@< b 3eN~LYGZ\.+8^.L2v,4Rh6p>ֆ7ǯG&RfemOo"A qtǐM25¼洪\cyԿV4 ꏱ)6aks6jO_w˂m;w=Dq(2ukurMl:'m{3q9kxsPrY6Dmrwؽ#\ Ϙ?N%z;6A,9f;:)pm#ўe h=CC/y o=s-볋tmK9Wxas u2Wy;s#8=x[CW;)xg}zrIJ l]ک6݅w;w|wWk'fw<׋8b&gfQ膩BghW`G؆wGh^XT؍%8;8pCwnhHn1f(hɈN׌"{獪ؑ'Hnvf}vNxqW{ǐ=cl-h7HJȄȏYJ9Kq {hܘ~fyp.If)J؎xUɑHqy{1k5yh,vun&kDhs3蘄ggmgs6{*issmvYek|9m)qhvh;z7vwyniǚh 恪foxYjYfjHfkhfy'FYyؙٝ9Yy虞iɕ'&vYyٟ:Zp 2ҩ9F;GZ4j7VӡQD"zbs"(9*D14z!3:Uj;5z97A=@* ?j;9*5C.GG5Pâ6V#ppp"NʤO\`4Pz1& _@MP< %2aʡDu ^xʡEz! PcUF7 0b  0 p Z'` *:#@%4ꨫ:@#j"J Gb*" !j!ʚ%9e4%bZ>-Yj:J: ڪdjڮjzڪ]!0  :Z"z{+k[ z![r_ a`Op?.!J Ъ:*!":%{kWӳµD G˺{f˱¬[i u|T0VpX@/Ye˵ !ƚ[ЯMKa^[JӹkaKk۩Qʩ ]l+ p znU *+s^b6ᒭU" PR0/ ; ˾ZX۬a+!B P ll{ kekLK&Ll \J֋٫EPGIK1 k _ۨ[ K@B01 FҪQ{Ÿl @{n㵰ʩfl* "<̵zU̪$P}l&̾˜[sl`6ȋ8l z83@;N:o|̺ʥ:֥nVW Fw\ 0b_* q<ppKĶz,B.ތQZ" -@B,3@ Jz˿{Ҽʰ i = [pܱ  p-LWmZ&\0*mt6i %0p*m}W+*;%X$^1&*(.0>42^8lq:>B>fD~H(LNPR>T^V~X;PK_ (PK=AOEBPS/img/ols_new_policy.gifK=GIF87alsc1cscƭ11cslsƭ1c֭scsccs1֜ckƜ֜cZscckƽscc1޵筜c1ckZcޥR{!RkƽckΌ眭ƽޭ1ֽc1ck1ckkΔkֵcRcΌ1kckkccέkkΔ!!ﭭƔ֜)!!!ΌkkcJJB991޵ޥRRޭkޥkckkkc֭{{s999ƥcޭ11cΥ{ksJ99ccBJR)εcs{Z9BkBJ!֜s֜ssssssֵs{ZssssJcs֔sssスsΜƭsֽssֽsssssֽsƄJƵƜJZkZc{JcZ{kZk{JZJ{ZccJZck{cƄޔBsR{9ks1cc,lH*\ȰÇ#JHŋ3jȱǏ Iɓ(S\ɲ˗0cʜI͛8sɳϟ@(ѣH*]ʴӧP}JիXjԮ`ÊKٰ_Ϫ]˶۷gKݻx_˷߿ LÈY&i04x 1 h&Pe&niYi?uװc\<ҵKɗ]&yE?ͲoW~m\ʪM@1ug;㣫_{zЦ9ldɛ| _Ii&jEt}`~Ziզk*pkiqɱW^In}șI78R`r fhާ$yWy pde#~)#dɔEcov`oU8get@e= ZpAgfFYan dF 擟IgEAIIUޓ[B({%XyUvcEnuc %>kszcI4Ʒj/dgҚ; (zقu#!U-pfd*zi8\םylWsuk* 9.$xpkc H˚Tph% i|5?'>&0|Zq\'t?OVٜY~uhVXAm9}r,5ێqv1vX`#벶%g^l[li@6> I!#۔w(g$V|9NRt ӭ(T녪^j'|G/Wogw/o觯##~ׯkHL`Y:0+ |'̠ؔ7z ׿(L Wp|> xw@Ġ/cPP{xA#IB^!=IT1{RLwE="hL!GTID(B/_$#1RO!¨HLF:T#}(>=ϓϻYF?`T(X=$RgD&)ZBgA殙c#$(iLfyȜ('MpqGIKdwb)Q?iFfjƝԧ#Y袕&"j (;+$Њ i &eI| 2{,c60fѦL IJm )#JdQP T25\|7o68TEծz{pLR.gL35[*fB> fnw=ȩWFo|k^EXlWjԬ$QZYOVEyQ )%LQON8j\YRJeLKbv$,c ݙϲunU\Mz!Q.XuTníeMON:,j7ؕ[6"]t `l4 n71kFґҗv#*Q&9y"TT^[7+tNCO/|IRNRTDLH(t/ WfU'{p^?nFpṊv;~x*8oycAx$='Dұ] @<@8"ˡr{6z7x<,F;AG]"ɗs='w7z=kp ?u&]O>s%G7qAr36\=Q[`)^8ZU}s'yr|p !~G1 ?n90S/z;g#|?9}/vDp=?W;1AC>lⳇ;jsAUFu{7t~'y;w/gwuC%s{ dwF=froXt#8~)xpׂ,pH>p@(*؂;E<(xppBoI @tǃx3+xF^ r(Og=tXHt3Gqhxw`vqpY(y؇g 5 wdq8t<Qy!$q#"; i4qs "!IJ4i2$=7,nQ!U2":{:z0q!9.;fQR4>9P('/;h7+’\513<$Z!-$Kh5B.0+B+&r _"#C;S1:#v#B#?[?T[PafЪl2h۶pot[٪x{V[|}1;d!{]aX! 0  8A X>AEq [K3:2-[bA#X 1  PRKk/ūۼʛ[k+7둭KK 勽{۽1!޻ [&K `x% [ `xѻSP k |KlU ! Kİ-7l # 6,[ ,$0 >\*\Al3a}lыɤa̹쾏K|Ǡ쾚, )̋ʬ"K lœ\ <\F˒ˌ@;Xˠ<L L<ö lQѬyμl aK,x<Ν͡|/hė %X Єֽ)1;& %ѳK̷ũ,•[ҳ@),ƫKѶ̺k'{}l +бo<7=F9 Lm)H@-? <]1ߌ < ΞS L g}a jn ll=\w˹hu y,|1ׇ ҐӖ-|=ؽtљ {/\%Q`]ԼĄM ǰ=$ْ]ۦb΢|uMh؝ظp T}4]+ RL0{=;}Qm5Soy B-ڝ;׭MKʯ*ݑ}-^}ԋ ۲1yʘX Հ֌ͪϭ\ ΍Z}#\@=0 ٜC)* qK*am+A PR?S?HLY 6`b?b */[okodr sT# 0O3 wKa}KC 0b @?H;ޏ_MO r` o64p2Bq!P Ow<– Hƭw/20_bpQ 5 kќ̍-.1paC pPL>QD-^ĘQF v-a@V$,U zr%D K_RY`f͛97b UTU^*j_ &jPW0 EVGaJ\)LShF+^$[@Q]$AYdɏ'uX5hTٖ45Kt߅J~bҡ2jōGϞvՍ.6b*9_t]{F'Rwҡ?_~YjP3UD/AȰ#N;H*,){HSmn"( 3JNAODć>P%@?aVP*ktKUıG!T{HJIG%5qɉB1H'!)I)%3#]4ESӡ&l 3̤M7߄3N95 E*ǴD4S=kDA%PC ݤO'TFUpOH'QJ$SM7SO?5TQG%TSOE5UUWRW7UYgVWc5W]wF\{6XamWbE6Ye'2vYgfZkZml7\qIv\sE4e]w*]y57^zZ{_d7`ux``fXM!R !b/~h-c4=E>dWFe[e;yScyfhhFz褋^hᆧG:kֺkQkV+lF{*fmv;n\wnﶱnV<p 7<Wq|w$QD`!շBp[\ORl))**IF_*bȊLXExb}X! .ЉZi!L(B)C:IA!d>@NF(P$9t#cњH22#f0D) 5|¶G %JHH,cb'51+xZ<9,9hrt.(e(Ey Q De*s=%.s\p/ڒ5D,< TB [ee6,6Gr(|<$l)O w,J4Iݦ6gA+ZhQm'UY~=sN_nUnu;q] o9O|3x[^HiWQ ':De /}e>80'5xx y!=Rp5aw’Y&hl&*"b-`8qK-4!ch*ۍq\;e$=vΌ!`!D tzLnP, rf27gr7 -y|,iVse>y!tssj{r\pњs ;(3pv3fϓr#@_Z@Nt}Bza1sd8y é>jױɿ^HjV`Cv !sXjseܥ/٪SmnN+n5CF&nw=ozwo~x>pGx^oI҆x%>qWx5q ;>r'Gr|S#8ý7yuc J͛SaÚ!ѕ~t$}Oz;tW;xϝ=z^t_8@1'5"t͐)^1w'A^ߝZ_RW@U;ZaW^\q+dA.wg^ 79q+~\_OyK[ i|Vy?>5{~[ |^ڥ }.>~Qh7g@@ s9}?75T6=jOz`ha /2P>bS#c鳊곁'Dcc $231 A4@ LA1h,K"$R"&tA\Êk-Z>Z[3?.[爳4-B4\5\49K,,-@`ZCC1sC?@AKHl'! BlB#RR#1>0C'@6M+ .> 5NO|D363545@3A(hSAW5\ŅĊĂ+8#п>Fcܿ#E"I(-B b(F*Z2c@( (^#ҭڪ@nRn:%S ?P$L ( D47˾RsEǀPTE[C,$5[,5VB04@YLōH#0K+P iAd$-F_tIÙ|fz 0d*,8,)z!*&uܥ^Z/@m&⟌DZHJvk|AU|ED5|4ʯ| Es6|33LK\t8 ~z-̈m:„<?Dʹ5t4TS5STEˈ4Z̓@$POT?>_C_,̛*(OL⒢: ̂ѬQ"βPPt Xþ+4DRKYkM8x$4\[;ClmC+%.1k*8,AEDLΕiɿ,!k% $Lb+ĈB-2?/ă`S"= ۓR5"6Rm[Չ Ʌ`idN`Կ:>FaFW@Er-[,€ yd$vQu(Bd{UNBO d8$9s8tuMUarQw5lM.׈WK͐ h8j,8P Dؓ{؆1|O.Q/iǼ1趓6:YeYmSYh٘ٙ=9 6őb"X8YOtrKE} Bګڬ}¨گZ^/N/[u;J r۹ۺj ؠ۾ۿ8eMZUeE"u7Eʵ%5EDue>؍7EpEpE`]E8 u7%Em]Ue٪=5^^^8 Ee7{_yߐGP>37Axv`+G ޷7FPN`~H 7IP7 ` `x>77-`H6` a~I 6bzSx [bxa{3a_ֽ&'v7F@`7->bxkp7va"!(bw+h4a06$7,7?:(7}+V7-9f"xc(cGP,Vc}kb>c+n!>`4a5a9~aGhUW>F0`9In^>~7@8`!F`ebd>LaH f)7Cd|HvbLַGVdRv*.e<IeBnH`H".`bv`d>3De-Q>h~hkVf&@cffR&%e\v3ffc^p^-Kh莶gNv\NcVgiiNeTMVVhyiv7Iކf}Gh.hvjVd}7kF}> ~OM㖎xkiȃ7Fe6f跮ljk+fXjvf.Wc&8&5kaNvmnF`3`ccj7ff簦:e%njfvnnm4k}idچnvhEn>kV^fiKufk]ΞimneNjfj&nN'^ey+6n~ OF&e>mn!f~kئhp~(bOlo>on'qorWqg!v韮npVd`ɎJvs<"7EڎV`@t6ifV`g廾cFn$^&.tx G~'1Ghr 6/?a\feD/r_km!A?i>ek."Vgg`hJ8OXwYDkaGtb_s'wE`Ʌ`OwFxuv}^Ez(E0GWgwxxY?ܠ#D 7GWgwy3%9ݡ6['z^u)ٍCzsܧz[zWvdz_WW{#B{/OU{`{ ©Wxz!/0X g|Ǐ>X5P!7KЁ}(KN} (I0_~C)(Ʌ8(}'xܿ}Y}DP~h}缚#FN^1(7CZN,Fh=܁TƎ+mвe!Ĉ'RhF7r#G@,E>g5E #@)b:lE`СEސdb6xJ3TMB)&%jt!O d OmԆթXq7ο\ 2tKc"SL£* HlcÆ&FCm$9tzƣ Ӧ$n"s>>f|7tW/\cyFO2m#HU;k=*ֹ6'}+O6d~wk_TxJ`@f`֖cZ fl5DXq B8ۀ[o}l@,?5q~qUTIWJuuE%|FvtJ4Gs9daeB҆HT@a'6O $Hhxߋ-IdVdLxmhTD?kN<%V8zTEYZ%NjvΪ{NŪ?*:,FJtfIJif&eYq$]bqfId.h_+2Z(E3$tFFN֭:*aJ¸gXLHBbR^KAD+lA . a!`pK'GܑLknh܏<*O$VDBkz=F\oD9tT(f(jUƃk9;7kw7Guv8=?RB̴FF7T^[1t>5ZaTW~dR:D=uUt79n-ihʒфBˣ`IL+Zg n#-DG^XΑ_JywTYEI&ƿ)_#W; IXC]ޢ@/`H+\nK8@) UvP1a 2(4X@ GƙpqH">aD(PrgkAPȐ .M8h*k&.yC$aaXY8!BD"P$)Hxݑ=;#͔2 G#At!3I&)QRgS&OJ˜/rY**Ҳ%.s]򲗺\% X :b҆ׄbiʒqPBk{%ϜJn49ѩN*}8uғ|= Go @*Ё=(BЅ2}(D#*щR(F3эrtGA"&=)JSҕ.}G@0)Nsӝ>L5(%0QIӥ2N}*TҠ2*A 5@QêX@Y tD(F זu[$}[] عJծ-a XFQE#P Ua@Ϊ@Yդ=iZ$=K[sU-l]V7`ݪapE=b;&:X*xx0tCYrQ 9|ck+f?<'f2f3+\2 K72Gd1oDn5ޞ6r J ^g=\(0k8m ӘӁZŸK]s8Ԋ3WT`GV[llX'u?MkY ]>3kўQԬp`]hq7aoݲ9蚿~mu6lR/[KXzS^荴7W@Xz#ls3CX⳶5[#v5-[`4W9?;(0y.o5 ugx?$<٣n{gؗڟ}IMVF[M/\]x@W8HYh%`J7=])=_]Y`1t4ک I BXrBXq]vFtoH= |s GLf`MZ$M`@\ X}[啵\ b!uM $_1X)V]gy")2X!"Qe+>b)Ơu0Ƒaoe! Xi-fu#Չh"=Ջu|c9j;J q=#uY5ٔ57#6"`Cؕ)!d#Y$B!F-u؂)JJHj#)dSmxVwzɤN>LO_o$H`JO&%SR6IUyM&JEi U:VSnW~%XeLvXY%ZY%[[e?_o$Q~ ^_NT]>k^"S_ZTjV]ze_f^`:M>&o0uYN9^&V. Rzff&^j_hf\r&L@@ޝNIMb&' nsBFd_#*d<[-9qNm:n6IY`oIhWJ/x///OoI//ȯ/o/0O0'pZ7G/O_poU0o0j7w00N}  0 0 o0 0Wΰ  p0"1'/17?1GO1W_1go1w1Gq@;PKs!P=K=PK=AOEBPS/img/encrypt_cols.gifdhGIF87a11cΜ1ccΜ޵{ksJ99ccBJR)νcތs{c1{Zֽ9B{ΌkBJ!s{ZsƭksRJc{{ZքkֵέƭZ!RRksck筽ޥƥR{Z!!kΜ!!Δ֜)!JJB991ޥRRsέcƭ֭έ焥ƭs,H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJLVjʵׯ`ÊKٳhbM˶۷pʝKݻa˷߿ Lˆ+^̸ǐL˘3kLt2ϠCMXϦS^ͺkѨ_˞MfcͻeN)Oμ.N؁No9]o=C6ɧO}`$^wBp߀h\-K,"^KB!$|\H@"rZ!041ނ K"HKH&yތ:]7TR#\yPڨw()d6$Mj("_f5"ix֖ 4`n4".碌6 Z~ݔOFIޠ*ꨈw#zޟ:ޛڒj뭸޵]KNX!(N_V6)"|bF+mnLkتkv-a~+n覫W-+k,l' 7G,WpM箫/q ,Nl2,0,4l8,S9@S'=_F0L7PG-TWmXWD 0!`-6[DhgD cpǽHx67Qބn7xӉ]-I @Q-՛3ңs9?]z+zխc -]Az@S6]qЃLN:k#/?:{.6>`+Q6ON鼋N_[쇻CVGp@ ZO;`-bP!7}(<0Aau]gXz6 w8=ЅO~P!z#vH$`@ )"uPP>|db|x'0uc H0Jm\T]~XE%QRøF:oiCĘHHıw\b5f#`:*h_ӮxHl'FQ~ё⻢ 䠀t#IQ汌ģ$!iK/K^i/їyL&.SƲib+~Ȝeo3겎MgnPd bkt"7LGt:I~-&@MЅ!9qShBP.S P9V[Jz$II4ӟ0M TpX 0mp[Nwʘ6%MTu.IjS=UrGͪl8X6`pիaMkZ֗jq\J׺xͫ^׾,MakAY@Zͬf7z h= HvMjW6&lgKͭnwXQiMr:Ѝt w&ťv]5 xKMz|uiҮm@sX^ ߫86&ٕςF [gOqv`%6K LH.,p:L_u K| +n`<&lL5mKu2߆ a p.@"\4(7NSN3<+gy^rv쑟R)Þuo nCtlw2j.['Vud!ك>ĻF6FUm$//yj?.乳=4rrM|?] M; 9vbp@6H -\`S^/J8эg}3~wYKgz)qjow;NQ`+QF, zPt跗@݌%EEm&sxv6 xY] 0ǗHoyOybֵ*Wkݿ?/z]F Tz\;Ԥ?q;M$eT$iE;8ybr&:ןs <>E9{Ϳky|X5'tp=w 79Hvg ؀w!7'|2tWJG~`{qwu֗}Y{YoE3q3xu4<7z8|Ȁa|7hkt'wJ}4vM5IJ}}oFsmKtOK5'ueD#4'x#8C%nlhN4s:8=}=> ȇ{؇wdփ>老x|7"zt$R4o5E+N{G7x/7zt(X3H8qN}8}-4wHXh5Vx;DM s^EJi؅"H HeEX>RGfGwcz(z8  舆hpt聫WpܸM٨H7x`ȌXp4V(RWx2яIXk7w(wO(u4hwQCLtGB5~fhD¤{hQ%8L4=t${8m8ᤎV{憐Y莲pB8vV i"YbI.F{?DK?4Ȋ882/hٗ1u)VXeiuJqQ-U؊(rMN7?LOdN OdeH~oɔmhHؑ[鑅If9%ibz)4{-iuɊي͸4 Wَɛ8ٜOI9Iw)PQ'xdxID4x7P4i:E*eyb>ɓi{XI8X % 1!i٘.ҩCgӠaYxvɗYv9i'099PH'5?zwdQS=z5C`Ucz i*PL48F pu |YIvJP:eZSg9x\:4|l_uzX8+9K(W{]̸4RTTTMū4j!#S5*]izSl4 [U 5l4gT՚źڜ:@f8:j8ͩZg qb855[;XMc1Gwl3pJ~űzgq#{k%{\K\TsZճ>Oó@Z c=c@&0qD[%.{ޅJ˴(c7\9]X[ӅfЅv5ƶt\uxzp[~k\|K^۸;[.![)U+0{0ҹ/k[ -Ak{+/[r[ \} C{c[k[ѻ3k1KK0۽+ sz};[{.{0ws*ۿ  //ﲿr p•۹[̾   3</4,/l/GE 2> B6\A<HL2}?ʌd".l4-QE\ɢ+ŃX04Ǿ dYm N>ڳ /qr8nKYJm+ έ\'>܇.,zSǣTm} Ǜ]]w<3^IťkN /[~\ͤ!nރEƇ"릎]>BŶn۫.>=.¥՜-#.imƤM*Yy`׮SN .o ;=;~.]*|鮝=ַ*")T B&9/'[>",N=z .<ѬMHM]gտlr}  ]\io*h0Oo[_ n_0/ B믹wٲ/@@ DPB4Q"‡-^ĘQŊ  pA @R%*]41̙5męcG=}<PD=3R|eԔO^ŚUV]~VX=dy&mݾWns۶n^}X`…FXb{?6)3|Yfř9'^6ZϛKs>Yj֚S{k٘k}nޫs賿mǮ@r͝?]tխ_Ǟ]uɷ^xG?~wzw{|V8UTw-9$@D0AdPc'B 4/ 740=|?1EC$Q./z1A\1Gw3G!\b! I . R)±6s+R_2[/Ä3N8t1K9Tp%"nD`)B.LECQIS?H:ӥ4]j4TQ)QO "3A Cc5VtZuR,{5OS`Ku6T! b [Y2h}۳x%ComTXe5v@(Ì'(B _.c7% `  -ѕ[2$`4McQ@6[CWMCŕ-_e~U9Nu"gwyLr/- 8 - Mx%ƺf9>,+zƃkE U޶!dgKjW5eSb0`sfŠ#/ . (|n4 /\ '-1mf]F]zm‡Rc_νet@eT[0cT { 1fg/gȩʑ '4 *xDGtQUu+~݁}셬](v7q%w~JA(E=L%ӫ?j/1[\=Qn8iT_ʀفqh@4!tn]J|~L71= ` !0c1Xa(9" 72 2ЌҠ8e( aa g)L[(/fP9! TC E\&$ lá"-厉UT`'sSQn`Ĉ2v[Ā0%/4 &Ý{+T>Ќ?}y9 j@ F_>-P!5-*Г%CEW jIZ%WUi¿2֣8UK@A &"Q1/fh3a ("Y2F2Nus(8'fL'vI A-46%Qh5QFlMI8{ZұjHGu5#42⎔27~PQb Z6%cdc]AzUj{!#-o]=2 ~icT&ÎQ&,( \h@(TAiLKwk_䊗@jN u~q(*6Qwk^r껣؎xK+q.#GvUCy^x`))żA38{C>sgKǵr9U.tt|Ns$0IQ7s3Zgzx~k) yuF=zⓟ5muK].zّg;UŪ*V#{p;o 8.752īcY +л|2ox'< M`lcT3.Q}ٞyÖVO9ߺ-$(_h~=3,.$- >:&J'J).)$ TM)i@ +`9b#(p?ឃ<#1,;;){&'#jsy@ޑ B%ԑ. 1=L?k AAd,i2|3<\<a'A >c 4JdB>@B T-2)+> JkBC?5:A3!S;8\154E 3&d!)h $ )tŸ%*-$4@m>zB1'r:>!'%,/ 1r; }tC4D1(QD3 ajC U(h*E:Ľo '=ԣ)p]:^4Fg orBE|dxH>SzTF1üs|G9q$G:GtTG 5DW<:'B$iǗI)OҾdc,?jI> FKGdb\MLE3?ě)/0ڭ,?m<2LLANn˱[GtT:Os뺮( MDǼ!Ϙ{v|:-NPԯ0PcI,){  ]0: Ӏ MM!mut. =l;ߣΙ;>  1 O3M?Q+Q4\Ӝ( M.=̵0c+2%RS<1A[R[K<7S׻H CBжBEEF-R!N=MR5@SUUTeU͎sU KQ9X7}ۣԽհUI F)V.;vIYU`iVKi]g UDEЪnopq%r5ׄ6;gcWpv5 xyfryרIWW[{Wb a |aU +ՇuR؉-WXQWHR}2X[X+SWTl-{V![3"k:%7c:DK3~5YM9C%S 3+&A];:%4eUדٛٷۓ>Vk%;9ATKaZsQG٪ZAqm3+4W5zK[|][m[]jټ}M5m1ydY]RRYԤ3]B@K*A\kQ\e\Sgq\܂)3%\]ୌŋ?KjG3EM4BҔK]MƲȊ  ӯ'쫱]߽]aE[3 _=4@^<q^fڶܾH@KY%ET-BB}´`aߞ+۾v3_(aݣb֛ ``b%`~l:BT l|`CK<țNJ"Z\U_"s_@!~ ['\D_!- "bhO-ZdO~]C #ە}*NU,N1^e v-?GT$GN?cM:$A<.Oׂ^W]D$UB_b a_8I ;J&K^(>c Li^&oRb$)`p۾NeFHxbJ_-.pLbE5_ef?:K fԨf#l&:)7.ec4DUe>n燴+uaEN`&}g.|.(bd(:ѭR^SNhNh3g -0MM:dF_>Zt*/d.Lg* Qa>>,ocDpvHb6iFi;vmur̍1˖=9l[ 2c^9=TLm(YxmS?3 ~ZIN7d62v ,on5Go{n26Ck2ُUNg[3kowWX6~ʝ!6˕5 _ZqaW!7r][se&w'()ek,74.Sr%0K+/'s-Q5jE41gK;TsS;wy=75\V3_4OT6UTTt@EdCrDW;etqY ڡt4Ar̳tFtcNI ;ڹZAS6G ?,O=˭!tYg8mRe6ږWpifBP!OpY^XSc9Fc7$$avQ`q"()bT*h'z'jAJgA$B:tꮑRעgJPAPJ1QTVHlxkzI#`Ч)~5*(d-59 AL4N4!EK`no`BL1d1(Ah^ܭ犨xP2*? r53i91?W}4IS ˢ%k= 9q W=k0O+Tـe=Si*C 7}7 >8~8+^8;8K7[>9ʗk99衋wΞ7[v_7^IƮz>֍s[.&O|K?=[=k={=?>>髿>>???럮?( p< ?*| #( R\3 r0 /P#,aOp*l0! sc%I@Wr,T,I)NenHU3CXBܠ7XK&8rj$.sFb l6K;&9sS"7@L f!3aRrlEIpr 9 б t ؠgC}S(AM6OA!2 f(<˾HpjS-EENPx::}is!2D-"IgVMeVtP `C>t"%`XkvD^Zx.lI4 % ,@+ʒFAb˨HפCyTEyڠ6UnU<0~#3! Utu%iSZ=,h ZcBW&75섶2:GUnn5=vA)frL,>-3f3[k{ڒ7(mkݦ$WxBL5\8O9.|8v RDظTvonlfFy]z֚浠hKߚԷuCZ3Thk 5@=S+uԵA<!#]KӖϒT~,(XDo5kT;Қnu;}WRhځ,c =J>q[[h{hw1s=&m*귿?$S _Yg*o?˭OV˼7{a\sQ@ȺĢ:`ͽ]Kw/-;u8{^cOuOM+Оȡ %  Lь)5M[ya` THAui}!Xm_ z RuZ9QjQ* 圑NT%&N 2Π^ b\`HR U"?!ƅS ա9`!!  "!!""&" Ͷ,$> TL"EH4&>"&&`((|bV`Rb'",:N"-*N"d.bTM"0Ϯb)# *M$J!e3 %%v8+2*-y((M)RPcGu #6n":r㡔S2-DA9c@c@J0MYc;r=7;S?F> Ed<$c+cC>CTMTU]?F=:;bKbG HZ 0lcNiHSiٖNe)[0dT$UYǬJP FzKM Uʼ &"dXBR\ULHV휅)ڰ]yR#PڗLW奤LV3YeYVff%XhDZ;YR|ꤜJTDnV\"C&r9 gfrŨɕUS f|v@w}bb_f 'Fn F2s"(G@vNW6RZMkTx.ע(uU#SJ[k2]}GU֧\'W)r&(zF%$򨢬)JBĮQMȥ`Sy& &J}Y9xhEpdExD}FhNil]knD&]'Mj!j)l2*A*@gd6c&hj$xjEt)kNP^wGHA"(yf) ^~jiYIkzp9+Eij`#q* vNF cmemmbTg*:۠FR^ LkBZJfʾ2+DHz]ʨ\ՅZ lFK4IԬ šJD`,kDH X 4 ,ІIE, Z-jm|mlvjEd,Ltm%*f!ۢm+)J.lcƎmjIN,:nBnp.)F-MZ(⎤.㱦t> nk#,&/-6/"FFJ)zo%&zplot/Vk$/ޮ.///N!![[R7#gj0jpSpr0} p c ! ҡFa0` !jSu3!KB`c(Ri`.q61> EG2 <5?n1 ~qK-+KsFd?EŠ?f +n; 1DUbe qv0G$Cp%PLɔ_^(Q5KPfV!>-kS UU~( R#KZ&h*;P4'[ҕ]Wm^|n 5[6XcayaRea":R3?`Cseި4ޛVsրX@w* nuH! 朼,3;/IEorW g2+F>3GPsZBct4$mnJ~MPWT3aJ&f(Fhԧ[g~޳Sy=^Y5)(-4YapMPRl9eF[S[{0{cV3]c 2#ٚux 4X4~)П۠5[VlQr L.5W@v|&R(zZ {1)GeouM_6pgݩ݄hSF9KjaǺvG{((kۥ4jHsv}X&wKsYn|[jIt87sZtE(*vvEC\1v?2G%uq!Xa}P~Oܿ\tK0%:Ej_fSwuw*+yk+=n7KzkVf8{2/7l~8x؉[^SQʲy6U5{B܉vjK|S8pX$bOomޓ`ADR g2lmyCv29mkKqSP՚\؟u)p8#:LК …Kw 5oʽ|z+ _nU {_ǠE"Oz#y?4Z g{Q6:x0.8Gv3K?R㹮r ;;scSwS ;a7谰ÿ ϰ S G ׻'|0ȏ;||]%;_||< <=<.ϯ@|҇$7}?=ԃ ~iƟ= ;°ΰڣQ:gj=x*@ƭLe/ٟ/=#=Y8.)AC.ܾ)Z.D!S3CMb~>>>[sT'(O+ª撚,'%ݵ$:כoxu%R 3J1S1>qj%jr@80&<aC FhD1fԸƊ v$C%`1(Oe˓([Y0+ :pПD,ѥD2U(TNW=nԩBRjUg q 62ĕ;ŭGˢ+'{g;0U(c ,Y@97peW#,lŌCvsPKGBFY81eu6=!XviBym'$nOz |ԕs re`K9jֳeN9}h{v Wٷׯm{M)4b@'m|:Ȣj.܊ ;&[ :ݎpD쐻ĈNQC#g齳5Ȩo3S& /% < ,d )Ŀ,LSQ =e0"LQ:TB @/mA1 Vs5'(nÊ'9=c ߁^[?88@zҝj}=_>WB)P!@!a~8m>T妿KxѮ(`a6+Ad-wҷr!)UN:0% i /D SB`6*(\ 3GI v"uy+]bd CFIOJIt{)>/ZKw{ ppK7>a …e< 0`aU=bOYbEbX'1Bnd-d vȺ]%\QȠMp^8M21paw찐K0ĵ1#d3O.HXP3< e[{f4*sio|r#`^ؠs v\j]C=NitC.f6U 0 M:̫e.z-1娅-of3_H 2|GV4*lVcu٨r_EU-&@QWWWZbF227h>Qj1r~ǎ_4gdq_MߖPlr̠jGī`Xйtwkcvjѝh}lSY4yfkpl/$^->2;xr0L֣tAw%'7V1{;%sV6_rffݦ`SGnktIyzj7ʣk\[qӮ.۝Ӑ>{>sk_~Ly~)ՓәVB:Di,/*3I~d-e^Ϫ&DAaMt{y9Ķf[]}_ney?w sa|AJN׾est2(0`&L/̊6(Pooጇf $Nm]H/jDݾG7NU${P2nr;PVPPx*6vOo'B }}F`-|Ppoq (,8IK^q%LeWŘjeQ oMQK K1U Qn+ϩѴ1 ،r!'!2# q"23 ,!"=20#w+$Q$- MH24 %a2&er&i&m&q2'ur'y'}ҨDy#HH(_ik00;0/)/e/ɒD32e2ɍ, ölø9RD<3s3)4/US2+rlb3u-~ u>)6ϫ7i, 23 Ym fGSY304wS7:3;q)%Ee-{o?s 9s<#fnѐ47)%Lm&j=);'8eEnMݴ/;x-BSYnӿrs:Nh;A5ΥFwHBcT!VA^#60RCCCO9;rH)=G;">GEUG3KL 7b"DHAHIo;7gDsM-H.Gn@A;KKMM A׳Kp#L#$$M5P*X,?MJQJŴ^tAKtTfUU>=UޮvhES;USWtErsclQVUZ(Vsj#E|fW}8#|G`U,+nzPOUxndQae'D\u'6T1)fvRT"ff]S;mOD5Ꜵ&D_ІU`M[ 6p_ (fXa_T6 be/vb(uJtCYfDsgP ԃPiEVj#ac"gmg2d&Xb^_P5;0uP 976j6feeaa[H kp%hNΖctfo2 op(wBt1lthq˲qqolէ_9= cs9*",q~gkkb4CuWI-]rsrwWӺFLx5A7HN`WƐ1'@sur74t|:w}ͳ}~n7sp\y78/)-ղ12rf-.=X WT*5}RJz2TZR^3/;*U8JhxvXRozX0'8x8aRԤ8x888ȸ8xٸ8鸎8x8 %7K J` 99y y)-1&7h EyIMٔ ʕjPby|Z9` +`}9Ezo٩ycY_Y`ٙ89yJr@yYY9gy*Y%ٕٝyjx:z *qYڜٖ噡35z+ڙk zIMzE j9?ZY%#:gڢeڞ[D}: BaZqaz97]:;zۙCZzk2ozٙoYYڢ:oڝkکf ڦDL`˙7ڦZ'zڰ=ڙa :%{'[Xmmzg7;=ک癚U(a;ZR@D}ME{C~ѝ ~n^nNuޓ,SߣJJJީv ˧*~Q[E9Z9^K۩>~ A>j䣴2SU#LJ;ڛjk ˪u>DYY/ 厞 > 2?}5Yw*`J_?˺umDa|}Y0'j$bnN.؈ u` E Z@2@a 61b+NHʼn2vXdȍ'ܸ!# R`9!@I0Y :{IgP MhpIB\iT2zU UUvU4ɂլZlFe[h۲={׭o]۶nٹijWp_G2dM/Nh1fʒ3(3˝KDRK 2l@t0XiϦwݼ{ <.:4jlEytҥ6lyҝ#k'ɓ.UdZfPs [ %@]K+`ha]U%H`%Vaz TC\Xi(aGQUhVmU_fmfvqٌ6^7>w:JD Bkv F\RNIeVe)GPM@b b-]iቖnn.gk{6EߝuQfDZ҄S)v'%iMbC3pA$i F`jי~d=F9~FYHrE,.Ȕ袕jzenmer6\΍Y2&7,iT&K$ΪGēPeCFT_/`8qJ(F 10𰴧Rڠl괌Rl2_Lso:&îٮεE; ѽl=@[ mV_54d!u.uaS@g"ݛ$,.oCIQQ p phC,_.{(ay|moUa;^1 >KR ǚ7y: 2'G*#>O#h;Sm IoJO9zOO}^_j/6<->_=:}vv=NGRBwA8@4y[AiѮ^Ih ^HA)EW,\  ^ 0Co1d!޺t9; M…,m2 [Đi~OX>,`\rB %X(fǨ|txs! e2Rq,!4Cld/?Jc"F\k@~F@FLmnYҐt$-IOҔt,=)іT/e ќ괎~ T @ә*5SzF=jPZԣFs ְ5(RYzǭul}jYjV'ۊ׼F|_ v-a*zmcJvU(]wjvg? Њ6)qNԪvmk_ vmovo w-q*wmnpK Jwԭujww 𞵮-yϋwm{ n/w ONoD ,+x n $1p}! kx? בEx,nKb " q`>8;FtS GD$򋏌$+yՍ#Rcnj,lebYL 0Os\en9B1,8yt0+r_3WD86D!Y| }h+HwA#zё?St3iGѡFtOTw}m @CZҢu-}[7ֻ mk_ku{-kc{W hK{l]ԼM4#x浸3Z3ms˛:$whNt=o\ѝNvw:5/}?$]qWfnoacNK<wo:ΟkXtozҦ=>c`iJ #ok~w?Ѓ/Oo|`obv7:urX =ǽqZF$}nA.CkɭF2;Gs|l5o~o91z׮iE'~qHGnnivl~ Ȁ qG{6qvNw0w~tt_ls 'llv h'_:@tnfu(~dׂ(tvv!vX~(?]m4(roWWusDppi9(vX-Y%N(%W֗pǂ2GqgqS3xaoM|ӷt/8tml HIwrVȃNhpՅmpF v7jf4nHhpnwbhn8Qa=xG(Et(Պvxys((HŸy6Qʘhd@X1ȍwx(`ވxs8hHHmhhhu({0(]Re {kȈYxH(JG|L.痆788i# E6~0)w uGhFcvwZ7$r8IhVj'[mْXzXtȂey{ve8vH7`ȇ#8ɕwis=بvD ɁؔIlc9Bgex 9ؗ%ǐ{v%8O(I~qz@yivb{G' ݈uH)֓$x6S9| E؄r% 阈99m_zXɔGpYvXjş)sH ʠ ڋ ] *jBUK #"J'+ʢ-/ 1*3J5j79;ʣ=? A*CJEjGIKʤM9;PK82ddPK=AOEBPS/img/ols_auth_user.gif GIF87aذQΖnnnfմnnfΌ疴fnfnnnnf۴nٴf{{s==9«3f2fʰةf2ذح2fذ2һʥfff2حfrf3ڟfw뺏22wԭ2r՛f2rf2r22rfԏꭼwrwżrlrJ9?afFNT/̾aۏvy|]ѻe?EϊmDJ$otx\vйotSzy[}ߥڳӅi͸ѵϸz\ߠĩκrԛrԛrrrrrrrrrrrrrrrԛrrrf2񼏙2f2fխwfůů2wԟ,H*\ȰÇ#JHŋ3j(1Ǐ CIɓ(S\ɲ˗0cʜI͛+ɳϟ@ J΢H*]ʴӧ!BJիXJʵׯ`n KٳhIM˶۷KKݖrn޾ wÈN̸㘋KLdʘ3络!At2e3EGTgY[vУK~}Yt ۣlڶ;2f6|n7୑5p\}>5ҫVv4m{lo9}x~Y86& x N%GϽ&ntiXC2fi"F`i܄q(߉ء{ߐ(_8J+:cHuly$[5Q1P"sZ)9ԃEX܌BV7enaWZThc&̊t'ZR%uGihڹfbZ}睂**Nd)56h囿3z)G> HI߭j qjjpMu F`2xfn%Bޒ!YZy˶Rya3Y4'2z'%Gmwb%̮YWg,w<( gl(,0,4l8< ,trAmtgE4eI/m>-5Q,2O@*KJ\{RgwXRnIsbU\L\r jm!]1f̓3FG=S06>륏  }xIG>i Ay][v5 xZk"E&kN\B=,LE82zM\9QpL_F9>Όḅ(8jHH饢ZD!8UшK"#8-R^"HFpSGӣ&?HAAtIůb,ḏPe0ŲSV,! @}%{`&9Llbs$ *>>%I5[^&2e#פ#3+kq6c5Ps 8%DnX!᳄+JGFo\EEWJImWgSkQzT<'WϕJ2גĭpT398\gHݱu49+f̏VT=kRX3 N 6q5EgPqMEJ!DE.sg4-V_𕱞"%>FH~WsA@,nc{YΒvً]V|G0J d$;]V>{YC/ ja,@JC|e@r5^Z Z Ų;xmeVLB"?r+\b y/_c`f\c-1*؊2'X,2<-8Dk*ۑJA i4V.(>H&1=KHCnGDs15WUeq5gYW5w ]:[-a;>{e;;ώvU|-jSuB6}m)7uc6yoc7-5>3#.SS⣾8KwCh&g *0O^(eȹw\}rB?Oy> R s'NuOI͢ _y{ Nd&['%.}oyuLۄ$> :sNJܽ&i $"7&K#}-yd+;A>z7=EtwCf)!|w!{+Ş| D_U@lڃCaG@:?vQ8(p "o8 '33$s"8$X&('Kr202s'X&*X,t7g>txB~8#?wtCMNsEhQltR5xuXRHs]G|JWvf^Uskw{؉9=(sxȊ5*燴Hwt狿ȆSI'|xƈ{hʇx}h}8wsٷ7茖AI}HuHx8WI~8H;w`P9x t H ن)%x(29-$4 749y~;4=}?4A|CvE{G8K{?[Vi%QX5cY ZbUyY2QVpa2R}v)d{\[y)}hPi$1&l \ryy;] (Zp)h!#Xny31T Q𕰉 V`WdbR𚢉VI9Xl `m` !w‰u))Wp9_0T97yy_I cٖ)gה뉕ٟTybwy$ Ne) "$' *Z^tUPi+jTDV5N)+~IMQ:PjU#z4*6 Iz;iW9*g9?7tZye:YhjYn*wzJꆇyd:jY ~  ]ze* ڢJVP-*uC)Ozy yڞI9 ;jŠĊzJ˪阾Iٔ\VѫOZ:@j숮YUC"C4G2423а;[{[2P)'3,4rJk2 {*k3#0)23-[n]8:25{&1B2=?{):@ =L;+[Ψ+Z[3I6`N M+'Kl\ J{J01CEIHK7@KL6%6`z˳|k~ek2ky[kAY _CK@{:඄˴k۶<@۹*zC@n;L;n{FۅJcۺkK%#]+DU{ ⻾xKK@@bk2P`kJ d[;蛶;k|8%ثL{  2ۈ k%3 Æ*[nۻ%|.pnK{"L[kM˾w{K?|2'? 6o{ŨcAů3pLrt,v|2޸1~܁܁3@ȎȐɒ<ɔ\ɖ|ɓ{*+ɠʢ<ʤ\ʦ|ʨʦ'K!Lr|rLq̉,Al,lqLD\1/+`#P0Ԍ\q0UA9 :,9'0,qؼ `T `0L0 M]',}@9! }7!0*]$,p24tU= .V  Qtoh%F;M,Mh ?wn$)*p*v=99\Ǭtg >X>^]!;!fԂP=W@97@َ] \ԴқM֝tԁ=<7ss]z-^= =Ϙ]=sآM`F@ =|˶ p ;lo܊o-n!#8.q%2r4^B}8:v>1=Dn1C~fJ1IP.QV~XZ\^;PK{_4PK=A!OEBPS/img_text/netmgr_adv_sec.htmp Description of the illustration netmgr_adv_sec.gif

This screen shows the list to the right of the Oracle Net Configuration region. This list includes Naming, General, and Oracle Advanced Security. Oracle Advanced Security is selected.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK[_#upPK=AOEBPS/img_text/ols_auth.htmV Description of the illustration ols_auth.gif

This screenshot shows the Review page, which displays all the settings that you have set for the Oracle Label Security policy:

  • Policy name and the user to whom the policy applies

  • Privileges (READ, WRITEUP, WRITEDOWN)

  • Levels (Maximum, Default, and Row: SENS; Minimum: CONF)

  • Compartments (none created for this example)

  • Groups (none defined for this example)

  • Audit (none set for this example)

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKPK=AOEBPS/img_text/login.htma Description of the illustration login.gif

This screenshot shows the Login screen for Oracle Database Control. The fields are as follows:

  • User Name: Enter the name of a user has administrative privileges, for example, SYSTEM.

  • Password: Enter the user's password.

  • Connect As: From the list, select either SYSDBA, SYSOPER, or Normal.

After you complete these fields, you can click the Login button to continue.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKC&LfaPK=A!OEBPS/img_text/netmgr_profile.htmg Description of the illustration netmgr_profile.gif

This screen shows Oracle Net Configuration tree expanded. In the Local node, Profile appears first, followed by Service Naming and Listeners. This area appears in the upper left corner of the main Oracle Net Manager window.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK3SPK=AOEBPS/img_text/ols_config.htm^ Description of the illustration ols_config.gif

This screen shows the Database Components window of Database Configuration Assistant. From top to bottom are the following components:

  • Oracle Text (selected but not available for selection (grayed out)

  • Oracle OLAP (selected and grayed out)

  • Oracle Spatial (selected and grayed out)

  • Oracle Label Security (available for selection and not yet selected)

  • Sample Schemas (selected and grayed out)

  • Enterprise Manager Repository (selected and grayed out)

  • Oracle Warehouse Builder (selected and grayed out)

  • Oracle Database Vault (not selected and grayed out)

  • Oracle Database Extensions for .NET (available for selection and not yet selected)

The lower right corner has a Standard Database Components button, which displays a page listing the standard components.

The lower end of the screen has the Cancel, Help, Back, and Next buttons.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKPK=A!OEBPS/img_text/ols_new_policy.htm@ Description of the illustration ols_new_policy.gif

This screenshot shows the Label Security Policies page. It provides a search field (Name) in which you can enter the name of an existing policy and then select Go to find it. Existing policies are listed as well. You can perform the following actions on an existing policy: Edit, View, Create Like, Delete, and under Actions, select from Authorization, Apply, Enable/Disable, and Data Labels. The existing policies are listed with their name, whether they are enabled or disabled, and the name of their OLS row column.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKۂ†PK=AOEBPS/img_text/ols_dlabel2.htm} Description of the illustration ols_dlabel2.gif

This screen shows the newly created data labels:

  • CONF, whose numeric tag is 2000

  • PUB, whose numeric tag is 1000

  • SENS, whose numeric tag is 3000

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKvPK=AOEBPS/img_text/ols_dlabel.htm Description of the illustration ols_dlabel.gif

The surrounding text describes this screen.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKKPK=AOEBPS/img_text/ols_hr_added.htm9 Description of the illustration ols_hr_added.gif

This screen shows the Authorization page with four users: HR, KPARTNERS, LDORAN, and SKING. The privileges for HR are set to FULL.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK"Yq>9PK=AOEBPS/img_text/encrypt_cols.htm Description of the illustration encrypt_cols.gif

This screen shows the Columns area of the Edit Table window. (The Create Table window has a similar area.) It lists the following columns for each column that you add:

  • Select: Enables you to select a particular column.

  • Primary key column.

  • Name: Enter the name of the column, for example, UNIT_PRICE.

  • Data Type: Specify the datatype you assign to the column, for example, NUMBER. Select from the list.

  • Size: Enter the size for the column, for example, 8 to allow a number with 8 digits.

  • Scale: Enter the scale for the size, for example 2, to allow a number in this format: 12345678.12.

  • Not NULL: Select the check box to set to Not NULL.

  • Default Value: Optionally, enter a default value for the column data.

  • Encrypted: Select the check box to enable encryption for that column.

Buttons preceding the column definition area are: Advanced Attributes, Delete, Insert Column, Insert, Encryption Options, Previous and Next, and Set Default LOB Attributes.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKҜPK=AOEBPS/img_text/olsag008.htm Description of the illustration olsag008.gif

This figure shows a user accessing a table with that the row labels UNCLASSIFIED, HIGHLY SENSITIVE, and SENSITIVE. The user session label is UNCLASSIFIED, so the only rows this user is allowed access to are those labeled UNCLASSIFIED. He does not have access to the rows labeled HIGHLY SENSITIVE, and SENSITIVE.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK rPK=AOEBPS/img_text/ols_apply.htm Description of the illustration ols_apply.gif

This graphic shows the Apply window. It provides a Name field so that you can search for existing tables that have Oracle Label Security policies. The window lists each table, its schema, and its Oracle Label Security enforcement options. To apply the Oracle Label Security policy to a new table, click the Create button.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK悔PK=A!OEBPS/img_text/netmgr_encrypt.htm) Description of the illustration netmgr_encrypt.gif

The next step describes this screenshot. This screenshot shows Encryption: SERVER and Encryption Type: accepted.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK?T<.)PK=AOEBPS/img_text/dv_realm.htm Description of the illustration dv_realm.gif

This screen shows the Realms page of Database Vault Administrator. The contents are as follows:

NameAudit OptionsOracle Defined Realm?Objects Protected?Users AuthorizedStatus
Database Vault Account ManagementAudit on FailureYesYesYesActive
OE ProtectionsAudit on FailureNoNoNoActive
Oracle Data DictionaryAudit on FailureYesYesYesActive
Oracle Database VaultAudit on FailureYesYesYesActive
Oracle Enterprise ManagerAudit on FailureYesYesYesActive

On the right side, there are Create, Edit, and Remove buttons.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKPK=A OEBPS/img_text/ols_auth_user.htmf Description of the illustration ols_auth_user.gif

This screenshot shows the Database Users area of the Create User page. User SKING appears in the list of database users that have been defined for this policy. An Add button is next to the list so that you can add more users.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK9PK=A OEBPS/toc.ncx  Oracle® Database 2 Day + Security Guide, 11g Release 2 (11.2) Cover Table of Contents List of Tables Oracle Database 2 Day + Security Guide, 11g Release 2 (11.2) Preface Introduction to Oracle Database Security Securing the Database Installation and Configuration Securing Oracle Database User Accounts Managing User Privileges Securing the Network Securing Data Auditing Database Activity Index Copyright PKUÌ PK=AOEBPS/content.opf(t Oracle® Database 2 Day + Security Guide, 11g Release 2 (11.2) en-US E10575-08 Oracle Corporation Oracle Corporation Oracle® Database 2 Day + Security Guide, 11g Release 2 (11.2) 2012-09-19T19:08:40Z Provides an introduction to securing an Oracle database. In addition to describing how to manage security in a default Oracle database, this guide includes beginning level tutorials for Oracle Label Security and Oracle Database Vault. PK((PK=AOEBPS/dcommon/prodbig.gif GIF87a!!!)))111BBBZZZsss{{ZRRcZZ!!1!91)JB9B9)kkcJJB991ssc絽Zcc!!{祽BZc!9B!c{!)c{9{Z{{cZB1)sJk{{Z{kBsZJ91)Z{!{BcsRsBc{9ZZk甽kBkR!BZ9c)JJc{!))BZks{BcR{JsBk9k)Zck!!BZ1k!ZcRBZcZJkBk1Z9c!R!c9kZRZRBZ9{99!R1{99R{1!1)c1J)1B!BJRkk{ƽ絵ތkk絵RRs{{{{JJsssBBkkk!!9ss{{ZZssccJJZZRRccRRZZ))cBBJJ99JJ!!c11991199Z11!c!!))Z!!!1BRck{)!cJBkZRZ,HP)XRÇEZ֬4jJ0 @ "8pYҴESY3CƊ@*U:lY0_0#  5tX1E: C_xޘeKTV%ȣOΏ9??:a"\fSrğjAsKJ:nOzO=}E1-I)3(QEQEQEQEQEQEQE֝Hza<["2"pO#f8M[RL(,?g93QSZ uy"lx4h`O!LŏʨXZvq& c՚]+: ǵ@+J]tQ]~[[eϸ (]6A&>ܫ~+כzmZ^(<57KsHf妬Ϧmnẁ&F!:-`b\/(tF*Bֳ ~V{WxxfCnMvF=;5_,6%S>}cQQjsOO5=)Ot [W9 /{^tyNg#ЄGsֿ1-4ooTZ?K Gc+oyڙoNuh^iSo5{\ܹ3Yos}$.nQ-~n,-zr~-|K4R"8a{]^;I<ȤL5"EԤP7_j>OoK;*U.at*K[fym3ii^#wcC'IIkIp$󿉵|CtĈpW¹l{9>⪦׺*ͯj.LfGߍԁw] |WW18>w.ӯ! VӃ :#1~ +މ=;5c__b@W@ +^]ևՃ7 n&g2I8Lw7uҭ$"&"b eZ":8)D'%{}5{; w]iu;_dLʳ4R-,2H6>½HLKܹR ~foZKZ࿷1[oZ7׫Z7R¢?«'y?A}C_iG5s_~^ J5?œ tp]X/c'r%eܺA|4ծ-Ե+ْe1M38Ǯ `|Kյ OVڅu;"d56, X5kYR<̭CiطXԮ];Oy)OcWj֩}=܅s۸QZ*<~%뺃ȶp f~Bðzb\ݳzW*y{=[ C/Ak oXCkt_s}{'y?AmCjޓ{ WRV7r. g~Q"7&͹+c<=,dJ1V߁=T)TR՜*N4 ^Bڥ%B+=@fE5ka}ędܤFH^i1k\Sgdk> ֤aOM\_\T)8靠㡮3ģR: jj,pk/K!t,=ϯZ6(((((((49 xn_kLk&f9sK`zx{{y8H 8b4>ÇНE|7v(z/]k7IxM}8!ycZRQ pKVr(RPEr?^}'ðh{x+ՀLW154cK@Ng C)rr9+c:׹b Жf*s^ fKS7^} *{zq_@8# pF~ [VPe(nw0MW=3#kȵz晨cy PpG#W:%drMh]3HH<\]ԁ|_W HHҡb}P>k {ZErxMX@8C&qskLۙOnO^sCk7ql2XCw5VG.S~H8=(s1~cV5z %v|U2QF=NoW]ո?<`~׮}=ӬfԵ,=;"~Iy7K#g{ñJ?5$y` zz@-~m7mG宝Gٱ>G&K#]؃y1$$t>wqjstX.b̐{Wej)Dxfc:8)=$y|L`xV8ߙ~E)HkwW$J0uʟk>6Sgp~;4֌W+חc"=|ř9bc5> *rg {~cj1rnI#G|8v4wĿhFb><^ pJLm[Dl1;Vx5IZ:1*p)إ1ZbAK(1ׅ|S&5{^ KG^5r>;X׻K^? s fk^8O/"J)3K]N)iL?5!ƾq:G_=X- i,vi2N3 |03Qas ! 7}kZU781M,->e;@Qz T(GK(ah(((((((Y[×j2F}o־oYYq $+]%$ v^rϭ`nax,ZEuWSܽ,g%~"MrsrY~Ҿ"Fت;8{ѰxYEfP^;WPwqbB:c?zp<7;SBfZ)dϛ; 7s^>}⍱x?Bix^#hf,*P9S{w[]GF?1Z_nG~]kk)9Sc5Ո<<6J-ϛ}xUi>ux#ţc'{ᛲq?Oo?x&mѱ'#^t)ϲbb0 F«kIVmVsv@}kҡ!ˍUTtxO̧]ORb|2yԵk܊{sPIc_?ħ:Ig)=Z~' "\M2VSSMyLsl⺿U~"C7\hz_ Rs$~? TAi<lO*>U}+'f>7_K N s8g1^CeКÿE ;{+Y\ O5|Y{/o+ LVcO;7Zx-Ek&dpzbӱ+TaB0gNy׭ 3^c T\$⫫?F33?t._Q~Nln:U/Ceb1-im WʸQM+VpafR3d׫é|Aү-q*I P7:y&]hX^Fbtpܩ?|Wu󭏤ʫxJ3ߴm"(uqA}j.+?S wV ~ [B&<^U?rϜ_OH\'.;|.%pw/ZZG'1j(#0UT` Wzw}>_*9m>󑓀F?EL3"zpubzΕ$+0܉&3zڶ+jyr1QE ( ( ( ( ( ( ( (UIdC0EZm+]Y6^![ ԯsmܶ捆?+me+ZE29)B[;я*wGxsK7;5w)}gH~.Ɣx?X\ߚ}A@tQ(:ͧ|Iq(CT?v[sKG+*רqҍck <#Ljα5݈`8cXP6T5i.K!xX*p&ќZǓϘ7 *oƽ:wlຈ:Q5yIEA/2*2jAҐe}k%K$N9R2?7ýKMV!{W9\PA+c4w` Wx=Ze\X{}yXI Ү!aOÎ{]Qx)#D@9E:*NJ}b|Z>_k7:d$z >&Vv󃏽WlR:RqJfGإd9Tm(ҝEtO}1O[xxEYt8,3v bFF )ǙrPNE8=O#V*Cc𹾾&l&cmCh<.P{ʦ&ۣY+Gxs~k5$> ӥPquŽўZt~Tl>Q.g> %k#ú:Kn'&{[yWQGqF}AЅ׮/}<;VYZa$wQg!$;_ $NKS}“_{MY|w7G!"\JtRy+贾d|o/;5jz_6fHwk<ѰJ#]kAȎ J =YNu%dxRwwbEQEQEQEQEQEQEQEQEQE'fLQZ(1F)hQ@X1KEQE-Q@ 1KE3h=iPb(((1GjZ(-ʹRPbR@ 1KE7`bڒyS0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((?l:ϊw "{{-3j3%{sj~2= 7 ~MڅKrHb|P3 r=Ҁ +Ş/$iu7=q2dԂxn⸷9$l]H #WI񯄴;\[ݚD8C3p&0U9^AnK vI+!I8>5(zqj03Y.X ,@85ߛ8>pq8=} \xmm常8` $Q@$v7zwp]ɝA GX;y_]覮O&4 SPtY.X),@84U=7Vuv K4,$g{@<+uqtiGw3; I@ORմn5MBp%8'ƫ%u6uBJrHRN2@ϸ J(9i[[m͹۞v8ހ=e>#P3qky6yFH@ᯀ^|+jCq"4AC: f2qh( |vk~-bүCK=[  FUs׮xW6+𾝮ZS$n2@ 3qlQYWcag]E7dt&iͻ\iz KYU pJ3=\jnqko{Z[Ov-eF9`0=G\yi}ŭim=춎if@NXr ( +'u/x:]ދ{f3W/ F:y@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@?J o^^7xm|uX-MI$`%$xs^ ߃kc@!&/̠o9+v Ď9zEܖshPy 4 Q^_/SMOK9.ڍ腕CnRHp2ʛNq@/^BDKk(4S![|8'-c94_O^s\˿?03@}94|8״mI < ZN,x,S'c*/Cl<G>G=g<1?3wcÚ/E\dMy0"f&] gvyŒmO^ &uZzW:K"0Y2Fd˧xt$M>S/qp#fX[rSz]Yk}/[oT.$ d$$ {ݷ.uRO-$v{M& (E1%;L'f? '6{>/,̤F)I`z`\/n-jMn%Y-xUQ^71 ISz_7g7RFV$r aӸJ> jIĞտ4_.XYH|x|۸>1}ޟ?x"7VQ,7I4vT10NMzE~yxU^^W=v8?$ źG4ck3I8˴mf1$)=H/t%_^ѭtg+h3_~H8:y|B>^mD~X[`F~m@7 0rwe%u6uBJrHRN2@ϸJHuw҈' *E-sԞ m| {lG%J%[ (n巸9 I]H#W?O5 >!_! ^Ik׉xL>ѕu#/ݛg+cB eʻoI?p2xL='h%ԮoIjڅ<1\DY@FFPT\fx?ڤq +0,. 9fʧR9+o\kSi2^ ^0-+0eh|,V4+Jj|1"d>wpp0';@=߆_ [h˿ݍqszW? K ;q+( zno03haX r(뛉gG.;A'<* =vȼ}rY h F#o$ԄWAEg:95{/m['dɝ7)ꭂpgXw_2_zW.d v#ʺ(/|/.5&;B$xi9(q,Mw@x2C#|E;Cc#Z( M;ijb76sz>x&G {[L fb`mw;ӥvP?k>a-$!I!]KmAۜdgMWJ43S6Ka *y>LO,!#v*zu]mAuK2Ⱥ%v_,s$]clQ@޿ x]cCvp:BBqqxG·G t AیuPs ռG4I#C+ q1Yñ˰dPI `)N[X]bR$(8gU( x[FvgX*yz1%P/ῇ~%}H,hL b:M;zҐ g7' 1qCf>+k1P6[`H| ~ĺW#$rj>>ГDKgG$d qE_5[+[o_hÏ(B/?xx<x+KMeMb=ZxmnUp*;<]%s]94[7'Ԥ $^o+|U- UuoV 2Rː;NbNPPQ^'lV##9@/5f5=?{.$,X^qWJ`<ۤxA%:A%P)¿̅CG#~hn.%"BI#TP2I'5%p/4ֲyr4I ;AI"FUf/\\3s/c8%Im;]TZ|) 3⎥qyٕbb}8#yOkmcm>N^E9ՙxkgAZjSO-+ZƌK2u9ޔoykjvwGUj0## G }&~g;cYzqgmh(O]đ܅FʾYa`P*E5s_WW~ 𮣩x/\ԄbALn-0bURUY*CiL!_Iu4ϴJXrp@Ex>}wn|I]V};ÒJEg lo]?(`čK705g5終XVI]ϴu*۸o,va}oryQ$о7#T2V(oƶ^+ѡ i%PbQ~w=;}zJ({xG㧇=-WZH`v0s!n(o-f}1 ۪HM36 zoֱ [[.㶎[̥f;su{x(*?m{^LӮo$mby}EҼþ~2Kuji/] %ݴ*UTl C9]nsρuֶzC ԡ+0ld)?QEPEPEPEPEPEPEPEPEPEPEPEPEPEP]ω4[-f=T$H+y҇fUٜn% :  !y$($sc^8:|,1;+Ɓ`<ꧯaWgDpp;cB(?6-3\[m& ءW<>33^x7/{ĺgu+,=s$C$K[]vg9 Տj?3¿%۴S.Vi: ('^^ڵ龵tUW!|u9tN. `9Eʩf07p82H f&u \ɼm  Ԓn|n?ԼWs_xw*a#qkT𷄴;MB!O kב{$HUQFTpfK5  !y$($s]4.c_ZB3W'n"3E%a\NЊfxnu&X]M^9#`e 8 sQ_[ߵu)>Ⱥ6M2Yܬ zrcuz^hz_, \7ǫ6Maχ$K[]vg9 ՏjIaY?TU_W []i")41|ͣdepx+Zoi.{YUڪ1jsHHq&ȯ-dpC089 ~+N]o$&%XYK w͐X6 0Ewݟ|9iI<< r@Ï~m]VJ\i,PAcd,pw==Vr7s@'j+, 2N8x?my';CUUe<y[]n10eB?u >,-l9k?lm/:hndX㼰L $0? #Kyíy,4 -Ro'hbRx@o FYx-N%r^E@f`1+񯂴hzp+Z ˃Xc{zP: *O꽂??j8&oy~g7cUzv?Nѷx6fSTԡ+uUJf܌s=+qL.6]_Kh{)i Ш'dz Ai2Yλ+6$OpFݟ|9iI<< r@%/W:N ܰ0bRQ̀%$}.]&OqݥȜPF=A}\M Y/bkiX\Op\lrItQEQEQEQEQEQEQEQEQEQEQEQEQEQEQ^Wwľ(ѵ ~㱟WݚHQԶ ܬ@A߽Sg 6}Z?ϒ/^{5N?WeX/-~n { ܲ6d滊((+еmJo7\Z4bFoʦp܁תPEPEPEPUm=:?2'dF`C FA=*k>I$2<b@ A]%PE~*Ω;?Lm"bRbG;fPQ1A=RWYkzVGtێpI#{C}K*dW=UH A(B+B {DoF?ppt| ]fTtn亝e( fQNqɮo?IoOow!~>fosQ^oS:ϋy^}=AW< 2Տ^@)35ƕHy7:q }zz5?wyWZ}>7;F$EPExu|.o+즞&HpUpqkCk6$hWـ$+X((+~x'_^Q {wI!I$C1$'ֻ (߁50zDIe%23AEQEQEQEQEQEQEQEQEQEQEQEQEQEQE|:˵ii;Qd,p98㯀m,R{ IHU^:GO^+4xᵽQ$ȡn AbWៃum.; oik2zWU (+/Ye+ݭլpmǁ0`gNį:|?_xWܶ[:O_8RwR#Z#lϸ.*J$䬋?O$ՑVF9Ei |Rā'85¿Vs]|MS| &o$o[\֗VF=Y,>VRQK? "]Ywu6-NMx$ATT?8㞃ᇋOQ\08A+:7O|5~5o[&Md"'B.f21#%FGcI ~#xz e6`pK1VS./U=Kf#Om&9Pj6RP9-;I vn>1E=Y ǧ@#M[r3d>X7 _R:eoq4l&; 8 I@ht?^,>־fW18lpN1yއC$Pe0؆0`Ó }v+ ͥZ@>6I4@q8\^>rKu-KEWG1)pO>gny`E"eO39'eۅҸ}G\i~ ֟/ueÌ98*T74> |s=NA(B쓑*IAay?mz}ۭΕl\S&RUVFqryOi7`Mv#=!gc%*k<7? iXKtH$2nJT9^_?][oqSY PȒ38zt|13Ic`㻍B#0rsր:J(_^:IF8=deg  ^,ǀomO:UKxC?:ATq^GlCy#'\3޸Tu7X a,Pr9 9s?yZԼ _f1xKkw|Lp69xn:d(IaY?TUC²訫(6!J#O<5`_mCۿG]?xkV)h(x0OKEpA\BA#:.4ȼ)H~$q -v9.h|;wo9noK$(wg۟`CioJ?jx߹[1uF ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (8xcV/|#smWŠ(< |E񖛨(F伏Un$||;'Ɨm#WͷeqaAEx?9 /YlF*y98%֣(o2I2@12K:(Ӽ ?| E/!~t>;'Ɨm#WͷeqaAEx?9 /YlF*y98%֣(o2I2@12K:(Yj[B@یZO`u( g8Ke]R嵿Z"Vu@\?|rۑJ(7~$e ؘqܡr8”,?Ѵ曦'LyyIybDž{>Eq~gF2]jUXg'sKmy>Ŵg\Y@`G$((#ඥ|Z'5M>DY`@@Mps>acoiqv$0vdpV(?Oo4x5гDѢ!Ċsp1^Ex*Y?)zG{Öe>u|va[P\ş M_=Ɯ$]kJIDE* duNx|g e bwMQ?w2$ o?SO[!\ *_t  Exr%*_}!#U #4 & ֩3|b]L ]t b+Da&R_2lEٱZ`aC)/яmvUkS r(-iPE Vv_{z GLt\2s!F A#葡JY r|AA,hB}q|B`du }00(䡆<pb,G+oB C0p/x$…– ]7 @2HFc ) @AD \0 LHG',(A` `@SC)_" PH`}Y+_|1.K8pAKMA @?3҄$[JPA)+NH I ,@8G0/@R T,`pF8Ѓ)$^$ DDTDlA@ s;PKPK=AOEBPS/dcommon/darbbook.cssPKPK=A!OEBPS/dcommon/O_signature_clr.JPG"(JFIF``C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (?O '~MQ$Vz;OlJi8L%\]UFjޙ%ԯS;rA]5ފ<׈]j7Ouyq$z'TQuw7Ŀ KX߁M2=S'TQt?.5w'97;~pq=" ~k?`'9q6 E|yayM^Om'fkC&<5x' ?A?Zx'jß={=SßM gVC.5+Hd֪xc^)Җufz{Cީ|D Vkznq|+Xa+{50rx{|OG.OϞ~f/ xxX[2H )c+#jpUOZYX\=SG ߨC|K@;_߆'e?LT?]:?>w ڔ`D^So~xo[Ӡ3i7B:Q8 Vc-ďoi:FM292~y_*_闱YN\Fr=xZ3鳎OwW_QEzW~c]REeaSM}}Hӏ4&.E]u=gMѠ+mF`rNn$w9gMa꺢nTuhf2Xv>އ a(Û6߭?<=>z'TQuw7Ŀ KX߁M2=S'TQt?.5Kko\.8S$TOX߀Gw?Zx汴X)C7~.i6(Щ=+4{mGӭ¸-]&'t_kV*I<1)4thtIsqpQJ+> \m^[aJ5)ny:4o&QEnyAEPEEss 72,PDۢ׃K W{Wjr+wگ iM/;pd?~&?@;7E4gv8 $l'z'TQuw7Ŀ Gֱ=ɿ&G?. iR(5W*$|?w᫼gkmIbHe/_t>tg%y.l}N5[]+Mk0ĠeHdPrsst'UiC,y8`V%9ZIia|ܪvi מYG,o}+kk{YbyIeb*sAtի82zWoEK5z*o-eo;n(P u-I)4Š(HQEQEQEQEhz(X/Đ?}Bk˩ ݏrk0]4>8XzV? }6$}d^F>nU K ?Bտk_9׾x~w'ߞ  uDŽtL ؈5c-E/"|_Oo.IH쐍=i*Iw5(ںw?t5s.)+tQ2dUt5Vĺ.jZ"@IRrZƅY4ߡ_;}ų(KyQf1Aǵt?sZg+?F5_oQR&Dg߿]6FuRD u>ڿxl7?IT8'shj^=.=J1rj1Wl$얲cPx;E,p$֟ˏkw qg"45(ǛkV/=+ũ)bYl~K#˝J_כ5&\F'I#8/|wʾ_Xj Q:os^T1.M_|TO.;?_  jF?g N 8nA2F%i =qW,G=5OU u8]Rq?wr'˻S+۾.ܼ 87Q^elo/T*?L|ۚ<%<,/v_OKs B5f/29n0=zqQq(ª=VX@*J(э(f5qJN_EVǞQEOuoѕOuoa5}gO?:߂8Wא|cڽ~]N&O( (<]>͠@VQ=^~U ̴m&\խ5i:}|}r~9՝f}_>'vVֲ$~^f30^in{\_.O F8to}?${φ|#x^#^n~w=~k~?'KRtO.㌡h![3Zu*ٷճ(ԟ]z_/W1(ԟ]v~g|Yq<ז0 ; b8֮s,w9\?uEyStKaª@\,)) (!EPEPEPEPEPzѧts{v>C/"N6`d*J2gGӧWqBq_1ZuΓ\X]r?=Ey88Mp&pKtO-"wR2 K^-Z< \c>V0^@O7x2WFjs<׻kZ(<Т(OFw/6$1[:ޯԯ#q~4|,LVPem=@=YLUxӃV}AUbcUB.Ds5*kٸAeG>PJxt͝ b88?*$~@ׯD VkraiJs}Q.20x&mXξ,Z]“A-J#`+-E/"<]\a'tZGy.(|lދ~gMK OZdxDŽU9T6ϯ^<Ϡt5CZ]].t۫S=s`ڳ%8iVK:nqe+#<.T6U>zWoy3^I {F?J~=G}k)K$$;$de8*G Uӟ4Ocºw}|]4=ݣ\x$ʠms?q^ipw\"ȿPs^Z Q_0GڼU.t}ROM[G#]8wٞ ӫ87}Cgw vHȩBM55vof =A_٭`Ygx[6 P,5}>蚊(0(+?>+?> k|TuXq6_ +szk :u_ Z߶Ak_U}Jc2u/1[_»ݸG41-bሬ۴}}Eȹפ_c?5gi @cL\L<68hF_Ih>X4K7UТ sMj =J7CKo>Օ5s:߀t ~ηaٿ?|gdL8+gG%o?x`دOqȱwc¨&TW_V_aI=dpG!wu۞սZ1yL50$(l3(:~'ַo A}a3N*[0ǭ HKQV}G@֜$ 9of$ArNqUOgË05#m?D)^_h//5_/<?4}Jį+GkpG4"$ r| >S4Ђ"S 1%R:ȝ 8;PKPz PK=AOEBPS/dcommon/feedback.gif7GIF89a'%(hp|fdx?AN5:dfeDGHɾTdQc`g*6DC\?ؘ||{;=E6JUՄfeA= >@,4`H.|`a (Q 9:&[|ځ,4p Y&BDb,!2@, $wPA'ܠǃ@CO~/d.`I @8ArHx9H75j L 3B/` P#qD*s 3A:3,H70P,R@ p!(F oԥ D;"0 ,6QBRɄHhI@@VDLCk8@NBBL2&pClA?DAk%$`I2 #Q+l7 "=&dL&PRSLIP)PɼirqМ'N8[_}w;PK-PK=AOEBPS/dcommon/booklist.gifGIF89a1޵֥΄kZ{Jk1Rs!BZ)B),@I9Z͓Ca % Dz8Ȁ0FZЌ0P !x8!eL8aWȠFD(~@p+rMS|ӛR$ v "Z:]ZJJEc{*=AP  BiA ']j4$*   & 9q sMiO?jQ = , YFg4.778c&$c%9;PKː5PK=AOEBPS/dcommon/cpyr.htm1 Oracle Legal Notices

Oracle Legal Notices

Copyright Notice

Copyright © 1994-2012, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice

If this document is in prerelease status:

This documentation is in prerelease status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

Oracle Logo

PKN61PK=AOEBPS/dcommon/masterix.gif.GIF89a1ޜΌscJk1Rs!Bc1J),@IS@0"1 Ѿb$b08PbL,acr B@(fDn Jx11+\%1 p { display: none; } /* Class Selectors */ .ProductTitle { font-family: sans-serif; } .BookTitle { font-family: sans-serif; } .VersionNumber { font-family: sans-serif; } .PrintDate { font-family: sans-serif; font-size: small; } .PartNumber { font-family: sans-serif; font-size: small; } PKeӺ1,PK=AOEBPS/dcommon/larrow.gif#GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШtpHc`  өb[.64ꑈ53=Z]'yuLG*)g^!8C?-6(29K"Ĩ0Яl;U+K9^u2,@@ (\Ȱ Ë $P`lj 8x I$4H *(@͉0dа8tA  DсSP v"TUH PhP"Y1bxDǕ̧_=$I /& .)+ 60D)bB~=0#'& *D+l1MG CL1&+D`.1qVG ( "D2QL,p.;u. |r$p+5qBNl<TzB"\9e0u )@D,¹ 2@C~KU 'L6a9 /;<`P!D#Tal6XTYhn[p]݅ 7}B a&AƮe{EɲƮiEp#G}D#xTIzGFǂEc^q}) Y# (tۮNeGL*@/%UB:&k0{ &SdDnBQ^("@q #` @1B4i@ aNȅ@[\B >e007V[N(vpyFe Gb/&|aHZj@""~ӎ)t ? $ EQ.սJ$C,l]A `8A o B C?8cyA @Nz|`:`~7-G|yQ AqA6OzPbZ`>~#8=./edGA2nrBYR@ W h'j4p'!k 00 MT RNF6̙ m` (7%ꑀ;PKl-OJPK=AOEBPS/dcommon/index.gifGIF89a1޵ΥΥ{sc{BZs,@IM" AD B0 3.R~[D"0, ]ШpRNC  /& H&[%7TM/`vS+-+ q D go@" 4o'Uxcxcc&k/ qp zUm(UHDDJBGMԃ;PK(PK=AOEBPS/dcommon/bookbig.gif +GIF89a$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9B!& Imported from GIF image: bookbig.gif,$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9BH`\Ȑ:pظа"A6DBH,V@Dڹ'G"v Æ ܥ;n;!;>xAܽ[G.\rQC wr}BŊQ A9ᾑ#5Y0VȒj0l-GqF>ZpM rb ;=.ސW-WѻWo ha!}~ْ ; t 53 :\ 4PcD,0 4*_l0K3-`l.j!c Aa|2L4/1C`@@md;(H*80L0L(h*҇҆o#N84pC (xO@ A)J6rVlF r  fry†$r_pl5xhA+@A=F rGU a 1х4s&H Bdzt x#H%Rr (Ѐ7P`#Rщ'x" #0`@~i `HA'Tk?3!$`-A@1l"P LhʖRG&8A`0DcBH sq@AXB4@&yQhPAppxCQ(rBW00@DP1E?@lP1%T` 0 WB~nQ@;PKGC PK=AOEBPS/dcommon/rarrow.gif/GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШLlԸ NCqWEd)#34vwwpN|0yhX!'+-[F 'n5 H $/14w3% C .90" qF 7&E "D mnB|,c96) I @0BW{ᢦdN p!5"D`0 T 0-]ʜ$;PKJV^PK=AOEBPS/dcommon/mix.gifkGIF89aZZZBBBJJJkkk999sss!!!111cccֽ{{{RRR)))猌ƭ{s{sks!,@@pH,B$ 8 t:<8 *'ntPP DQ@rIBJLNPTVEMOQUWfj^!  hhG H  kCúk_a Ǥ^ h`B BeH mm  #F` I lpǎ,p B J\Y!T\(dǏ!Gdˆ R53ټ R;iʲ)G=@-xn.4Y BuU(*BL0PX v`[D! | >!/;xP` (Jj"M6 ;PK枰pkPK=AOEBPS/dcommon/doccd_epub.jsM /* Copyright 2006, 2012, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2012.3.17 */ function addLoadEvent(func) { var oldOnload = window.onload; if (typeof(window.onload) != "function") window.onload = func; else window.onload = function() { oldOnload(); func(); } } function compactLists() { var lists = []; var ul = document.getElementsByTagName("ul"); for (var i = 0; i < ul.length; i++) lists.push(ul[i]); var ol = document.getElementsByTagName("ol"); for (var i = 0; i < ol.length; i++) lists.push(ol[i]); for (var i = 0; i < lists.length; i++) { var collapsible = true, c = []; var li = lists[i].getElementsByTagName("li"); for (var j = 0; j < li.length; j++) { var p = li[j].getElementsByTagName("p"); if (p.length > 1) collapsible = false; for (var k = 0; k < p.length; k++) { if ( getTextContent(p[k]).split(" ").length > 12 ) collapsible = false; c.push(p[k]); } } if (collapsible) { for (var j = 0; j < c.length; j++) { c[j].style.margin = "0"; } } } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(compactLists); function processIndex() { try { if (!/\/index.htm(?:|#.*)$/.test(window.location.href)) return false; } catch(e) {} var shortcut = []; lastPrefix = ""; var dd = document.getElementsByTagName("dd"); for (var i = 0; i < dd.length; i++) { if (dd[i].className != 'l1ix') continue; var prefix = getTextContent(dd[i]).substring(0, 2).toUpperCase(); if (!prefix.match(/^([A-Z0-9]{2})/)) continue; if (prefix == lastPrefix) continue; dd[i].id = prefix; var s = document.createElement("a"); s.href = "#" + prefix; s.appendChild(document.createTextNode(prefix)); shortcut.push(s); lastPrefix = prefix; } var h2 = document.getElementsByTagName("h2"); for (var i = 0; i < h2.length; i++) { var nav = document.createElement("div"); nav.style.position = "relative"; nav.style.top = "-1.5ex"; nav.style.left = "1.5em"; nav.style.width = "90%"; while (shortcut[0] && shortcut[0].toString().charAt(shortcut[0].toString().length - 2) == getTextContent(h2[i])) { nav.appendChild(shortcut.shift()); nav.appendChild(document.createTextNode("\u00A0 ")); } h2[i].parentNode.insertBefore(nav, h2[i].nextSibling); } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(processIndex); PKo"nR M PK=AOEBPS/dcommon/toc.gifGIF89a1ΥΥ{c{Z{JkJk1Rk,@IK% 0| eJB,K-1i']Bt9dz0&pZ1o'q(؟dQ=3S SZC8db f&3v2@VPsuk2Gsiw`"IzE%< C !.hC IQ 3o?39T ҍ;PKv I PK=AOEBPS/dcommon/topnav.gifGIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)-'KR$&84 SI) XF P8te NRtHPp;Q%Q@'#rR4P fSQ o0MX[) v + `i9gda/&L9i*1$#"%+ ( E' n7Ȇ(,҅(L@(Q$\x 8=6 'נ9tJ&"[Epljt p#ѣHb :f F`A =l|;&9lDP2ncH R `qtp!dȐYH›+?$4mBA9 i@@ ]@ꃤFxAD*^Ŵ#,(ε  $H}F.xf,BD Z;PK1FAPK=AOEBPS/dcommon/bp_layout.css# @charset "utf-8"; /* bp_layout.css Copyright 2007, Oracle and/or its affiliates. All rights reserved. */ body { margin: 0ex; padding: 0ex; } h1 { display: none; } #FOOTER { border-top: #0d4988 solid 10px; background-color: inherit; color: #e4edf3; clear: both; } #FOOTER p { font-size: 80%; margin-top: 0em; margin-left: 1em; } #FOOTER a { background-color: inherit; color: gray; } #LEFTCOLUMN { float: left; width: 50%; } #RIGHTCOLUMN { float: right; width: 50%; clear: right; /* IE hack */ } #LEFTCOLUMN div.portlet { margin-left: 2ex; margin-right: 1ex; } #RIGHTCOLUMN div.portlet { margin-left: 1ex; margin-right: 2ex; } div.portlet { margin: 2ex 1ex; padding-left: 0.5em; padding-right: 0.5em; border: 1px #bcc solid; background-color: #f6f6ff; color: black; } div.portlet h2 { margin-top: 0.5ex; margin-bottom: 0ex; font-size: 110%; } div.portlet p { margin-top: 0ex; } div.portlet ul { list-style-type: none; padding-left: 0em; margin-left: 0em; /* IE Hack */ } div.portlet li { text-align: right; } div.portlet li cite { font-style: normal; float: left; } div.portlet li a { margin: 0px 0.2ex; padding: 0px 0.2ex; font-size: 95%; } #NAME { margin: 0em; padding: 0em; position: relative; top: 0.6ex; left: 10px; width: 80%; } #PRODUCT { font-size: 180%; } #LIBRARY { color: #0b3d73; background: inherit; font-size: 180%; font-family: serif; } #RELEASE { position: absolute; top: 28px; font-size: 80%; font-weight: bold; } #TOOLS { list-style-type: none; position: absolute; top: 1ex; right: 2em; margin: 0em; padding: 0em; background: inherit; color: black; } #TOOLS a { background: inherit; color: black; } #NAV { float: left; width: 96%; margin: 3ex 0em 0ex 0em; padding: 2ex 0em 0ex 4%; /* Avoiding horizontal scroll bars. */ list-style-type: none; background: transparent url(../gifs/nav_bg.gif) repeat-x bottom; } #NAV li { float: left; margin: 0ex 0.1em 0ex 0em; padding: 0ex 0em 0ex 0em; } #NAV li a { display: block; margin: 0em; padding: 3px 0.7em; border-top: 1px solid gray; border-right: 1px solid gray; border-bottom: none; border-left: 1px solid gray; background-color: #a6b3c8; color: #333; } #SUBNAV { float: right; width: 96%; margin: 0ex 0em 0ex 0em; padding: 0.1ex 4% 0.2ex 0em; /* Avoiding horizontal scroll bars. */ list-style-type: none; background-color: #0d4988; color: #e4edf3; } #SUBNAV li { float: right; } #SUBNAV li a { display: block; margin: 0em; padding: 0ex 0.5em; background-color: inherit; color: #e4edf3; } #SIMPLESEARCH { position: absolute; top: 5ex; right: 1em; } #CONTENT { clear: both; } #NAV a:hover, #PORTAL_1 #OVERVIEW a, #PORTAL_2 #OVERVIEW a, #PORTAL_3 #OVERVIEW a, #PORTAL_4 #ADMINISTRATION a, #PORTAL_5 #DEVELOPMENT a, #PORTAL_6 #DEVELOPMENT a, #PORTAL_7 #DEVELOPMENT a, #PORTAL_11 #INSTALLATION a, #PORTAL_15 #ADMINISTRATION a, #PORTAL_16 #ADMINISTRATION a { background-color: #0d4988; color: #e4edf3; padding-bottom: 4px; border-color: gray; } #SUBNAV a:hover, #PORTAL_2 #SEARCH a, #PORTAL_3 #BOOKS a, #PORTAL_6 #WAREHOUSING a, #PORTAL_7 #UNSTRUCTURED a, #PORTAL_15 #INTEGRATION a, #PORTAL_16 #GRID a { position: relative; top: 2px; background-color: white; color: #0a4e89; } PK3( # PK=AOEBPS/dcommon/bookicon.gif:GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ޭ{{ZRRcZZRJJJBB)!!skRB9{sν{skskcZRJ1)!֭ƽ{ZZRccZJJBBB999111)JJ9BB1ZZB!!ﭵBJJ9BB!!))Jk{)1!)BRZJ{BsR!RRJsJ!J{s!JsBkks{RsB{J{c1RBs1ZB{9BJ9JZ!1BJRRs!9R!!9Z9!1)J19JJRk19R1Z)!1B9R1RB!)J!J1R)J119!9J91!9BkksBBJ119BBR!))9!!!JB1JJ!)19BJRZckތ1)1J9B,H*\hp >"p`ƒFF "a"E|ժOC&xCRz OBtX>XE*O>tdqAJ +,WxP!CYpQ HQzDHP)T njJM2ꔀJ2T0d#+I:<жk 'ꤱF AB @@nh Wz' H|-7f\A#yNR5 /PM09u UjćT|q~Yq@&0YZAPa`EzI /$AD Al!AAal 2H@$ PVAB&c*ؠ p @% p-`@b`uBa l&`3Ap8槖X~ vX$Eh`.JhAepA\"Bl, :Hk;PKx[?:PK=AOEBPS/dcommon/conticon.gif^GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ZRR޽{{ssskkkcccZ991ccRZZBBJJZck)19ZcsBJZ19J!k{k)Z1RZs1!B)!J91{k{)J!B!B911)k{cs!1s!9)s!9!B!k)k1c!)Z!R{9BJcckZZcBBJ99B119{{!!)BBRBBZ!))999R99Z!!999c1!9!)19B1)!B9R,  oua\h2SYPa aowwxYi 9SwyyxxyYSd $'^qYȵYvh ч,/?g{н.J5fe{ڶyY#%/}‚e,Z|pAܠ `KYx,ĉ&@iX9|`p ]lR1khٜ'E 6ÅB0J;t X b RP(*MÄ!2cLhPC <0Ⴁ  $4!B 6lHC%<1e H 4p" L`P!/,m*1F`#D0D^!AO@..(``_؅QWK>_*OY0J@pw'tVh;PKp*c^PK=AOEBPS/dcommon/blafdoc.cssL@charset "utf-8"; /* Copyright 2002, 2011, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2011.10.7 */ body { font-family: Tahoma, sans-serif; /* line-height: 125%; */ color: black; background-color: white; font-size: small; } * html body { /* http://www.info.com.ph/~etan/w3pantheon/style/modifiedsbmh.html */ font-size: x-small; /* for IE5.x/win */ f\ont-size: small; /* for other IE versions */ } h1 { font-size: 165%; font-weight: bold; border-bottom: 1px solid #ddd; width: 100%; } h2 { font-size: 152%; font-weight: bold; } h3 { font-size: 139%; font-weight: bold; } h4 { font-size: 126%; font-weight: bold; } h5 { font-size: 113%; font-weight: bold; display: inline; } h6 { font-size: 100%; font-weight: bold; font-style: italic; display: inline; } a:link { color: #039; background: inherit; } a:visited { color: #72007C; background: inherit; } a:hover { text-decoration: underline; } a img, img[usemap] { border-style: none; } code, pre, samp, tt { font-family: monospace; font-size: 110%; } caption { text-align: center; font-weight: bold; width: auto; } dt { font-weight: bold; } table { font-size: small; /* for ICEBrowser */ } td { vertical-align: top; } th { font-weight: bold; text-align: left; vertical-align: bottom; } ol ol { list-style-type: lower-alpha; } ol ol ol { list-style-type: lower-roman; } td p:first-child, td pre:first-child { margin-top: 0px; margin-bottom: 0px; } table.table-border { border-collapse: collapse; border-top: 1px solid #ccc; border-left: 1px solid #ccc; } table.table-border th { padding: 0.5ex 0.25em; color: black; background-color: #f7f7ea; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } table.table-border td { padding: 0.5ex 0.25em; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } span.gui-object, span.gui-object-action { font-weight: bold; } span.gui-object-title { } p.horizontal-rule { width: 100%; border: solid #cc9; border-width: 0px 0px 1px 0px; margin-bottom: 4ex; } div.zz-skip-header { display: none; } td.zz-nav-header-cell { text-align: left; font-size: 95%; width: 99%; color: black; background: inherit; font-weight: normal; vertical-align: top; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-header-link { font-size: 95%; } td.zz-nav-button-cell { white-space: nowrap; text-align: center; width: 1%; vertical-align: top; padding-left: 4px; padding-right: 4px; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-button-link { font-size: 90%; } div.zz-nav-footer-menu { width: 100%; text-align: center; margin-top: 2ex; margin-bottom: 4ex; } p.zz-legal-notice, a.zz-legal-notice-link { font-size: 85%; /* display: none; */ /* Uncomment to hide legal notice */ } /*************************************/ /* Begin DARB Formats */ /*************************************/ .bold, .codeinlinebold, .syntaxinlinebold, .term, .glossterm, .seghead, .glossaryterm, .keyword, .msg, .msgexplankw, .msgactionkw, .notep1, .xreftitlebold { font-weight: bold; } .italic, .codeinlineitalic, .syntaxinlineitalic, .variable, .xreftitleitalic { font-style: italic; } .bolditalic, .codeinlineboldital, .syntaxinlineboldital, .titleinfigure, .titleinexample, .titleintable, .titleinequation, .xreftitleboldital { font-weight: bold; font-style: italic; } .itemizedlisttitle, .orderedlisttitle, .segmentedlisttitle, .variablelisttitle { font-weight: bold; } .bridgehead, .titleinrefsubsect3 { font-weight: bold; } .titleinrefsubsect { font-size: 126%; font-weight: bold; } .titleinrefsubsect2 { font-size: 113%; font-weight: bold; } .subhead1 { display: block; font-size: 139%; font-weight: bold; } .subhead2 { display: block; font-weight: bold; } .subhead3 { font-weight: bold; } .underline { text-decoration: underline; } .superscript { vertical-align: super; } .subscript { vertical-align: sub; } .listofeft { border: none; } .betadraft, .alphabetanotice, .revenuerecognitionnotice { color: #e00; background: inherit; } .betadraftsubtitle { text-align: center; font-weight: bold; color: #e00; background: inherit; } .comment { color: #080; background: inherit; font-weight: bold; } .copyrightlogo { text-align: center; font-size: 85%; } .tocsubheader { list-style-type: none; } table.icons td { padding-left: 6px; padding-right: 6px; } .l1ix dd, dd dl.l2ix, dd dl.l3ix { margin-top: 0ex; margin-bottom: 0ex; } div.infoboxnote, div.infoboxnotewarn, div.infoboxnotealso { margin-top: 4ex; margin-right: 10%; margin-left: 10%; margin-bottom: 4ex; padding: 0.25em; border-top: 1pt solid gray; border-bottom: 1pt solid gray; } p.notep1 { margin-top: 0px; margin-bottom: 0px; } .tahiti-highlight-example { background: #ff9; text-decoration: inherit; } .tahiti-highlight-search { background: #9cf; text-decoration: inherit; } .tahiti-sidebar-heading { font-size: 110%; margin-bottom: 0px; padding-bottom: 0px; } /*************************************/ /* End DARB Formats */ /*************************************/ @media all { /* * * { line-height: 120%; } */ dd { margin-bottom: 2ex; } dl:first-child { margin-top: 2ex; } } @media print { body { font-size: 11pt; padding: 0px !important; } a:link, a:visited { color: black; background: inherit; } code, pre, samp, tt { font-size: 10pt; } #nav, #search_this_book, #comment_form, #comment_announcement, #flipNav, .noprint { display: none !important; } body#left-nav-present { overflow: visible !important; } } PKʍPK=AOEBPS/dcommon/rightnav.gif&GIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)- $CҠҀ ! D1 #:aS( c4B0 AC8 ְ9!%MLj Z * ctypJBa H t>#Sb(clhUԂ̗4DztSԙ9ZQҀEPEPEPEPEPEPEPM=iԍP Gii c*yF 1׆@\&o!QY00_rlgV;)DGhCq7~..p&1c:u֫{fI>fJL$}BBP?JRWc<^j+χ5b[hֿ- 5_j?POkeQ^hֿ1L^ H ?Qi?z?+_xɔŪ\썽O]χ>)xxV/s)e6MI7*ߊޛv֗2J,;~E4yi3[nI`Ѱe9@zXF*W +]7QJ$$=&`a۾?]N T䏟'X)Ɣkf:j |>NBWzYx0t!* _KkoTZ?K Gc+UyڹgNuh^iSo5{\ܹ3Yos}.>if FqR5\/TӮ#]HS0DKu{($"2xִ{SBJ8=}Y=.|Tsц2UЫ%.InaegKo z ݎ3ֹxxwM&2S%';+I',kW&-"_¿_ Vq^ܫ6pfT2RV A^6RKetto^[{w\jPZ@ޢN4/XN#\42j\(z'j =~-I#:q[Eh|X:sp* bifp$TspZ-}NM*B-bb&*xUr#*$M|QWY ~p~- fTED6O.#$m+t$˙H"Gk=t9r娮Y? CzE[/*-{c*[w~o_?%ƔxZ:/5𨴟q}/]22p qD\H"K]ZMKR&\C3zĽ[PJm]AS)Ia^km M@dК)fT[ijW*hnu Ͳiw/bkExG£@f?Zu.s0(<`0ֹoxOaDx\zT-^ѧʧ_1+CP/p[w 9~U^[U<[tĽwPv[yzD1W='u$Oeak[^ |Gk2xv#2?¹TkSݕ| rݞ[Vi _Kz*{\c(Ck_܏|?u jVڔ6f t?3nmZ6f%QAjJf9Rq _j7Z-y.pG$Xb]0')[_k;$̭?&"0FOew7 z-cIX岛;$u=\an$ zmrILu uٞ% _1xcUW%dtÀx885Y^gn;}ӭ)場QEQ@Q@Q@Q@Q@Q@!4xPm3w*]b`F_931˜[ן+(> E ly;<;MF-qst+}DH @YKlLmؤciN<|]IU)Lw(8t9FS(=>og<\Z~u_+X1ylsj'eՃ*U3`C!N9Q_WܱhKc93^ua>H ƕGk=8~e#_?{ǀe-[2ٔ7;=&K挑5zsLdx(e8#{1wS+ΝVkXq9>&yஏh$zq^0~/j@:/«Vnce$$uoPp}MC{$-akH@ɫ1O !8R9s5ԦYmϧ'OUṡ5T,!Ԛ+s#1Veo=[)g>#< s)ƽُA^䠮ωFUj(ǩ|N3Jڷ睁ϱuږZYGOTsI<&drav?A^_f׻B$,O__ԿC`it{6>G׈C~&$y؎v1q9Sc1fH[ѽ>,gG'0'@Vw,BO [#>ﱺg5ΒFVD%Yr:O5 Tu+O멃]ی38Ze}R&ѝ_xzc1DXgس;<,_,{ƽY'AS#oF.M#~cBuEx7G+Y)(5q+GCV;qF+CLQ)qEC&6z𿊘z}?&w=+)??&\g{;V??׻xGœdٿ׼-Nc')3K]N)iLTӿCdb7Q^a N sd>Fz[0S^s'Zi 77D}kWus ab~~H(>.fif9,~|Jk;YN3H8Y(t6Q݉k͇_÷Z+2߄&[ +Tr^藺97~c܎=[f1RrBǓ^kEMhxYVm<[џ6| kqbѱ| YA{G8p?\UM7Z66 g1U1igU69 u5Pƪ:VVZC=[@ҹ¨$kSmɳО\vFz~i3^a Osŧυ9Q}_3 όO{/wgoet39 vO2ea;Ύ7$U#?k+Ek&dpzbӱ+TaB0gN{[N7Gי}U7&@?>Fz~E!a@s ?'67XxO*!?qi]֏TQN@tI+\^s8l0)2k!!iW8F$(yOּT.k,/#1:}8uT˾+5=O/`IW G֯b.-<= HOm;~so~hW5+kS8s.zwE| ?4ӿw/K N 9?j(#0UT` Wzw}:_*9m>󑓀F?ELzv=8q:=WgJ`nDr Zе<ֹ](Q@Q@Q@Q@Q@Q@Q@Q@ 'IdC0EYJVcMty_~u+Sw-aO n<[YJgL#6i g5ЖDZ14cʝ!!\/M}/_AYR__>oC? _?7_G#RERW쏞KB}JxGSkǕA pƱơP m]hwB7U$Zq M95"3q1ioATߚ{g.t uu2k=;h#YB= fgS :TdLԃ!44mFK{Hrd^7oz|BVr<{)6AXգV»|>*/hS܏z͆OM=Εq (s|s׊LKQI :9NJ)P+!ʣoAF>+=@I}"x/}۠1aנc¹4emC:>p_xWKX` >R3_S½èųp3޺u3N e یbmͺ<_ mnݮ1Op?Gm)Qb%N585'%Ahs\6yw!"&Ɨ._wk)}GP;Z!#\"< *oƾ\)}N>"լ/~]Lg}pBG X?<zZ#x69S=6) jzx=y9O&>+e!!? ?s~k5Gʏ)?*ce7Ox~k5􇔾Q/e7/Ԑ#3OgNC0] ;_FiRl>Q.g>!%k#ú:Kn'&}?U@\pџPtp)v<{_i}Oվֲ3XIYIx~b<D?(=_JXH=bbi=Oh?_ C_O)}oW쏜? %Ƶ;-RYFi`wۭ{ϖZMtQ$"c_+ԃx1*0b;ԕ݋ESQEQEQEQEQEQEQEQEQEQZ(1F)h1K@XLRE&9P (bf{RӨ&)PEPEPbԴPGKZ(iإbn(:A%S0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((PKje88PK=AOEBPS/dcommon/help.gif!GIF89a1εֵ֜֜{kZsBc{,@ )sƠTQ$8(4ʔ%ŌCK$A HP`$h8ŒSd+ɡ\ H@%' 6M HO3SJM /:Zi[7 \( R9r ERI%  N=aq   qƦs *q-n/Sqj D XZ;PKއ{&!PK=A OEBPS/toc.htm> Table of Contents

Contents

List of Tables

Title and Copyright Information

Preface

1 Introduction to Oracle Database Security

2 Securing the Database Installation and Configuration

3 Securing Oracle Database User Accounts

4 Managing User Privileges

5 Securing the Network

6 Securing Data

7 Auditing Database Activity

Index

PKKd7>>PK=A OEBPS/lot.htm C List of Tables

List of Tables

PKW. PK=AOEBPS/tdpsg_network_secure.htmv' Securing the Network

5 Securing the Network

This chapter contains:

About Securing the Network

You can configure the client connection to your Oracle Database installation by following the procedures in "Configuring the Network Environment" in Oracle Database 2 Day DBA and the Oracle Database Installation Guide for your platform. This chapter explains how you can encrypt data as it travels through the network, and also provides guidelines that you can follow to secure the network connections for Oracle Database.

Securing the Client Connection on the Network

This section describes how you can tightens security for the client connection to ensure thorough protection. Encrypting network traffic is essential for securing communications with the database.

These guidelines are as follows:

Guidelines for Securing Client Connections

Because authenticating client computers is problematic, typically, user authentication is performed instead. This approach avoids client system issues that include falsified IP addresses, compromised operating systems or applications, and falsified or stolen client system identities. Nevertheless, the following guidelines improve the security of client connections:

  1. Enforce access controls effectively and authenticate clients stringently.

    By default, Oracle allows operating system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration. This default restriction prevents a remote user from impersonating another operating system user over a network connection.

    Setting the initialization parameter REMOTE_OS_AUTHENT to TRUE forces the database to accept the client, operating-system user name received over a nonsecure connection and use it for account access. (To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter".) Because clients, such as PCs, are not trusted to perform operating system authentication properly, it is poor security practice to use this feature.

    The default setting, REMOTE_OS_AUTHENT = FALSE, creates a more secure configuration that enforces proper, server-based authentication of users connecting to an Oracle database.

    Setting this parameter to FALSE does not mean that users cannot connect remotely. It means that the database will not trust that the client has already authenticated, and will apply its standard authentication processes.

  2. Configure the connection to use encryption.

    Oracle network encryption makes eavesdropping difficult. To learn how to configure encryption, see Oracle Database Advanced Security Administrator's Guide.

  3. Set up strong authentication.

    See Oracle Database Advanced Security Administrator's Guide for more information about using Kerberos and public key infrastructure (PKI).

Guidelines for Securing the Network Connection

Protecting the network and its traffic from inappropriate access or modification is the essence of network security. You should consider all paths the data travels, and assess the threats on each path and node. Then, take steps to lessen or eliminate those threats and the consequences of a security breach. In addition, monitor and audit to detect either increased threat levels or penetration attempts.

To manage network connections, you can use Oracle Net Manager. For an introduction to using Oracle Net Manager, see Oracle Database 2 Day DBA. See also Oracle Database Net Services Administrator's Guide.

The following practices improve network security:

  1. Monitor listener activity.

    You can monitor listener activity by using Oracle Enterprise Manager Database Control. In the Database Control home page, under General, click the link for your listener. The Listener page appears. This page provides detailed information, such as the category of alert generated, alert messages, when the alert was triggered, and so on. This page provides other information, such as performance statistics for the listener.

  2. Prevent online administration by requiring the administrator to have the write privilege on the listener password and on the listener.ora file on the server:

    1. Add or modify this line in the listener.ora file:

      ADMIN_RESTRICTIONS_LISTENER=ON

    2. Use RELOAD to reload the configuration.

    3. Use SSL when administering the listener by making the TCPS protocol the first entry in the address list, as follows:

      LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=
        (PROTOCOL=tcps)
        (HOST = shobeen.us.example.com)
        (PORT = 8281)))

      To administer the listener remotely, define the listener in the listener.ora file on the client computer. For example, to access listener USER281 remotely, use the following configuration:

      user281 =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = tcps)
      (HOST = shobeen.us.example.com)
      (PORT = 8281))
    )
  )

    For more information about the parameters in listener.ora, see Oracle Database Net Services Reference.

  3. Do not set the listener password.

    Ensure that the password has not been set in the listener.ora file. The local operating system authentication will secure the listener administration. The remote listener administration is disabled when the password has not been set. This prevents brute force attacks of the listener password.

    Remember that the listener password has been deprecated in this release, and will not be supported in the next release of Oracle Database.

  4. When a host has multiple IP addresses associated with multiple NIC cards, configure the listener to the specific IP address.

    This enables the listener to monitor all the IP addresses. You can restrict the listener to monitor a specific IP address. Oracle recommends that you specify the specific IP addresses on these types of computers, rather than enabling the listener to monitor all IP addresses. Restricting the listener to specific IP addresses helps to prevent an intruder from stealing a TCP end point from the listener process.

  5. Restrict the privileges of the listener, so that it cannot read or write files in the database or the Oracle server address space.

    This restriction prevents external procedure agents spawned by the listener (or procedures executed by an agent) from inheriting the ability to perform read or write operations. The owner of this separate listener process should not be the owner that installed Oracle Database or executes the Oracle Database instance (such as ORACLE, the default owner).

    For more information about configuring external procedures in the listener, see Oracle Database Net Services Administrator's Guide.

  6. Use encryption to secure the data in flight.

    See "Protecting Data on the Network by Using Network Encryption" to learn about how to protect Oracle data over the network. Oracle Database Advanced Security Administrator's Guide describes network encryption in detail.

  7. Use a firewall.

    Appropriately placed and configured firewalls can prevent outside access to your databases.

    • Keep the database server behind a firewall. Oracle Database network infrastructure, Oracle Net (formerly known as Net8 and SQL*Net), provides support for a variety of firewalls from various vendors. Supported proxy-enabled firewalls include Gauntlet from Network Associates and Raptor from Axent. Supported packet-filtering firewalls include PIX Firewall from Cisco, and supported stateful inspection firewalls (more sophisticated packet-filtered firewalls) include Firewall-1 from CheckPoint.

    • Ensure that the firewall is placed outside the network to be protected.

    • Configure the firewall to accept only those protocols, applications, or client/server sources that you know are safe.

    • Use a product such as Oracle Connection Manager to multiplex multiple-client, network sessions through a single network connection to the database. It can filter using the source, destination, and host name. This product enables you to ensure that connections are accepted only from physically secure terminals or from application Web servers with known IP addresses. (Filtering using the IP address alone is not enough for authentication, because it can be falsified.)

  8. Prevent unauthorized administration of the Oracle listener.

    For more information about the listener, see Oracle Database Net Services Administrator's Guide.

  9. Check network IP addresses.

    Use the Oracle Net valid node checking security feature to allow or deny access to Oracle server processes from network clients with specified IP addresses. To use this feature, set the following sqlnet.ora configuration file parameters:

    tcp.validnode_checking = YES

tcp.excluded_nodes = {list of IP addresses}

tcp.invited_nodes = {list of IP addresses}

    The tcp.validnode_checking parameter enables the feature. The tcp.excluded_nodes and tcp.invited_nodes parameters deny and enable specific client IP addresses from making connections to the Oracle listener. This helps to prevent potential Denial of Service attacks.

    You can use Oracle Net Manager to configure these parameters. See Oracle Database Net Services Administrator's Guide for more information.

  10. Encrypt network traffic.

    If possible, use Oracle Advanced Security to encrypt network traffic among clients, databases, and application servers. For an introduction to Oracle network encryption, see "Protecting Data on the Network by Using Network Encryption". For detailed information about network encryption, see Oracle Database Advanced Security Administrator's Guide.

  11. Secure the host operating system (the system on which Oracle Database resides).

    Secure the host operating system by disabling all unnecessary operating system services. Both UNIX and Windows platforms provide a variety of operating system services, most of which are not necessary for typical deployments. These services include FTP, TFTP, TELNET, and so forth. Be sure to close both the UDP and TCP ports for each service that is being disabled. Disabling one type of port and not the other does not make the operating system more secure.

Protecting Data on the Network by Using Network Encryption

In addition to protecting information by encrypting it at the database level, you must protect it as it travels across the network.

This section contains:


See Also:

Oracle Database Advanced Security Administrator's Guide for detailed information about network encryption

About Network Encryption

Network encryption refers to encrypting data as it travels across the network between the client and server. The reason you should encrypt data at the network level, and not just the database level, is because data can be exposed on the network level. For example, an intruder can use a network packet sniffer to capture information as it travels on the network, and then spool it to a file for malicious use. Encrypting data on the network prevents this sort of activity.

To encrypt data on the network, you need the following components:

  • An encryption seed. The encryption seed is a random string of up to 256 characters. It generates the cryptographic keys that encrypts data as it travels across the network.

  • An encryption algorithm. You can specify any of the supported algorithm types: AES, RC4, DES, or 3DES.

  • Whether the settings apply to a client or server. You must configure the server and each client to which it connects.

  • How the client or server should processes the encrypted data. The settings you select (you have four options) must complement both server and client.

  • A mechanism for configuring the encryption. You can use Oracle Net Manager to configure the encryption. Alternatively, you can edit the sqlnet.ora configuration file. Both Oracle Net Manager and the sqlnet.ora file are available in a default Oracle Database installation.

Configuring Network Encryption

You can configure network encryption by using either Oracle Net Manager or by editing the sqlnet.ora file. This guide explains how to use Oracle Net Manager to configure network encryption.

To configure network encryption: 

  1. On the server computer, start Oracle Net Manager.

    • UNIX: From $ORACLE_HOME/bin, enter the following at the command line:

      netmgr

    • Windows: From the Start menu, click All Programs. Then, click Oracle - HOME_NAME, Configuration and Migration Tools, and then Net Manager

  2. From the Oracle Net Configuration navigation tree, expand Local, and then select Profile.

    Description of netmgr_profile.gif follows
    Description of the illustration netmgr_profile.gif

  3. From the list, select Oracle Advanced Security.

    Description of netmgr_adv_sec.gif follows
    Description of the illustration netmgr_adv_sec.gif

  4. Under Oracle Advanced Security, select the Encryption tab.

    The Encryption settings pane appears.

    Description of netmgr_encrypt.gif follows
    Description of the illustration netmgr_encrypt.gif

  5. Enter the following settings:

    • Encryption: From the list, select SERVER to configure the network encryption for the server. (For the client computer, you select CLIENT.)

    • Encryption Type: Select from the following values to specify the actions of the server (or client) when negotiating encryption and integrity:

      • accepted: Service will be active if the other side of the connection specifies either required or requested, and there is a compatible algorithm available on the receiving database; it will otherwise be inactive.

      • rejected: Service must not be active, and the connection will fail if the other side requires any of the methods in this list.

      • requested: Service will be active if the other side of the connection specifies either accepted, required, or requested, and there is a compatible algorithm available on the other side. Otherwise, the service is inactive.

      • required: Service must be active, and the connection will fail if the other side specifies rejected, or if there is no compatible algorithm on the other side.

    • Encryption Seed: Enter a random string of up to 256 characters. Oracle Database uses the encryption seed to generate cryptographic keys. This is required when either encryption or integrity is enabled.

      If you choose to use special characters such as a comma [,] or a right parenthesis [)] as a part of the Encryption Seed parameter, enclose the value within single quotation marks.

    • Available Methods: Select one or more of the following algorithms, and use the move button (>) to move them to the Selected Methods list. The order in which they appear in the Selected Methods list determines the preferred order for negotiation. That is, the first algorithm listed is selected first, and so on.

      • AES256: Advanced Encryption Standard (AES). AES was approved by the National Institute of Standards and Technology (NIST) to replace Data Encryption Standard (DES). AES256 enables you to encrypt a block size of 256 bits.

      • RC4_256: Rivest Cipher 4 (RC4), which is the most commonly used stream cipher that protects protocols such as Secure Sockets Layer (SSL). RC4_256 enables you to encrypt up to 256 bits of data.

      • AES192: Enables you to use AES to encrypt a block size of 192 bits.

      • 3DES168: Triple Data Encryption Standard (TDES) with a three-key option. 3DES168 enables you to encrypt up to 168 bits of data.

      • AES128: Enables you to use AES to encrypt a block size of 128 bits.

      • RC4_128: Enables you to use RC4 to encrypt up to 128 bits of data.

      • 3DES112: Enables you to use Triple DES with a two-key (112 bit) option.

      • DES: Data Encryption Standard (DES) 56-bit key. Note that National Institute of Standards and Technology (NIST) no longer recommends DES.

      • RC4_40: Enables you to use RC4 to encrypt up to 40 bits of data. (Not recommended.)

      • DES40: Enables you to use DES to encrypt up to 40 bits of data. (Not recommended.)

  6. From the File menu, select Save Network Configuration, and then select Exit to exit Oracle Net Manager.

  7. Repeat these steps for each client computer that connects to the server.


See Also:


Initialization Parameters Used for Network Security

Table 5-1 lists initialization parameters that you can set to better secure user accounts.

Table 5-1 Initialization Parameters Used for Network Security

Initialization ParameterDefault SettingDescription

OS_AUTHENT_PREFIX

OPS$

Specifies a prefix that Oracle Database uses to identify users attempting to connect to the database. Oracle Database concatenates the value of this parameter to the beginning of the user operating system account name and password. When a user attempts a connection request, Oracle Database compares the prefixed username with user names in the database.

REMOTE_LISTENER

No default setting

Specifies a network name that resolves to an address or address list of Oracle Net remote listeners (that is, listeners that are not running on the same computer as this instance). The address or address list is specified in the tnsnames.ora file or other address repository as configured for your system.

REMOTE_OS_AUTHENT

FALSE

Specifies whether remote clients will be authenticated with the value of the OS_AUTHENT_PREFIX parameter.

REMOTE_OS_ROLES

FALSE

Specifies whether operating system roles are allowed for remote clients. The default value, FALSE, causes Oracle Database to identify and manage roles for remote clients.


To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference andOracle Database Administrator's Guide.

PKmvvPK=AOEBPS/tdpsg_privileges.htm Managing User Privileges

4 Managing User Privileges

This chapter contains:

About Privilege Management

You can control user privileges in the following ways:

  • Granting and revoking individual privileges. You can grant individual privileges, for example, the privilege to perform the UPDATE SQL statement, to individual users or to groups of users.

  • Creating a role and assigning privileges to it. A role is a named group of related privileges that you grant, as a group, to users or other roles.

  • Creating a secure application role. A secure application role enables you to define conditions that control when a database role can be enabled. For example, a secure application role can check the IP address associated with a user session before allowing the session to enable a database role.

Guideline for Granting Privileges

Because privileges are the rights to perform a specific action, such as updating or deleting a table, do not provide database users more privileges than are necessary. For an introduction to managing privileges, see "About User Privileges and Roles" in Oracle Database 2 Day DBA. Oracle Database 2 Day DBA also provides an example of how to grant a privilege.

In other words, the principle of least privilege is that users be given only those privileges that are actually required to efficiently perform their jobs. To implement this principle, restrict the following as much as possible:

  • The number of system and object privileges granted to database users

  • The number of people who are allowed to make SYS-privileged connections to the database

For example, generally the CREATE ANY TABLE privilege is not granted to a user who does not have database administrator privileges.

Guideline for Granting Roles to Users

A role is a named group of related privileges that you grant, as a group, to users or other roles. To learn the fundamentals of managing roles, see "Administering Roles" in Oracle Database 2 Day DBA. In addition, see "Example: Creating a Role" in Oracle Database 2 Day DBA.

Roles are useful for quickly and easily granting permissions to users. Although you can use Oracle Database-defined roles, you have more control and continuity if you create your own roles that contain only the privileges pertaining to your requirements. Oracle may change or remove the privileges in an Oracle Database-defined role, as it has with the CONNECT role, which now has only the CREATE SESSION privilege. Formerly, this role had eight other privileges.

Ensure that the roles you define contain only the privileges required for the responsibility of a particular job. If your application users do not need all the privileges encompassed by an existing role, then apply a different set of roles that supply just the correct privileges. Alternatively, create and assign a more restrictive role.

Do not grant powerful privileges, such as the CREATE DATABASE LINK privilege, to regular users such as user SCOTT. (Particularly do not grant any powerful privileges to SCOTT, because this is a well known default user account that may be vulnerable to intruders.) Instead, grant the privilege to a database role, and then grant this role to the users who must use the privilege. And remember to only grant the minimum privileges the user needs.

Guideline for Handling Privileges for the PUBLIC Role

You should revoke unnecessary privileges and roles from the PUBLIC role. The PUBLIC role is automatically assumed by every database user account. By default, it has no privileges assigned to it, but it does have grants to many Java objects. You cannot drop the PUBLIC role, and a manual grant or revoke of this role has no meaning, because the user account will always assume this role. Because all database user accounts assume the PUBLIC role, it does not appear in the DBA_ROLES and SESSION_ROLES data dictionary views.

Because all users have the PUBLIC role, any database user can exercise privileges that are granted to this role. These privileges include, potentially enabling someone with minimal privileges to access and execute functions that this user would not otherwise be permitted to access directly.

Controlling Access to Applications with Secure Application Roles

A secure application role is a role that can be enabled only by an authorized PL/SQL package. The PL/SQL package itself reflects the security policies necessary to control access to the application.

This section contains:

About Secure Application Roles

A secure application role is a role that can be enabled only by an authorized PL/SQL package. This package defines one or more security policies that control access to the application. Both the role and the package are typically created in the schema of the person who creates them, which is typically a security administrator. A security administrator is a database administrator who is responsible for maintaining the security of the database.

The advantage of using a secure application role is you can create additional layers of security for application access, in addition to the privileges that were granted to the role itself. Secure application roles strengthen security because passwords are not embedded in application source code or stored in a table. This way, the decisions the database makes are based on the implementation of your security policies. Because these definitions are stored in one place, the database, rather than in your applications, you modify this policy once instead of modifying the policy in each application. No matter how many users connect to the database, the result is always the same, because the policy is bound to the role.

A secure application role has the following components:

  • The secure application role itself. You create the role using the CREATE ROLE statement with the IDENTIFIED USING clause to associate it with the PL/SQL package. Then, you grant the role the privileges you typically grant a role.

  • A PL/SQL package, procedure, or function associated with the secure application role. The PL/SQL package sets a condition that either grants the role or denies the role to the person trying to log in to the database. You must create the PL/SQL package, procedure, or function using invoker's rights, not definer's rights. An invoker's right procedure executes with the privileges of the current user, that is, the user who invokes the procedure. This user must be granted the EXECUTE privilege for the underlying objects that the PL/SQL package accesses. The invoker's right procedures are not bound to a particular schema. They can be run by a variety of users and enable multiple users to manage their own data by using centralized application logic. To create the invoker's rights package, use the AUTHID CURRENT_USER clause in the declaration section of the procedure code.

    The PL/SQL package also must contain a SET ROLE statement or DBMS_SESSION.SET_ROLE call to enable (or disable) the role for the user.

    After you create the PL/SQL package, you must grant the appropriate users the EXECUTE privilege on the package.

  • A way to execute the PL/SQL package when the user logs on. To execute the PL/SQL package, you must call it directly from the application before the user tries to use the privileges the role grants. You cannot use a logon trigger to execute the PL/SQL package automatically when the user logs on.

When a user logs in to the application, the policies in the package perform the checks as needed. If the user passes the checks, then the role is granted, which enables access to the application. If the user fails the checks, then the user is prevented from accessing the application.

Tutorial: Creating a Secure Application Role

This tutorial shows how two employees, Matthew Weiss and Winston Taylor, try to gain information from the OE.ORDERS table. Access rights to this table are defined in the EMPLOYEE_ROLE secure application role. Matthew is Winston's manager, so Matthew, as opposed to Winston, will be able to access the information in OE.ORDERS.

In this tutorial:

Step 1: Create a Security Administrator Account

For greater security, you should apply separation of duty concepts when you assign responsibilities to the system administrators on your staff. For the tutorials used in this guide, you will create and use a security administrator account called sec_admin.

To create the sec_admin security administrator account:  

  1. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Enter an administrator user name (for example, SYSTEM) and password, and then click Login.

    For the SYSTEM user, connect as Normal.

    The Database Home page appears.

  3. Click Server to display the Server subpage.

  4. Under Security, select Users.

    The Users page appears.

  5. Click Create.

    The Create User page appears.

  6. Enter the following information:

    • Name: sec_admin

    • Profile: Default

    • Authentication: Password

    • Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords".

    • Default Tablespace: SYSTEM

    • Temporary Tablespace: TEMP

    • Status: UNLOCKED

  7. Click Roles to display the Edit User: SEC_ADMIN page.

  8. Click Edit List.

    The Modify Roles page appears.

  9. In the Available Roles list, select the SELECT_CATALOG_ROLE role and then then click Move to move it to the Selected Roles list. Then click OK to return to the Edit User page.

  10. Click System Privileges to display the System Privileges subpage.

  11. Click Edit List.

    The Modify System Privileges page appears.

  12. In the Available System Privileges list, select the following privileges and then click Move to move each one to the Selected System Privileges list. (Hold down the Control key to select multiple privileges.)

    • CREATE PROCEDURE

    • CREATE ROLE

    • CREATE SESSION

    • SELECT ANY DICTIONARY

  13. Click OK.

    The Create User page appears.

  14. Under Admin Option, do not select the boxes.

  15. Click OK.

    The Users page appears. User sec_admin is listed in the UserName list.

Step 2: Create User Accounts for This Tutorial

Matthew and Winston both are sample employees in the HR.EMPLOYEES schema, which provides columns for the manager ID and email address of the employees, among other information. You must create user accounts for these two employees so that they can later test the secure application role.

To create the user accounts:  

  1. In the Users page, click Create.

    The Create User page appears.

  2. Enter the following information:

    • Name: mweiss (to create the user account for Matthew Weiss)

    • Profile: DEFAULT

    • Authentication: Password

    • Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords".

    • Default Tablespace: USERS

    • Temporary Tablespace: TEMP

    • Status: Unlocked

  3. Click System Privileges to display the System Privileges subpage.

  4. Click Edit List.

    The Modify System Privileges page appears.

  5. In the Available System Privileges lists, select the CREATE SESSION privilege, and then click Move to move it to the Selected System Privileges list.

  6. Click OK.

    The Create User page appears, with CREATE SESSION listed as the system privilege for user mweiss.

  7. Ensure that the Admin Option for CREATE SESSION is not selected, and then click OK.

    The Users page appears.

  8. Select the option for user MWEISS from the list of users, and then from the Actions list, select Create Like. Then, click Go.

  9. In the Create User page, enter the following information to create the user account for Winston, which will be almost identical to the user account for Matthew:

    You do not need to specify the default and temporary tablespaces, or the CREATE SESSION system privilege, for user wtaylor because they are already specified.

  10. Click OK.

    You do not need to grant wtaylor the CREATE SESSION privilege, because the Create Like action has done of this for you.

  11. Log out of Database Control.

Now both Matthew Weiss and Winston Taylor have user accounts that have identical privileges.

Step 3: Create the Secure Application Role

Now, you are ready to create the employee_role secure application role. To do so, you must log on as the security administrator sec_admin. "Step 1: Create a Security Administrator Account" explains how to create the sec_admin account.

To create the secure application role:  

  1. Start SQL*Plus and log on as the security administrator sec_admin.

    SQLPLUS sec_admin
Enter password: password

    SQL*Plus starts, connects to the default database, and then displays a prompt.

    SQL>

    For detailed information about starting SQL*Plus, see Oracle Database 2 Day DBA.

  2. Create the following secure application role:

    CREATE ROLE employee_role IDENTIFIED USING sec_roles;

    The IDENTIFIED USING clause sets the role to be enabled (or disabled) only within the associated PL/SQL package, in this case, sec_roles. At this stage, the sec_roles PL/SQL package does not need to exist.

  3. Connect as user OE.

    CONNECT OE
Enter password: password

    If you receive an error message saying that OE is locked, then you can unlock the OE account and reset its password by entering the following statements. For greater security, do not reuse the same password that was used in previous releases of Oracle Database. Enter any password that is secure, according to the password guidelines described in "Requirements for Creating Passwords".

    CONNECT SYS/AS SYSDBA
Enter password: sys_password

PASSWORD OE  -- First, change the OE account password.
Changing password for OE
New password: password
Retype new password: password
Password changed.

ALTER USER OE ACCOUNT UNLOCK; -- Next, unlock the OE account.

    Another way to unlock a user account and create a new password is to use the following syntax:

    ALTER USER account_name ACCOUNT UNLOCK IDENTIFIED BY new_password:

    Now you can connect as user OE.

    CONNECT OE 
Enter password: password

  4. Enter the following statement to grant the EMPLOYEE_ROLE role SELECT privileges on the OE.ORDERS table.

    GRANT SELECT ON OE.ORDERS TO employee_role;

    Do not grant the role directly to the user. The PL/SQL package will do that for you, assuming the user passes its security policies.

Step 4: Create a Lookup View

You are almost ready to create the procedure that determines who is granted the employee_role role. The procedure will grant the employee_role only to managers who report to Steven King, whose employee ID is 100. This information is located in the HR.EMPLOYEES table. However, you should not use that table in this procedure, because it contains sensitive data such as salary information, and for it to be used, everyone will need access to it. In most real world cases, you create a lookup view that contains only the information that you need. (You could create a lookup table, but a view will reflect the most recent data.) For this tutorial, you create your own lookup view that only contains the employee names, employee IDs, and their manager IDs.

To create the HR.HR_VERIFY lookup view: 

  1. In SQL*Plus, connect as user HR.

    CONNECT HR
Enter password: password

    If you receive an error message saying that HR is locked, then you can unlock the account and reset its password by entering the following statements. For greater security, do not reuse the same password that was used in previous releases of Oracle Database. Enter any password that is secure, according to the password guidelines described in "Requirements for Creating Passwords".

    CONNECT SYSTEM
Enter password: password

PASSWORD HR 
Changing password for HR
New password: password
Retype new password: password
Password changed.

ALTER USER HR ACCOUNT UNLOCK;

CONNECT HR
Enter password: password

  2. Enter the following CREATE VIEW SQL statement to create the lookup view:

    CREATE VIEW hr_verify AS 
SELECT EMPLOYEE_ID, FIRST_NAME, LAST_NAME, EMAIL, MANAGER_ID 
FROM EMPLOYEES;

  3. Grant the EXECUTE privilege for this view to mweiss, wtaylor, and sec_admin by entering the following SQL statements:

    GRANT SELECT ON hr.hr_verify TO mweiss;
GRANT SELECT ON hr.hr_verify TO wtaylor;
GRANT SELECT ON hr.hr_verify TO sec_admin;

Step 5: Create the PL/SQL Procedure to Set the Secure Application Role

Now, you are ready to create the secure application role procedure. In most cases, you create a package to hold the procedure, but because this is a simple tutorial that requires only one secure application role test (as defined in the procedure), you will create a procedure by itself. If you want to have a series of procedures to test for the role, create them in a package.

A PL/SQL package defines a simple, clear interface to a set of related procedures and types that can be accessed by SQL statements. Packages also make code more reusable and easier to maintain. The advantage here for secure application roles is that you can create a group of security policies that used together present a solid security strategy designed to protect your applications. For users (or potential intruders) who fail the security policies, you can add auditing checks to the package to record the failure.

To create the secure application role procedure:  

  1. In SQL*Plus, connect as user sec_admin.

    CONNECT sec_admin
Enter password: password

  2. Enter the following CREATE PROCEDURE statement to create the secure application role procedure. (You can copy and paste this text by positioning the cursor at the start of CREATE OR REPLACE in the first line.)


    		 
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

    CREATE OR REPLACE PROCEDURE sec_roles AUTHID CURRENT_USER
 AS
v_user varchar2(50); 
v_manager_id number :=1;
 BEGIN    
  v_user := lower((sys_context ('userenv','session_user')));
  SELECT manager_id 
     INTO v_manager_id FROM hr.hr_verify WHERE lower(email)=v_user;
   IF v_manager_id = 100
    THEN 
     EXECUTE IMMEDIATE 'SET ROLE employee_role';  
    ELSE NULL; 
   END IF;        
  EXCEPTION  
   WHEN NO_DATA_FOUND THEN v_manager_id:=0;  
   DBMS_OUTPUT.PUT_LINE(v_manager_id);
END;
/

    In this example:

    • Line 1: Appends the AUTHID CURRENT_USER clause to the CREATE PROCEDURE statement, which creates the procedure using invoker's rights. The AUTHID CURRENT_USER clause creates the package using invoker's rights, using the privileges of the current user.

      You must create the package using invoker's rights for the package to work. Invoker's rights allow the user to have EXECUTE privileges on all objects that the package accesses.

      Roles that are enabled inside an invoker's right procedure remain in effect even after the procedure exits, but after the user exits the session, he or she no longer has the privileges associated with the secure application role. In this case, you can have a dedicated procedure that enables the role for the rest of the session.

      Because users cannot change the security domain inside definer's rights procedures, secure application roles can only be enabled inside invoker's rights procedures.

      See "About Secure Application Roles" for information about the importance of creating the procedure using invoker's rights.

    • Line3: Declares the v_user variable, which will store the user session information.

    • Line 4: Declares the v_manager_id variable, which will store the manager's ID of the v_user user.

    • Line 6: Retrieves the user session information for the user logging on, in this case, Matthew or Winston. To retrieve user session information, use the SYS_CONTEXT SQL function with the USERENV namespace attributes ('userenv', session_attribute), and writes this information to the v_user variable.

      The information returned by this function indicates the way in which the user was authenticated, the IP address of the client, and whether the user connected through a proxy. See Orac?/le Database SQL Language Reference for more information about SYS_CONTEXT.

    • Lines 7–8: Get the manager's ID of the current user. The SELECT statement copies the manager ID into the v_manager_id variable, and then checking the HR.HR_VERIFY view for the manager ID of the current user. This example uses the employees' email addresses because they are the same as their user names.

    • Lines 9–13: Use an IF condition to test whether the user should be granted the sec_roles role. In this case, the test condition is whether the user reports to Matthew's manager, Steven King, whose employee number is 100. If the user reports to King, as Matthew does, then the secure application role is granted to the user. Otherwise, the role is not granted.

      The result is that the secure application role will grant Matthew Weiss the role because he is a direct report of Steven King, but will deny the role to Winston, because he is not a direct report of Steven King.

    • Lines 10–12: Within the IF condition, the THEN condition grants the role by executing immediately the SET ROLE statement. Otherwise, the ELSE condition denies the grant.

    • Lines 14–15: Use an EXCEPTION statement to set v_manager_id to 0 if no data is found.

    • Line 16: Copies the manager's ID, which is now 0, into a buffer so that it is readily available.


    Tip:

    If you have problems creating or running PL/SQL code, check the Oracle Database trace files. The USER_DUMP_DEST initialization parameter specifies the current location of the trace files. You can find the value of this parameter by issuing SHOW PARAMETER USER_DUMP_DEST in SQL*Plus. See Oracle Database Performance Tuning Guide for more information about trace files.

Step 6: Grant the EXECUTE Privilege for the Procedure to Matthew and Winston

At this stage, Matthew and Winston can try to access the OE.ORDERS table, but they are denied access. The next step is to grant them the EXECUTE privilege on the sec_roles procedure, so that the sec_roles procedure can execute, and then grant or deny access, when they try to select from the OE.ORDERS table.

To grant EXECUTE privileges for the sec_roles procedure:  

  • In SQL*Plus, as user sec_admin, enter the following GRANT SQL statements:

    GRANT EXECUTE ON sec_admin.sec_roles TO mweiss;
GRANT EXECUTE ON sec_admin.sec_roles TO wtaylor;

Step 7: Test the EMPLOYEE_ROLE Secure Application Role

You are ready to test the employee_role secure application role by logging on as Matthew and Winston and trying to access the OE.ORDERS table. When Matthew and Winston log on, and before they issue a SELECT statement on the OE.ORDERS table, the sec_roles procedure must be executed for the role verification to take place.

To test the employee_role secure application role, as user MWEISS:  

  1. Connect as user mweiss.

    CONNECT mweiss
Enter password: password

  2. Enter the following SQL statement to run the sec_roles procedure:

    EXEC sec_admin.sec_roles;

    This statement executes the sec_roles procedure for the current session. (In a real world scenario, this statement would be automatically run when the user logs in to the application.)

  3. Perform the following SELECT statement on the OE.ORDERS table:

    SELECT COUNT(*) FROM OE.ORDERS;

    Matthew has access to the OE.ORDERS table:

      COUNT(*)
----------
       105

Now, Winston will try to access the secure application.

To test the employee_role secure application role as user WTAYLOR: 

  1. In SQL*Plus, connect as user wtaylor.

    CONNECT wtaylor
Enter password: password

  2. Enter the following SQL statement to run the sec_roles procedure:

    EXEC sec_admin.sec_roles;

    This statement executes the sec_roles procedure for the current session.

  3. Perform the following SELECT statement on the OE.ORDERS table:

    SELECT COUNT(*) FROM OE.ORDERS;

    Because Winston does not report directly to Steven King, he does not have access to the OE.ORDERS table. He will never learn the true number of orders in the ORDERS table, at least not by performing a SELECT statement on it.

    ERROR at line 1:
ORA-00942: table or view does not exist

Step 8: Optionally, Remove the Components for This Tutorial

Remove the components that you created for this tutorial.

To remove the components: 

  1. In SQL*Plus, connect as user SYSTEM.

    CONNECT SYSTEM
Enter password: password

  2. Enter the following DROP statements:

    DROP USER mweiss;
DROP USER wtaylor;

    Do not drop user sec_admin. You will need this user for other tutorials in this guide.

  3. In SQL*Plus, connect as user sec_admin.

    CONNECT sec_admin
Enter password: password

  4. Enter the following DROP SQL statements:

    DROP ROLE employee_role;
DROP PROCEDURE sec_roles;

  5. Connect as user HR, and then drop the HR_VERIFY view.

    CONNECT HR
Enter password: password
DROP VIEW hr_verify;

  6. Exit SQL*Plus.

    EXIT

Initialization Parameters Used for Privilege Security

Table 4-1 lists initialization parameters that you can use to secure user privileges.

Table 4-1 Initialization Parameters Used for Privilege Security

Initialization ParameterDefault SettingDescription

O7_DICTIONARY_ACCESSIBILITY

FALSE

Controls restrictions on SYSTEM privileges. See "Enabling Data Dictionary Protection" for more information about this parameter.

OS_ROLES

FALSE

Determines whether the operating system identifies and manages the roles of each user.

MAX_ENABLED_ROLES

30

Specifies the maximum number of database roles that users can enable, including roles contained within other roles.

REMOTE_OS_ROLES

FALSE

Specifies whether operating system roles are allowed for remote clients. The default value, FALSE, causes Oracle to identify and manage roles for remote clients.

SQL92_SECURITY

FALSE

Specifies whether users must be granted the SELECT object privilege to execute UPDATE or DELETE statements.


To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference and Oracle Database Administrator's Guide.

PKi I?PK=AOEBPS/tdpsg_securing_data.htm Securing Data

6 Securing Data

This chapter contains:

About Securing Data

Oracle Database provides many ways to secure data. This chapter describes the following methods that you can use to secure data on your site:

  • Transparent data encryption. Transparent data encryption encrypts data in one or more database table columns, or it can encrypt an entire tablespace. Transparent data encryption is the quickest and easiest way to encrypt data. Transparent data encryption supports the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) algorithms.

    You can also encrypt data on the network. "Protecting Data on the Network by Using Network Encryption" explains how.

  • Oracle Virtual Private Database (VPD). This feature restricts row and column level data access by creating a policy that enforces a WHERE clause for all SQL statements that query the database. You create and manage the VPD policy at the database table or view level, which means that you do not modify the applications that access the database.

  • Oracle Label Security (OLS). This feature secures your database tables at the row level, and assigns these rows different levels of security based on security labels. You then create a security authorization for users based on the OLS labels.

  • Oracle Database Vault. This feature enables you to restrict administrator access to your databases, enforce separation of duty, and control who, when, where and how applications, databases, and data are accessed.

Encrypting Data Transparently with Transparent Data Encryption

Transparent data encryption enables you to quickly encrypt one or more table columns or a tablespace. It is easy to implement and has many advantages over other types of database encryption.

This section contains:

About Encrypting Sensitive Data

Encrypted data can only be read by its recipient. You use encryption to protect data in a potentially unprotected environment, such as data you have placed on backup media that is sent to an offsite storage location.

The encryption data includes the following components:

  • An algorithm to encrypt the data. The encryption algorithm is used by Oracle databases to encrypt data. Oracle Database supports several industry-standard encryption and hashing algorithms, including the Advanced Encryption Standard (AES) encryption algorithm, which has been approved by the National Institute of Standards and Technology (NIST).

  • A key to encrypt and decrypt data. When you encrypt data, Oracle Database uses the key and clear text data as input into the encryption algorithm. Conversely, when you decrypt data, the key is used as input into the algorithm to reverse the process and retrieve the clear text data. Oracle Database uses a symmetric encryption key to perform this task, in which the same key is used to both encrypt and decrypt the data. The encryption key is stored in the data dictionary, but encrypted with another master key.

As mentioned earlier, you can encrypt individual table columns or an entire tablespace. Be careful that you do not mix the two. For example, suppose you encrypt a table column and then encrypt its surrounding tablespace. This double encryption can cause performance problems. In addition, column encryption has limitations in data type support, and only supports B-tree indexes for equality searches. To check the current encrypted settings, you can query the V$ENCRYPTED_TABLESPACES data dictionary view for tablespaces, and the DBA_ENCRYPTED_COLUMNS view for encrypted columns.

When Should You Encrypt Data?

In most cases, you encrypt sensitive data on your site to meet a regulatory compliance. For example, sensitive data such as credit card numbers, Social Security numbers, or patient health information must be encrypted.

Historically, users have wanted to encrypt data because they want to restrict data access from their database administrators. However, this problem is more of an access control problem, not an encryption problem. You can address this problem by using Oracle Database Vault to control the access to your application data from database administrators.

In most cases, you encrypt sensitive data such as credit cards, and Social Security numbers to prevent access when backup tapes or disk drives are lost or stolen. In recent years industry regulations such as the Payment Card Industry (PCI) Data Security Standard and the Healthcare Insurance Portability and Accountability Act (HIPAA) have become a driving factor behind increased usage of encryption for protecting credit card and health care information, respectively.


See Also:

Oracle Database Security Guide for common misconceptions about encrypting stored data

How Transparent Data Encryption Works

Transparent data encryption enables you to encrypt individual table columns or an entire tablespace. When a user inserts data into an encrypted column, transparent data encryption automatically encrypts the data. When users select the column, the data is automatically decrypted.

To encrypt data by using transparent data encryption, you create the following components:

  • A wallet to store the master encryption key. The wallet is an operating system file located outside the database. The database uses the wallet to store the master encryption key. To create the wallet, you can use Enterprise Manager or the ALTER SYSTEM command. The wallet is encrypted using a password as the encryption key. You create the password when you create the wallet. Access to the contents (or master key) of the wallet is thus restricted to only those who know the password. After the wallet is created, you must open the wallet using the password so that the database can access the master encryption key.

  • A location for the wallet. You can specify the wallet location in the sqlnet.ora file.

Afterward, when a user enters data, Oracle Database performs the following steps:

  1. Retrieves the master key from the wallet.

  2. Decrypts the encryption key using the master key.

  3. Uses the encryption key to encrypt the data the user entered.

  4. Stores the data in encrypted format in the database.

If the user is selecting data, the process is similar: Oracle Database decrypts the data and then displays it in clear text format.

Transparent data encryption has the following advantages:

  • As a security administrator, you can be sure that sensitive data is safe if the storage media or data file is stolen or lost.

  • Implementing transparent data encryption helps you address security-related regulatory compliance issues.

  • Data from tables is transparently decrypted for the database user. You do not need to create triggers or views to decrypt data.

  • Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require any action on their part.

  • Applications need not be modified to handle encrypted data. Data encryption and decryption is managed by the database.

Transparent data encryption has a minimal impact on performance. Transparent data encryption column encryption affects performance only when data is retrieved from or inserted into an encrypted column. There is no impact on performance for operations involving unencrypted columns, even if these columns are in a table containing encrypted columns. However, be aware that encrypted data needs more storage space than clear text data. On average, encrypting a single column requires between 32 and 48 bytes of additional storage for each row. Transparent tablespace encryption provides even better performance because Oracle Database performs the encryption and decryption at the I/O block layer. Once blocks are decrypted, they are cached in Oracle Database memory for optimal performance.


See Also:

Oracle Database Advanced Security Administrator's Guide for detailed information about using Transparent Data Encryption

Configuring Data to Use Transparent Data Encryption

To start using transparent data encryption, you must create a wallet and set a master key. The wallet can be the default database wallet shared with other Oracle Database components, or a separate wallet specifically used by transparent data encryption. Oracle recommends that you use a separate wallet to store the master encryption key. This wallet will be used for all data that is being encrypted through transparent data encryption.

You follow these steps to configure table columns to use transparent data encryption:


See Also:

Oracle Database Advanced Security Administrator's Guide for detailed information about using tablespace encryption

Step 1: Configure the Wallet Location

You designate the directory location for the wallet in the sqlnet.ora file. You perform this step once.

To configure the wallet location:  

  1. Create a directory in the $ORACLE_HOME directory in which to store the wallet.

    For example, create a directory called ORA_WALLETS in the C:\oracle\product\11.2.0\db_1 directory.

  2. Create a backup copy of the sqlnet.ora file, which by default is located in the $ORACLE_HOME/network/admin directory.

  3. At the end of the sqlnet.ora file, add code similar to the following, where ORA_WALLETS is the name of the directory where you plan to store the wallet:

    ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=file)
   (METHOD_DATA=
    (DIRECTORY=C:\oracle\product\11.2.0\db_1\ORA_WALLETS)))

  4. Save and close the sqlnet.ora file.

  5. If the compatibility of the database is set to a release earlier than Oracle Database Release 10.2, then restart the database.

    1. Log in to SQL*Plus and then check the database compatibility.

      sqlplus sys as sysdba
Enter password: password

      SQL*Plus starts, connects to the default database, and then displays a SQL> prompt.

      For detailed information about starting SQL*Plus, see Oracle Database 2 Day DBA.

    2. Check the value of the COMPATIBLE parameter.

      SHOW PARAMETER COMPATIBLE

NAME                       TYPE           VALUE
-------------------------- -------------- --------------------
compatible                 string         11.2.0

    3. If the value is greater than 10.2, then you can go to Step 2: Create the Wallet. If the value is less than 10.2, then restart the database as follows.

      SHUTDOWN IMMEDIATE
STARTUP

Step 2: Create the Wallet

To create the wallet, use the ALTER SYSTEM SQL statement. By default, the Oracle wallet stores a history of retired master keys, which enables you to change them and still be able to decrypt data that was encrypted under an old master key. A case-sensitive wallet password unknown to the database administrator provides separation of duty: The database administrator might be able to restart the database, but the wallet is closed and must be manually opened by a security administrator before the database can encrypt or decrypt the data.

To create the wallet:  

  1. In SQL*Plus, connect as a user with administrative privileges, such as SYS, or as a security administrator.

    For example:

    CONNECT SYSTEM
Enter password: password

  2. Enter the following ALTER SYSTEM statement, where password is the password you want to use to protect the Oracle wallet:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";

    Enclose the password in double quotation marks. As with other passwords that you create in Oracle Database, the password does not appear in clear text or in any dynamic views or logs.

    This statement generates the wallet with a new encryption key and sets it as the current transparent data encryption master key. If you plan to use public key infrastructure (PKI) to configure the master encryption key, then specify a certificate ID, which is an optional string that contains the unique identifier of a certificate stored in the Oracle wallet. Use the following syntax:

    ALTER SYSTEM SET ENCRYPTION KEY certificate_ID IDENTIFIED BY "password";

Step 3: Open (or Close) the Wallet

Immediately after you create the wallet key, the wallet is open, and you are ready to start encrypting data. However, if you have restarted the database after you created the wallet, you must manually open the wallet before you can use transparent data encryption.

To open the wallet:  

  • In SQL*Plus, enter the following ALTER SYSTEM statement, where password is the password you use to protect the wallet:

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";

You must inclose the password in quotation marks.

In most cases, leave the wallet open unless you have a reason for closing it. You can close the wallet to disable access to the master key and prevent access to the encrypted columns. The wallet must be open for transparent data encryption to work. To reopen the wallet, use the ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY password statement.

To close the wallet:  

  • In SQL*Plus, enter the following statement, and ensure that you enclose the password in quotation marks:

    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";

Step 4: Encrypt (or Decrypt) Data

After you have created a directory location for the wallet in the sqlnet.ora file and created the wallet itself, you are ready to encrypt either individual table columns or an entire tablespace.

This section contains the following topics:

Encrypting Individual Table Columns

The decisions that you make when you identify columns to be encrypted are determined by governmental security regulations, such as California Senate Bill 1386, or by industry standards such as the Payment Card Industry (PCI) Data Security Standard. Credit card numbers, Social Security numbers, and other personally identifiable information (PII) fall under this category. Another need for encryption is defined by your own internal security policies — trade secrets, research results, or employee salaries and bonuses. See "When Should You Encrypt Data?" for guidelines about when and when not to encrypt data.

Follow these guidelines when you select columns to encrypt:

  • Check the data types of the columns you plan to encrypt. Transparent data encryption supports the following data types:


    		BINARY_FLOATNUMBER

    		BINARY_DOUBLENVARCHAR2

    		CHARRAW

    		DATETIMESTAMP

    		NCHARVARCHAR2

  • Ensure that the columns you select are not part of a foreign key. With transparent data encryption, each table has its own encryption key, which is stored in the database data dictionary and encrypted with the external master key. Encrypted columns cannot be used as foreign keys.

To encrypt a column in a table:  

  1. Ensure that you have created and opened a wallet key.

    "Step 2: Create the Wallet" explains how to create a wallet key. To open an existing wallet key, see "Step 3: Open (or Close) the Wallet".

  2. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  3. Enter an administrator user name (for example, SYSTEM, or the name of a security administrator) and password, and then click Login.

    The Database Home page appears.

  4. Click Schema to display the Schema subpage.

  5. Under Database Objects, select Tables.

    The Tables page appears.

  6. Do one of the following:

    • To create a new table, click Create, and then answer the questions in the subsequent page to start creating the table.

    • To modify an existing table, search for the table name by entering its schema name into the Schema field and the table name in the Object Name field. (You can use the percent sign (%) wildcard character to search for a group of tables, for example O% to find all tables beginning with the letter O.) When the table is listed in the Tables page, select the table, and then click Edit.

    In the Create Table or Edit Table page, you can set its encryption options.

    For example, to encrypt columns in the OE.ORDERS table, the Edit Table page appears as follows:

    Description of encrypt_cols.gif follows
    Description of the illustration encrypt_cols.gif

  7. In the Create Table (or Edit Table) page, do the following:

    1. Select the column that you want to encrypt.

      Do not select columns that are part of a foreign key constraint (primary or unique key columns). You cannot encrypt these columns. These columns are indicated with a key or check mark icon to the left of their names.

    2. Click Encryption Options to display the Encryption Options for the Table page.

    3. From the Encryption Algorithm list, select from the following options:

      • AES192: Sets the key length to 192 bits. AES is the abbreviation for Advanced Encryption Standard.

      • 3DES168: Sets the key length to 168 bits. 3DES is the abbreviation for Triple Data Encryption Standard.

      • AES128: Sets the key length to 128 bits. This option is the default.

      • AES256: Sets the key length to 256 bits.

    4. Under Key Generation, select either Generate Key Randomly or Specify Key. If you select Specify Key, enter characters for the seed values in the Enter Key and Confirm Key fields.

      The Generate Key Randomly setting enables salt. Salt is a way to strengthen the security of encrypted data. It is a random string added to the data before it is encrypted, causing the same text to appear different when encrypted. Salt removes one method attackers use to steal data, namely, matching patterns of encrypted text.

    5. Click Continue to return to the Create Table (or Edit Table) page.

    6. Enable encryption for the column by selecting its box under Encrypted.

  8. Click Continue.

    The Create Table (or Edit Table) page appears.

While a table is being updated, read access is still possible. Afterward, existing and future data in the column is encrypted when it is written to the database file, and it is decrypted when an authorized user selects it. If data manipulation language (DML) statements are needed, you can use online redefinition statements.

Encrypting a Tablespace

You can encrypt a new tablespace while you are creating it, but you cannot encrypt an existing tablespace. As a workaround, you can use the CREATE TABLE AS SELECT, ALTER TABLE MOVE, or use Oracle Data Pump import to get data from an existing tablespace into an encrypted tablespace. For details about creating a tablespace, see Oracle Database 2 Day DBA.

To encrypt a tablespace:  

  1. Ensure that you have created and opened a wallet key.

    "Step 2: Create the Wallet" explains how to create a wallet key. To open an existing wallet key, see "Step 3: Open (or Close) the Wallet".

  2. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  3. Enter an administrator user name (for example, SYSTEM, or the name of a security administrator) and password, and then click Login.

    The Database Home page appears.

  4. Click Server to display the Server subpage.

  5. Under Storage, click Tablespaces.

    The Tablespaces page appears.

  6. Click Create, and then answer the questions in the subsequent page to start creating the tablespace and its required data file.

  7. In the Create Tablespace page, do the following:

    1. Under Type, select the Encryption box, under Permanent.

    2. Select Encryption options to display the Encryption Options page.

    3. From the Encryption Algorithm list, select from the following options:

      • AES192: Sets the key length to 192 bits. AES is the abbreviation for Advanced Encryption Standard.

      • 3DES168: Sets the key length to 168 bits. 3DES is the abbreviation for Triple Data Encryption Standard.

      • AES128: Sets the key length to 128 bits. This option is the default.

      • AES256: Sets the key length to 256 bits.

      See "Available Methods" under Step 5 in "Configuring Network Encryption" for more information about these encryption algorithms.

    4. Click Continue.

      The Create Tablespace page appears.

  8. Click OK.

    The new tablespace appears in the list of existing tablespaces. Remember that you cannot encrypt an existing tablespace.


See Also:




Checking Existing Encrypted Data

You can query the database for the data that you have encrypted. You can check for individually encrypted columns, all tables in the current database instance that have encrypted columns, or all tablespaces that are encrypted.

This section contains:

Checking Whether a Wallet Is Open or Closed

You can find out if a wallet is open or closed by running the V$ENCRYPTION_WALLET view.

To check whether a wallet is open or closed: 

  • In SQL*Plus, query the V$ENCRYPTION_VIEW view as follows:

    SELECT * FROM V$ENCRYPTION_WALLET;

    The wallet status appears, similar to the following:

    WRL_TYPE  WRL_PARAMETER                             STATUS
--------  ----------------------------------------  -------
file      C:\oracle\product\11.2.0\db_1\wallets     OPEN

Checking Encrypted Columns of an Individual Table

You use the DESC (for DESCRIBE) statement in SQL*Plus to check the encrypted columns in a database table.

To check the encrypted columns of an individual table: 

  • In SQL*Plus, run the DESC statement using the following syntax.

    DESC tablename;

    For example:

    DESC OE.ORDER_ITEMS;

    A description of the table schema appears. For example:

    Name                                      Null?     Type
----------------------------------------  --------  --------------------------
ORDER_ID                                  NOT NULL  NUMBER(12)
LINE_ITEM_ID                              NOT NULL  NUMBER(3)
PRODUCT_ID                                NOT NULL  NUMBER(6)
UNIT_PRICE                                          NUMBER(8,2)
QUANTITY                                            NUMBER(8) ENCRYPT

Checking All Encrypted Table Columns in the Current Database Instance

To check all encrypted table columns, you use the DBA_ENCRYPTED_COLUMNS view.

To check all encrypted table columns in the current database instance: 

  • In SQL*Plus, select from the DBA_ENCRYPTED_COLUMNS view:

    For example:

    SELECT * FROM DBA_ENCRYPTED_COLUMNS;

    This SELECT statement lists all tables and column in the database that contain columns encrypted using Oracle Transparent Data Encryption. For example:

    OWNER        TABLE_NAME    COLUMN_NAME    ENCRYPTION_ALG     SALT
-----------  ----------    -----------    ----------------   ----
OE           CUSTOMERS     INCOME_LEVEL   AES 128 bits key   YES
OE           UNIT_PRICE    ORADER_ITEMS   AES 128 bits key   YES
HR           EMPLOYEES     SALARY         AES 192 bits key   YES

See Also:

Oracle Database Reference for more information about the DBA_ENCRYPTED_COLUMNS view

Checking Encrypted Tablespaces in the Current Database Instance

Table 6-1 lists data dictionary views that you can use to check encrypted tablespaces.

Table 6-1 Data Dictionary Views for Encrypted Tablespaces

Data Dictionary ViewDescription

DBA_TABLESPACES

Describes all tablespaces in the database. For example, find out if the tablespace has been encrypted, enter the following:

SELECT TABLESPACE_NAME, ENCRYPTED FROM DBA_TABLESPACES

TABLESPACE_NAME              ENC
---------------------------- ----
SYSTEM                       NO
SYSAUX                       NO
UNCOTBS1                     NO
TEMP                         NO
USERS                        NO
EXAMPLE                      NO
SECURESPACE                  YES

USER_TABLESPACES

Describes the tablespaces accessible to the current user. It has the same columns as DBA_TABLESPACES, except for the PLUGGED_IN column.

V$ENCRYPTED_TABLESPACES

Displays information about the tablespaces that are encrypted. For example:

SELECT * FROM V$ENCRYPTED_TABLESPACES;

        TS#  ENCRYPTIONALG  ENCRYPTEDTS
-----------  -------------  -----------
         6   AES128          YES

The list includes the tablespace number, its encryption algorithm, and whether its encryption is enabled or disabled.

If you want to find the name of the tablespace, use the following join operation:

SELECT NAME, ENCRYPTIONALG ENCRYPTEDTS
FROM V$ENCRYPTED_TABLESPACES, V$TABLESPACE
WHERE V$ENCRYPTED_TABLESPACES.TS# = V$TABLESPACE.TS#;


See Also:

Oracle Database Reference for more information about data dictionary views

Choosing Between Oracle Virtual Private Database and Oracle Label Security

Both Oracle Virtual Private Database (VPD) and Oracle Label Security (OLS) enable you to restrict the data that different users can see in database tables. But when should you use Virtual Private Database and when should you use Oracle Label Security? Virtual Private Database is effective when there is existing data you can use to determine the access requirements. For example, you can configure a sales representative to see only the rows and columns in a customer order entry table for orders he or she handles. Oracle Label Security is useful if you have no natural data (such as user accounts or employee IDs) that can be used to indicate a table's access requirements. To determine this type of user access, you assign different levels of sensitivity to the table rows.

In some cases, Oracle Virtual Private Database and Oracle Label Security can complement each other. The following Oracle Technology Network hands-on tutorial demonstrates how a Virtual Private Database policy can compare an Oracle Label Security user clearance with a minimum clearance. When the user clearance dominates the threshold, the Salary column is not hidden.

http://www.oracle.com/technetwork/database/security/ols-cs1-099558.html

Table 6-2 compares the features of Oracle Virtual Private Database with Oracle Label Security.

Table 6-2 Comparing Oracle Virtual Private Database with Oracle Label Security

FeatureVPDOLS

Provides row-level security

Yes

Yes

Provides column-level security (column masking)

Yes

No

Binds a user-defined PL/SQL package to a table, view, or synonym

Yes

NoFoot 1 

Modifies SQL by dynamically adding a WHERE clause returned from the PL/SQL procedures

Yes

No

Restricts database operations by privileged usersFoot 2 

No

No

Controls access to a set of rows based on the sensitivity label of the row and the security level of the user

No

Yes

Adds a column (optionally hidden) designed to store sensitivity labels for rows in the protected tableFoot 3 

No

Yes

Provides a user account to manage its administration

NoFoot 4 

YesFoot 5 

Provides pre-defined PL/SQL packages for row-level security

No

Yes

Is provided in the default installation of Oracle Database

Yes

No

Is provided as an additional option to Oracle Database and must be licensed

No

Yes


Footnote 1 Oracle Label Security uses predefined PL/SQL packages, not user-created packages, to attach security policies to tables.

Footnote 2 If you must restrict privileged user access, consider using Oracle Database Vault.

Footnote 3 Usually, this column is hidden to achieve transparency and not break applications that are not designed to show an additional column.

Footnote 4 Oracle Virtual Private Database does not provide a user account, but you can create a user account that is solely responsible for managing Virtual Private Database policies.

Footnote 5 The LBACSYS account manages Oracle Label Security policies. This provides an additional layer of security in that one specific user account is responsible for these policies, which reduces the risk of another user tampering with the policies.

Controlling Data Access with Oracle Virtual Private Database

Oracle Virtual Private Database (VPD) enables you to dynamically add a WHERE clause in any SQL statement that a user executes. The WHERE clause filters the data the user is allowed to access, based on the identity of a user.

This section contains:


See Also:

Oracle Database Security Guide for detailed information about how Oracle Virtual Private Database works

About Oracle Virtual Private Database

Oracle Virtual Private Database (VPD) provides row-level security at the database table or view level. You can extend it to provide column-level security as well. Essentially, Virtual Private Database inserts an additional WHERE clause to any SQL statement that is used on any table or view to which a Virtual Private Database security policy has been applied. (A security policy is a function that allows or prevents access to data.) The WHERE clause allows only users whose identity passes the security policy, and hence, have access to the data that you want to protect.

An Oracle Virtual Private Database policy has the following components, which are typically created in the schema of the security administrator:

  • A PL/SQL function to append the dynamic WHERE clause to SQL statements that affect the Virtual Private Database tables. For example, a PL/SQL function translates the following SELECT statement:

    SELECT * FROM ORDERS;

    to the following:

    SELECT * FROM ORDERS
  WHERE SALES_REP_ID = 159;

    In this example, the user can only view orders by Sales Representative 159. The PL/SQL function used to generate this WHERE clause is as follows:


    		 
    1
2
3
4
5
6
7
8
9
10
11
12

    CREATE OR REPLACE FUNCTION auth_orders( 
 schema_var IN VARCHAR2, 
 table_var  IN VARCHAR2 
) 
RETURN VARCHAR2
IS  
 return_val VARCHAR2 (400); 
BEGIN 
 return_val := 'SALES_REP_ID = 159';
 RETURN return_val; 
END auth_orders; 
/

    In this example:

    • Lines 2–3: Create parameters to store the schema name, OE, and table name, ORDERS. (The second parameter, table_var, for the table, can also be used for views and synonyms.) Always create these two parameters in this order: create the parameter for the schema first, followed by the parameter for the table, view, or synonym object. Note that the function itself does not specify the OE schema or its ORDERS table. The Virtual Private Database policy you create uses these parameters to specify the OE.ORDERS table.

    • Line 5: Returns the string that will be used for the WHERE predicate clause.

    • Lines 6–10: Encompass the creation of the WHERE SALES_REP_ID = 159 predicate.

    You can design the WHERE clause to filter the user information based on the session information of that user, such as the user ID. To do so, you create an application context. Application contexts can be used to authenticate both database and nondatabase users. An application context is a name-value pair. For example:

    SELECT * FROM oe.orders 
 WHERE sales_rep_id = SYS_CONTEXT('userenv','session_user');

    In this example, the WHERE clause uses the SYS_CONTEXT PL/SQL function to retrieve the user session ID (session_user) designated by the userenv context. See Oracle Database Security Guide for detailed information about application contexts.

  • A way to attach the policy the package. Use the DBMS_RLS.ADD_POLICY function to attach the policy to the package. Before you can use the DBMS_RLS PL/SQL package, you must be granted EXECUTE privileges on it. User SYS owns the DBMS_RLS package.

The advantages of enforcing row-level security at the database level rather than at the application program level are enormous. Because the security policy is implemented in the database itself, where the data to be protected is, this data is less likely to be vulnerable to attacks by different data access methods. This layer of security is present and enforced no matter how users (or intruders) try to access the data it protects. The maintenance overhead is low because you maintain the policy in one place, the database, rather than having to maintain it in the applications that connect to this database. The policies that you create provide a great deal of flexibility because you can write them for specific DML operations.

Tutorial: Creating an Oracle Virtual Private Database Policy

The ORDERS table in the Order Entry database, OE, contains the following information:

Name                                   Null?    Type
-------------------------------------- -------- ---------------------------------
ORDER_ID                               NOTNULL  NUMBER(12)
ORDER_DATE                             NOTNULL  TIMESTAMP(6) WITH LOCAL TIME ZONE
ORDER_MODE                                      VARCHAR2(8)
CUSTOMER_ID                            NOTNULL  NUMBER(6)
ORDER_STATUS                                    NUMBER(2)
ORDER_TOTAL                                     NUMBER(8,2)
SALES_REP_ID                                    NUMBER(6)
PROMOTION_ID                                    NUMBER(6)

Suppose you want to limit access to this table based on the person who is querying the table. For example, a sales representative should only see the orders that he or she have created, but other employees should not. In this tutorial, you create a sales representative user account and an account for a finance manager. Then, you create an Oracle Virtual Private Database policy that will limit the data access to these users based on their roles.

The Virtual Private Database policy that you will create is associated with a PL/SQL function. Because VPD policies are controlled by PL/SQL functions or procedures, you can design the policy to restrict access in many different ways. For this tutorial, the function you create will restrict access by the employees based on to whom they report. The function will restrict the customer access based on the customer's ID.

You may want to store VPD policies in a database account separate from the database administrator and from application accounts. In this tutorial, you will use the sec_admin account, which was created in "Tutorial: Creating a Secure Application Role", to create the VPD policy. This provides better security by separating the VPD policy from the applications tables.

To restrict access based on the sensitivity of row data, you can use Oracle Label Security (OLS). OLS lets you categorize data into different levels of security, with each level determining who can access the data in that row. This way, the data access restriction is focused on the data itself, rather than on user privileges. See "Enforcing Row-Level Security with Oracle Label Security" for more information.

In this tutorial:

Step 1: If Necessary, Create the Security Administrator Account

In "Tutorial: Creating a Secure Application Role", you created a security administrator account called sec_admin for that tutorial. You can use that account for this tutorial. If you have not yet created this account, follow the steps in "Step 1: Create a Security Administrator Account" to create sec_admin.

Step 2: Update the Security Administrator Account

The sec_admin account user must have privileges to use the DBMS_RLS packages. User SYS owns this package, so you must log on as SYS to grant these package privileges to sec_admin. The user sec_admin also must have SELECT privileges on the CUSTOMERS table in the OE schema and the EMPLOYEES table in the HR schema.

To grant sec_admin privileges to use the DBMS_RLS package: 

  1. Start Database Control.

    See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Log in as user SYS and connect with the SYSDBA privilege:

    • User Name: SYS

    • Password: Enter the password for SYS.

    • Connect As: SYSDBA

  3. Click Server to display the Server subpage.

  4. Under Security, select Users.

    The Users Page appears.

  5. Select the SEC_ADMIN user, and in the View User page, click Edit.

    The Edit User page appears.

  6. Click Object Privileges to display the Object Privileges page.

  7. From the Select Object Type list, select Package, and then click Add.

    The Add Package Object Privileges page appears.

  8. Under Select Package Objects, enter SYS.DBMS_RLS so that sec_admin will have access to the DBMS_RLS package.

  9. Under Available Privileges, select EXECUTE, and then click Move to move it to the Selected Privileges list.

  10. Click OK.

    The Edit User page appears.

  11. From the Select Object Type list, select Table, and then click Add.

    The Add Table Object Privileges page appears.

  12. In the Select Table Objects field, enter HR.EMPLOYEES so that sec_admin will have access to the HR.EMPLOYEES table.

  13. Under Available Privileges, select SELECT, and then click Move to move it to the Selected Privileges list.

  14. Click OK.

    The Edit User page appears. It shows that user sec_admin has object privileges for the EMPLOYEES table and DBMS_RLS PL/SQL package. Ensure that you do not select the grant option for either of these objects.

  15. Click Apply.

    All the changes you have made, in this case, the addition of the two object privileges, are applied to the sec_admin user account.

Step 3: Create User Accounts for This Tutorial

You are ready to create accounts for the employees who must access the OE.ORDERS table.

To create the employee user accounts:  

  1. In Database Control, click Users in the Database Instance link to return to the Users page.

    The Users page appears.

  2. Click Create.

    The Create User page appears.

  3. Enter the following information:

    • Name: LDORAN (to create the user account Louise Doran)

    • Profile: DEFAULT

    • Authentication: Password

    • Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords".

    • Default Tablespace: USERS

    • Temporary Tablespace: TEMP

    • Status: Unlocked

  4. Select the Object Privileges tab.

  5. From the Select Object Type list, select Table, and then click Add.

    The Add Table Object Privileges page appears.

  6. In the Select Table Objects field, enter the following text:

    OE.ORDERS

    Do not include spaces in this text.

  7. In the Available Privileges list, select SELECT, and then click Move to move it to the Selected Privileges list. Click OK.

    The Create User page appears, with SELECT privileges for OE.ORDERS listed.

  8. Click OK.

    The Users page appears, with user ldoran is listed in the UserName column.

  9. Select the selection button for user LDORAN, and from the Actions list, select Create Like. Then, click Go.

    The Create User page appears.

  10. Enter the following information:

    • Name: LPOPP (to create the user account for Finance Manager Luis Popp.)

    • Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords".

  11. Click OK.

Both employee accounts have been created, and they have identical privileges. If you check the privileges for user LPOPP, you will see that they are identical to those of user LDORAN's. At this stage, if either of these users performs a SELECT statement on the OE.ORDERS table, he or she will be able to see all of its data.

Step 4: Create the F_POLICY_ORDERS Policy Function

The f_policy_orders policy is a PL/SQL function that defines the policy used to filter users who query the ORDERS table. To filter the users, the policy function uses the SYS_CONTEXT PL/SQL function to retrieve session information about users who are logging in to the database.

To create the application context and its package: 

  1. In Database Control, click Logout and then Login.

  2. Log in as user sec_admin.

  3. Click Schema to display the Schema subpage.

  4. Under Programs, select Functions.

    The Functions page appears.

  5. Ensure that the Object Type menu is set to Function, and then click Create.

    The Create Function page appears.

  6. Enter the following information:

    • Name: F_POLICY_ORDERS

    • Schema: SEC_ADMIN

    • Source: Delete the empty function code that has been provided, and then enter the following code (but not the line numbers on the left side of the code) to create a function that checks whether the user who has logged on is a sales representative. You can copy and paste this text by positioning the cursor at the start of (schema in varchar2) in the first line.

      The f_policy_orders function accomplishes this by using the SYS_CONTEXT PL/SQL function to get the session information of the user, and then it compares this information with the job ID of that user in the HR.EMPLOYEES table, for which sec_admin has SELECT privileges.


      		 
      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

      (schema in varchar2,
tab in varchar2)
return varchar2 
as 
 v_job_id   varchar2(20);
 v_user     varchar2(100);
 predicate  varchar2(400);
 
begin
 v_job_id  := null;
 v_user    := null;
 predicate := '1=2';

v_user := lower(sys_context('userenv','session_user'));

 select lower(job_id) into v_job_id from hr.employees
   where lower(email) = v_user;
 
 if  v_job_id='sa_rep' then
    predicate := '1=1';
 else 
    null; 
 end if;

 return predicate;

 exception 
  when no_data_found then 
   null;
end;

      In this example:

      • Lines 1–2: Define parameters for the schema (schema) and table (tab) that must be protected. Notice that the function does not mention the OE.ORDERS table. The ACCESSCONTROL_ORDERS policy that you create in Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy uses these parameters to specify the OE schema and ORDERS table. Ensure that you create the schema parameter first, followed by the tab parameter.

      • Line 3: Returns the string that will be used for the WHERE predicate clause. Always use VARCHAR2 as the data type for this return value.

      • Lines 4–7: Define variables to store the job ID, user name of the user who has logged on, and predicate values.

      • Lines 9–25: Encompass the creation of the WHERE predicate, starting the with the BEGIN clause at Line 9.

      • Lines 10–12: Sets the v_job_id and v_user variables to null, and the predicate variable to 1=2, that is, to a false value. At this stage, no WHERE predicate can be generated until these variables pass the tests starting with Line 16.

      • Line 14: Uses the SYS_CONTEXT function to retrieve the session information of the user and write it to the v_user variable.

      • Lines 16–23: Checks if the user is a sales representative by comparing the job ID with the user who has logged on. If the job ID of the user who has logged on is sa_rep (sales representative), then the predicate variable is set to 1=1. In other words, the user, by being a sales representative, has passed the test.

      • Line 25: Returns the WHERE predicate, which translates to WHERE role_of_user_logging_on IS "sa_rep". Oracle Database appends this WHERE predicate onto any SELECT statement that users LDORAN and LPOPP issue on the OE.ORDERS table.

      • Lines 27–29: Provide an EXCEPTION clause for cases where a user without the correct privileges has logged on.

  7. Click OK.

Step 5: Create the ACCESSCONTROL_ORDERS Virtual Private Database Policy

Now that you have created the Virtual Private Database policy function, you can create the Virtual Private Database policy, accesscontrol_orders, and then attach it to the ORDERS table. To increase performance, add the CONTEXT_SENSITIVE parameter to the policy, so that Oracle Database only executes the f_policy_orders function when the content of the application context changes, in this case, when a new user logs on. Oracle Database only activates the policy when a user performs a SQL SELECT statement on the ORDERS table. Hence, the user cannot run the INSERT, UPDATE, and DELETE statements, because the policy does not allow him or her to do so.

To create the ACCESSCONTROL_ORDERS Virtual Private Database policy:  

  1. In Database Control, click the Database Instance link to display the Database Home page.

  2. Click Server to display the Server subpage.

  3. In the Security section, click Virtual Private Database.

    The Virtual Private Database Policies page appears.

  4. Click Create.

    The Create Policy page appears, with the Policy subpage displaying.

  5. Under General, enter the following:

    • Policy Name: ACCESSCONTROL_ORDERS

    • Object Name: OE.ORDERS

    • Policy Type: Select CONTEXT_SENSITIVE.

      This type reevaluates the policy function at statement run-time if it detects context changes since the last use of the cursor. For session pooling, where multiple clients share a database session, the middle tier must reset the context during client switches. Note that Oracle Database does not cache the value that the function returns for this policy type; it always runs the policy function during statement parsing. The CONTEXT_SENSITIVE policy type applies to only one object.

      To enable the Policy Type, select the Enabled box.

  6. Under Policy Function, enter the following:

    • Policy Function: Enter the name of the function that generates a predicate for the policy, in this case, SEC_ADMIN.F_POLICY_ORDERS.

    • Long Predicate: Do not select this box.

      Typically, you select this box to return a predicate with a length of up to 32K bytes. By not selecting this box, Oracle Database limits the predicate to 4000 bytes.

  7. Under Enforcement, select the SELECT option but deselect the remaining options that already may be selected.

  8. Do not select any options under Security Relevant Columns.

  9. Click OK.

    The Virtual Private Database Policies page appears, with the ACCESSCONTROL_ORDERS policy listed in the list of policies.

Step 6: Test the ACCESSCONTROL_ORDERS Virtual Private Database Policy

At this stage, you are ready to test the accesscontrol_orders policy by logging on as each user and attempting to select data from the ORDERS table.

To test the ACCESSCONTROL_ORDERS policy:  

  1. Start SQL*Plus.

    From a command prompt, enter the following command to start SQL*Plus, and log in as Sales Representative Louise Doran, whose user name is ldoran:

    sqlplus ldoran
Enter password: password

    SQL*Plus starts, connects to the default database, and then displays a prompt.

    For detailed information about starting SQL*Plus, see Oracle Database 2 Day DBA.

  2. Enter the following SELECT statement:

    SELECT COUNT(*) FROM OE.ORDERS;

    The following results should appear for Louise. As you can see, Louise is able to access all the orders in the OE.ORDERS table.

    COUNT(*)
--------
     105

  3. Connect as Finance Manager Luis Popp.

    CONNECT lpopp
Enter password: password

  4. Enter the following SELECT statement:

    SELECT COUNT(*) FROM OE.ORDERS;

    The following results should appear, because Mr. Popp, who is not a sales representative, does not have access to the data in the OE.ORDERS table. Because Mr. Popp does not have access, Oracle Database only allows him access to 0 rows.

    COUNT(*)
--------
       0

  5. Exit SQL*Plus:

    EXIT

Step 7: Optionally, Remove the Components for This Tutorial

After completing this tutorial, you can remove the data structures that you used if you no longer need them.

To remove the data structures created by sec_admin: 

  1. In Database Control, log in as user sec_admin.

  2. Click Server to display the Server subpage.

  3. Under Security, select Virtual Private Database.

    The Virtual Private Database Policies page appears.

  4. Under Search, enter the following information, and then click Go:

    • Schema Name: OE

    • Object Name: ORDERS

    • Policy Name: %

    The policy you created, ACCESSCONTROL_ORDERS, is listed.

  5. Select ACCESSCONTROL_ORDERS, and then click Delete.

  6. In the Confirmation page, click Yes.

To remove the user accounts and roles: 

  1. In Database Control, click Logout, and then Login.

  2. Log in as the administrative user (for example, SYSTEM) who created the user accounts and roles used in this tutorial.

  3. Click Server to display the Server subpage.

  4. Under Security, select Users.

    The Users page appears.

  5. Select each of the following users, and then click Delete to remove them:

    • LDORAN

    • LPOPP

    Do not remove sec_admin because you will need this account for later tutorials in this guide.

  6. Exit Database Control.

Enforcing Row-Level Security with Oracle Label Security

Oracle Label Security (OLS) provides row-level security for your database tables. You can accomplish this by assigning one or more security labels that define the level of security you want for the data rows of the table.

This section contains:

About Oracle Label Security

You use Oracle Label Security to secure your database tables at the row level, and assign these rows different levels of security based on the needs of your site. For example, rows that contain highly sensitive data can be assigned a label entitled HIGHLY SENSITIVE; rows that are less sensitive can be labeled as SENSITIVE, and so on. Rows that all users can have access to can be labeled PUBLIC. You can create as many labels as you need, to fit your site's security requirements.

After you create and assign the labels, you can use Oracle Label Security to assign specific users authorization for specific rows, based on these labels. Afterward, Oracle Label Security automatically compares the label of the data row with the security clearance of the user to determine whether the user is allowed access to the data in the row.

An Oracle Label Security policy has the following components:

  • Labels. Labels for data and users, along with authorizations for users and program units, govern access to specified protected objects. Labels are composed of the following:

    • Levels. Levels indicate the type of sensitivity that you want to assign to the row, for example, SENSITIVE or HIGHLY SENSITIVE.

    • Compartments. (Optional) Data can have the same level (Public, Confidential and Secret), but can belong to different projects inside a company, for example ACME Merger and IT Security. Compartments represent the projects in this example, that help define more precise access controls. They are most often used in government environments.

    • Groups. (Optional) Groups identify organizations owning or accessing the data, for example, UK, US, Asia, Europe. Groups are used both in commercial and government environments, and frequently used in place of compartments due to their flexibility.

  • Policy. A policy is a name associated with these labels, rules, and authorizations.

You can create Oracle Label Security labels and policies in Database Control, or you can create them using the SA_SYSDBA, SA_COMPONENTS, and SA_LABEL_ADMIN PL/SQL packages. For information about using the PL/SQL packages, see Oracle Label Security Administrator's Guide. This guide explains how to create Oracle Label Security labels and policies by using Database Control.

For example, assume that a user has the SELECT privilege on an application table. As illustrated in the following figure, when the user runs a SELECT statement, Oracle Label Security evaluates each row selected to determine whether the user can access it. The decision is based on the privileges and access labels assigned to the user by the security administrator. You can also configure Oracle Label Security to perform security checks on UPDATE, DELETE, and INSERT statements.

Description of olsag008.gif follows
Description of the illustration olsag008.gif

Guidelines for Planning an Oracle Label Security Policy

Before you create an Oracle Label Security policy, you must determine where and how to apply the labels to the application schema.

To determine where and how to apply Oracle Label Security policies for application data, follow these guidelines: 

  1. Analyze the application schema. Identify the tables that require an Oracle Label Security policy. In most cases, only a small number of the application tables will require an Oracle Label Security policy. For example, tables that store lookup values or constants usually do not need to be protected with a security policy. However, tables that contain sensitive data, such as patient medical histories or employee salaries, do.

  2. Analyze the use of data levels. After you identify the candidate tables, evaluate the data in the tables to determine the level of security for the table. Someone who has broad familiarity with business operations can provide valuable assistance with this stage of the analysis.

    Data levels refer to the sensitivity of the data. PUBLIC, SENSITIVE, and HIGHLY SENSITIVE are examples of data levels. You should also consider future sensitivities. Doing so creates a robust set of label definitions.

    Remember that if a data record is assigned a sensitivity label whose level component is lower than the clearance of the user, then a user attempting to read the record is granted access to that row.

  3. Analyze the use of data compartments. Data compartments are used primarily in government environments. If your application is a commercial application, in most cases, you will not create data compartments.

  4. Analyze the data groups. Data groups and data compartments are typically used to control access to data by organization, region, or data ownership. For example, if the application is a sales application, access to the sales data can be controlled by country or region.

    When a data record is assigned a sensitivity label with compartments and groups, a user attempting to read the record must have a user clearance that contains a level that is equal to or greater than the level of the data label, all of its compartments, and at least one of the groups in the sensitivity label. Because groups are hierarchical, a user could have the parent of one of the groups in the sensitivity label assigned to the data label and still be able to access that record.

  5. Analyze the user population. Separate the users into one or more designated user types. For example, a user might be designated as a typical user, privileged user, or administrative user. After you create these categories of users, compare the categories with the data levels you created in Step 2. They must correspond correctly for each table identified during the schema analysis you performed in Step 1. Then, compare the organizational structure of the user population with the data groups that you identified in Step 4.

  6. Examine the highly privileged and administrative users to determine which Oracle Label Security authorizations should be assigned to the user. Oracle Label Security has several special authorizations that can be assigned to users. In general, typical users do not require any special authorizations. See Oracle Label Security Administrator's Guide for a complete list of these authorizations.

  7. Review and document the data you gathered. This step is crucial for continuity across the enterprise, and the resulting document should become part of the enterprise security policy. For example, this document should contain a list of protected application tables and corresponding justifications.

Tutorial: Applying Security Labels to the HR.LOCATIONS Table

This tutorial demonstrates the general concepts of using Oracle Label Security. In it, you will apply security labels to the HR.LOCATIONS table. Three users, sking, kpartner, and ldoran will have access to specific rows within this table, based on the cities listed in the LOCATIONS table.

With Oracle Label Security, you restrict user access to data by focusing on row data, and designing different levels of access based on the sensitivity of your data. If you must restrict user access by focusing on user privileges, or some other method such as the job title that the user in your organization has, you can create a PL/SQL function or procedure to use with a Virtual Private Database policy. See "Controlling Data Access with Oracle Virtual Private Database" for more information.

The schema for HR.LOCATIONS is as follows:

Name                                      Null?    Type
----------------------------------------- -------- -------------
LOCATION_ID                               NOT NULL NUMBER(4)
STREET_ADDRESS                                     VARCHAR2(40)
POSTAL_CODE                                        VARCHAR2(12)
CITY                                      NOT NULL VARCHAR2(30)
STATE_PROVINCE                                     VARCHAR2(25)
COUNTRY_ID                                         CHAR(2)

You will apply the following labels:

LabelPrivileges
CONFIDENTIALRead access to the cities Munich, Oxford, and Roma
SENSITIVERead access to the cities Beijing, Tokyo, and Singapore
PUBLICRead access to all other cities listed in HR.LOCATIONS

In this tutorial:

Step 1: Register Oracle Label Security and Enable the LBACSYS Account

In a default Oracle Database installation, Oracle Label Security is installed. However, you must register Oracle Label Security and then enable the default Oracle Label Security account, which is called LBACSYS.

Registering Oracle Label Security with Oracle Database

After you complete the installation, you must register Oracle Label Security with Oracle Database. You can check if Oracle Label Security is already registered by entering the following SELECT statement in SQL*Plus. The PARAMETER column is case sensitive, so use the case shown here.

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';

If the output is TRUE, then Oracle Label Security has been registered. Go to "Enabling the Default Oracle Label Security User Account LBACSYS". If it is FALSE, then register Oracle Label Security.

To register Oracle Label Security with Oracle Database: 

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name

    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Enable Oracle Label Security as follows:

    • UNIX: Run the following commands:

      $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk lbac_on ioracle

    • Windows: In the ORACLE_BASE\ORACLE_HOME\bin directory, rename the oralbacll.dll.dbl file to oralbacll.dll.

  3. Restart the database and listener. (Do not restart the Database Control console process yet.)

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the listener.

      <p>For example:

      sqlplus sys as sysoper
Enter password: password

SQL> STARTUP
SQL> EXIT

$ lsnrctl start [listener_name]

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name

    • Windows: Restart the database and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. Start Database Configuration Assistant.

    • UNIX: Enter the following command at a terminal window:

      dbca

      Typically, dbca is in the $ORACLE_HOME/bin directory.

    • Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.

      Alternatively, you can start Database Configuration Assistant at a command prompt:

      dbca

      As with UNIX, typically, dbca is in the ORACLE_BASE\ORACLE_HOME\bin directory.

  5. In the Welcome page, click Next.

    The Operations page appears.

  6. Select Configure Database Options, and then click Next.

    The Database page appears.

  7. From the list, select the database where you installed Oracle Database and then enter the name and password of a user who has been granted the DBA role (for example, user SYS). Click Next.

    The Database Content page appears.

    Database Content page of DBCA
    Description of the illustration ols_config.gif

  8. Select Oracle Label Security and then click Next.

    The Connection Mode page appears.

  9. Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.

    Database Configuration Assistant registers Oracle Label Security, and then restarts the database instance.

  10. Exit Database Configuration Assistant.

  11. Restart the Database Control console process.

    • UNIX: Run the following command:

      $ emctl start dbconsole

    • Windows: Restart the Database Control console process (for example, OracleDBConsoleorcl if the database is named orcl) from the Services tool in the Control Panel.

Enabling the Default Oracle Label Security User Account LBACSYS

The Oracle Label Security installation process creates a default user account, LBACSYS, who manages the Oracle Label Security features. An administrator can create a user who has the same privileges as this user, that is, EXECUTE privileges on the SA_SYSDBA, SA_COMPONENTS, and SA_LABEL_ADMIN PL/SQL packages. By default, LBACYS is created as a locked account with its password expired. Your next step is to unlock LBACYS and create a new password. Because user LBACSYS is using Database Control to create the Oracle Label Security policy, you must grant the SELECT ANY DICTIONARY privilege to LBACSYS.

To enable the LBACSYS user account:  

  1. Log in to Database Control as the user SYS with the SYSDBA privilege.

  2. Click Server to display the Server subpage.

  3. Under Security, select Users.

    The Users page appears.

  4. Select the LBACSYS user, and in the View User page, click Edit.

    The Edit User page appears.

  5. Next to Status, select Unlocked.

  6. In the Enter Password and Confirm Password fields, enter a secure password, according to the guidelines in "Requirements for Creating Passwords".

    For greater security, do not reuse the same password that was used in previous releases of Oracle Database.

  7. Click Roles to display the Edit User: LBACSYS page.

  8. Click Edit List.

    The Modify Roles page appears.

  9. In the Available Roles list, select the SELECT_CATALOG_ROLE role and then then click Move to move it to the Selected Roles list. Then click OK to return to the Edit User page.

  10. Click System Privileges.

  11. Click Edit List.

    The Modify System Privileges page appears.

  12. In the Available System Privileges list, select SELECT ANY DICTIONARY, and then click Move to move it to the Selected System Privileges list. Then click OK to return to the Edit User page.

  13. Select Object Privileges.

  14. In the Select Object Type list, select Package and then click Add.

  15. In the Add Package Object Privileges page, do the following:

    1. Under Select Package Objects, select the flashlight icon to display the Select Package Objects window.

    2. Set the Schema to LBACSYS.

    3. Enter % in the Search Package Name field and then click Go.

    4. Select all the package objects listed, for both pages of listed objects.

    5. Click Select to return to the Add Package Object Privileges window.

    6. Under Available Privileges, move the EXECUTE privilege to the Selected Privileges list.

    7. Click OK.

  16. Click OK to return to the Edit User page, and then click Apply to apply the changes.

Step 2: Create a Role and Three Users for the Oracle Label Security Tutorial

You are ready to create a role and three users, and then grant these users the role.

Creating a Role

The emp_role role provides the necessary privileges for the three users you will create.

To create the role emp_role: 

  1. Connect to Database Control as user SYSTEM.

  2. From the Database Home page, click Server to display the Server subpage.

  3. In the Security section, click Roles.

    The Roles page appears.

  4. Click Create.

    The Create Role page appears.

  5. In the Name field, enter EMP_ROLE and leave Authentication set to None.

  6. Select the Object Privileges subpage.

  7. From the Select Object Type list, select Table, and then click Add.

    The Add Table Object Privileges page appears.

  8. Under Select Table Objects, enter HR.LOCATIONS to select the LOCATIONS table in the HR schema, and then under Available Privileges, move SELECT to the Selected Privileges list.

  9. Click OK to return to the Create Role page, and then click OK to return to the Roles page.

Creating the Users

The three users you create will have different levels of access to the HR.LOCATIONS table, depending on their position. Steven King (sking) is the advertising president, so he has full read access to the HR.LOCATIONS table. Karen Partners (kpartner) is a sales manager who has less access, and Louise Doran (ldoran) is a sales representative who has the least access.

To create the users: 

  1. Ensure that you are logged in to Database Control as SYSTEM.

    If you are not already logged in as SYSTEM, then select Logout, and then select Login. In the Login page, enter SYSTEM and the password assigned to that account. Set Connect As to Normal. Select Login to log in.

    If you are logged in as SYSTEM, click the Database Instance link to display the home page.

  2. Click Server to display the Server subpage.

  3. In the Security section, click Users.

    The Users page appears.

  4. Click Create.

    The Create User page appears.

  5. Enter the following information:

    • Name: SKING

    • Profile: DEFAULT

    • Authentication: Password

    • Enter Password and Confirm Password: Enter a password that meets the requirements in "Requirements for Creating Passwords".

    • Default Tablespace: USERS

    • Temporary Tablespace: TEMP

    • Status: Set to Unlocked.

    • Roles: Select the Roles subpage, and then grant the emp_role role to sking by selecting Edit List. From the Available Roles list, select emp_role, and then click Move to move it to the Selected Roles list. Click OK. In the Create User page, ensure that the Default box is selected for both the CONNECT and emp_role roles.

    • System Privileges: Select the System Privileges subpage and then click Edit List to grant the CREATE SESSION privileges. Do not grant sking the ADMIN OPTION option.

  6. Click OK to return to the Create User page, and then from there, click OK to return to the Users page.

  7. In the Users page, select SKING, set Actions to Create Like, and then click Go.

    The Create User page appears.

  8. Create accounts for kpartner and ldoran.

    Create their names and passwords. (See "Requirements for Creating Passwords".) You do not need to grant roles or system privileges to them. Their roles and system privileges, defined in the sking account, are automatically created.

At this stage, you have created three users who have identical privileges. All of these users have the SELECT privilege on the HR.LOCATIONS table, through the EMP_ROLE role.

Step 3: Create the ACCESS_LOCATIONS Oracle Label Security Policy

Next, you are ready to create the ACCESS_LOCATIONS policy.

To create the ACCESS_LOCATIONS policy: 

  1. Log in to Database Control as user LBACSYS.

    Select Logout, and then select Login. In the Login page, log in as user LBACSYS. Set Connect As to Normal. Select Login to log in.

  2. Click Server to display the Server subpage.

  3. In the Security section, click Oracle Label Security.

    The Label Security Policies page appears.

  4. Click Create.

  5. In the Create Label Security Policy page, enter the following information:

    • Name: ACCESS_LOCATIONS

    • Label Column: OLS_COLUMN

      Later on, when you apply the policy to a table, the label column is added to that table. By default, the data type of the policy label column is NUMBER(10).

    • Hide Label Column: Deselect this box so that the label column will not be hidden. (It should be deselected by default.)

      Usually, the label column is hidden, but during the development phase, you may want to have it visible so that you can check it. After the policy is created and working, hide this column so that it is transparent to applications. Many applications are designed not to show an another column, so hiding the column prevents the application from breaking.

    • Enabled: Select this box to enable the policy. (It should be enabled by default.)

    • Inverse user's read and write groups (INVERSE_GROUP): Do not select this option.

    • Default Policy Enforcement Options: Select Apply Policy Enforcements, and then select the following options:

      For all queries (READ_CONTROL)

      To use session's default label for label column update (LABEL_DEFAULT)

  6. Click OK.

    The ACCESS_LOCATIONS policy appears in the Label Security Policies page.

    Description of ols_new_policy.gif follows
    Description of the illustration ols_new_policy.gif

Step 4: Define the ACCESS_LOCATIONS Policy-Level Components

At this stage, you have the policy and have set enforcement options for it. Next, you are ready to create label components for the policy.

At a minimum, you must create one or more levels, such as PUBLIC or SENSITIVE; and define a long name, a short name, and a number indicating the sensitivity level. Compartments and groups are optional.

The level numbers indicate the level of sensitivity needed for their corresponding labels. Select a numeric range that can be expanded later on, in case your security policy needs more levels. For example, to create the additional levels LOW_SENSITIVITY and HIGH_SENSITIVITY, you can assign them numbers 7300 (for LOW_SENSITIVITY) and 7600 (for HIGH_SENSITIVITY), so that they fit in the scale of security your policy creates. Generally, the higher the number, the more sensitive the data.

Compartments identify areas that describe the sensitivity of the labeled data, providing a finer level of granularity within a level. Compartments are optional.

Groups identify organizations owning or accessing the data. Groups are useful for the controlled dissemination of data and for timely reaction to organizational change. Groups are optional.

In this step, you define the level components, which reflect the names and relationships of the SENSITIVE, CONFIDENTIAL, and PUBLIC labels that you must create for the ACCESS_LOCATIONS policy.

To define the label components for the ACCESS_LOCATIONS policy:  

  1. In the Label Security policies page, select the ACCESS_LOCATIONS policy, and then select Edit.

    The Edit Label Security Policy page appears.

  2. Select the Label Components subpage.

  3. Under Levels, click Add 5 Rows, and then enter a long name, short name, and a numeric tag as follows. (To move from one field to the next, press the Tab key.)


    		Long NameShort NameNumeric Tag

    		SENSITIVESENS3000

    		CONFIDENTIALCONF2000

    		PUBLICPUB1000

  4. Click Apply.

Step 5: Create the ACCESS_LOCATIONS Policy Data Labels

In this step, you create data labels for the policy you created in Step 4: Define the ACCESS_LOCATIONS Policy-Level Components. To create the data label, you must assign a numeric tag to each level. Later on, the tag number will be stored in the security column when you apply the policy to a table. It has nothing to do with the sensitivity of the label; it is only used to identify the labels for the policy.

To create the data labels: 

  1. Return to the Label Security policies page by selecting the Label Security Policies link.

  2. Select the selection button for the ACCESS_LOCATIONS policy.

  3. In the Actions list, select Data Labels, and then click Go.

    The Data Labels page appears.

  4. Click Add.

    The Create Data Label page appears.

  5. Enter the following information:

  6. Click OK.

    The data label appears in the Data Labels page.

  7. Click Add again, and then create a data label for the CONF label as follows:

    • Numeric Tag: Enter 2000.

    • Level: Select CONF from the list.

  8. Click OK.

  9. Click Add again, and then create a data label for the SENS label as follows:

    • Numeric Tag: Enter 3000.

    • Level: Select SENS from the list.

  10. Click OK.

    At this stage, the CONF, PUB, and SENS labels appear in the Data Labels page.

    Description of ols_dlabel2.gif follows
    Description of the illustration ols_dlabel2.gif

    Later, the tag number will be stored in the security column when you apply the policy to the HR.LOCATIONS table. It has nothing to do with the sensitivity of the label; it is only used to identify the labels for the policy.

Step 6: Create the ACCESS_LOCATIONS Policy User Authorizations

Next, you are ready to create user authorizations for the policy.

To create user authorizations for the policy:  

  1. Return to the Label Security policies page by selecting the Label Security Policies link.

  2. Select the selection button for the ACCESS_LOCATIONS policy.

  3. In the Actions list, select Authorization, and then click Go.

    The Authorization page appears.

  4. Click Add Users.

    The Add User: Users page appears.

  5. Under Database Users, click Add.

    The Search and Select: Userpage appears. Enter SKING, and then click Go.

    Typically, a database user account already has been created in the database, for example, by using the CREATE USER SQL statement.

    The other option is Non Database Users. Most application users are considered nondatabase users. A nondatabase user does not exist in the database. This can be any user name that meets the Oracle Label Security naming standards and can fit into the VARCHAR2(30) length field. However, be aware that Oracle Database does not automatically configure the associated security information for the nondatabase user when the application connects to the database. In this case, the application must call an Oracle Label Security function to assume the label authorizations of the specified user who is not a database user.

  6. Select the check box for user SKING, and then click Select.

    The Create User page lists user SKING.

    Description of ols_auth_user.gif follows
    Description of the illustration ols_auth_user.gif

  7. Select the check box for user SKING and then click Next.

    (You may need to refresh the page to display user SKING's check box.)

  8. In the Labels, Compartments and Groups page, enter the following settings:

    • Maximum Level: SENS (for SENSITIVE)

    • Minimum Level: CONF (for CONFIDENTIAL)

    • Default Level: SENS

    • Row Level: SENS

  9. Click Next to go to the Privileges page.

  10. In the Privileges page, select Next to move to the Audit page.

    Oracle Label Security enforces the policy through the label authorizations. The Privileges page enables the user to override the policy label authorization, so do not select any of its options.

  11. In the Audit pane of the Add Users: Audit page, ensure that all of the audit operations are set to None, and then click Next.

    The Review page appears.

    Description of ols_auth.gif follows
    Description of the illustration ols_auth.gif

  12. Ensure that the settings are correct, and then click Finish.

    The Review page lists all the authorization settings you have selected.

  13. Repeat Step 4 through Step 12 to create the following authorizations for user KPARTNER, so that she can read confidential and public data in HR.LOCATIONS.

    • Labels, Compartments And Groups: Set all four levels to the following:

      • Maximum Level: CONF (for CONFIDENTIAL)

      • Minimum Level: PUB (for PUBLIC)

      • Default Level: CONF

      • Row Level: CONF

    • Privileges: Select no privileges.

    • Audit: Set all to None.

  14. Create the following authorizations for user LDORAN, who is only allowed to read public data from HR.LOCATIONS:

    • Labels, Compartments And Groups: Set all four levels to PUB.

    • Privileges: Select no privileges.

    • Audit: Set all to None.

Step 7: Apply the ACCESS_LOCATIONS Policy to the HR.LOCATIONS Table

Next, you are ready to apply the policy to the HR.LOCATIONS table.

To apply the ACCESS_LOCATIONS policy to the HR.LOCATIONS table: 

  1. Return to the Label Security policies page by selecting the Label Security Policies link.

  2. Select the selection button for the ACCESS_LOCATIONS policy.

  3. In the Actions list, select Apply, and then click Go.

    The Apply page appears.

  4. Click Create.

    The Add Table page appears.

  5. In the Table field, enter HR.LOCATIONS.

  6. Ensure that the Hide Policy Column box is not selected.

  7. Ensure that the Enabled box is selected.

  8. Under Policy Enforcement Options, select Use Default Policy Enforcement.

    The default policy enforcement options for ACCESS_LOCATIONS are:

    • For all queries (READ_CONTROL)

    • Use session's default label for label column update (LABEL_DEFAULT)

  9. Click OK.

    The ACCESS_LOCATIONS policy is applied to the HR.LOCATIONS table.

    Description of ols_apply.gif follows
    Description of the illustration ols_apply.gif

Step 8: Add the ACCESS_LOCATIONS Labels to the HR.LOCATIONS Data

After you have applied the ACCESS_LOCATIONS policy to the HR.LOCATIONS table, you must apply the labels of the policy to the OLS_COLUMN in LOCATIONS. For the user HR (the owner of that table) to accomplish this, the user must have FULL access to locations before being able to add the data labels to the hidden OLS_COLUMN column in LOCATIONS.

Granting HR FULL Policy Privilege for the HR.LOCATIONS Table

The label security administrative user, LBACSYS, can grant HR the necessary privilege.

To grant HR FULL access to the ACCESS_LOCATIONS policy: 

  1. Return to the Label Security policies page by selecting the Label Security Policies link.

  2. Select the selection button for the ACCESS_LOCATIONS policy.

  3. Select Authorization from the Actions list, and then click Go.

    The Authorization page appears.

  4. Click Add Users.

    The Add Users page appears.

  5. Under Database Users, click Add.

    The Search and Select window appears.

  6. Select the box for user HR, and then click Select.

    The Create User page lists user HR.

  7. Click Next to display the Add Users: Levels, Compartments and Groups page, and then click Next again to display the Privileges page.

  8. Select the Bypass all Label Security checks (FULL) privilege, and then click Next.

    The Audit page appears.

  9. Click Next.

    The Review page appears.

  10. Click Finish.

    At this stage, HR is listed in the Authorization page with the other users.

    Description of ols_hr_added.gif follows
    Description of the illustration ols_hr_added.gif

  11. Exit Database Control.

Updating the OLS_COLUMN Table in HR.LOCATIONS

The user HR now can update the OLS_COLUMN column in the HR.LOCATIONS table to include data labels that will be assigned to specific rows in the table, based on the cities listed in the CITY column.

To update the OLS_COLUMN table in HR.LOCATIONS: 

  1. In SQL*Plus, connect as user HR.

    CONNECT HR
Enter password: password

    If you cannot log in as HR because this account locked and expired, log in as SYSTEM and then enter the following statement. Replace password with an appropriate password for the HR account. For greater security, do not reuse the same password that was used in previous releases of Oracle Database. See "Requirements for Creating Passwords".

    ALTER USER HR ACCOUNT UNLOCK IDENTIFIED BY password

    After you complete this ALTER USER statement, try logging in as user HR again.

  2. Enter the following UPDATE statement to apply the SENS label to the cities Beijing, Tokyo, and Singapore:

    UPDATE LOCATIONS
SET ols_column = CHAR_TO_LABEL('ACCESS_LOCATIONS','SENS')
WHERE UPPER(city) IN ('BEIJING', 'TOKYO', 'SINGAPORE');

  3. Enter the following UPDATE statement to apply the CONF label to the cities Munich, Oxford, and Roma:

    UPDATE LOCATIONS
SET ols_column = CHAR_TO_LABEL('ACCESS_LOCATIONS','CONF')
WHERE UPPER(city) IN ('MUNICH', 'OXFORD', 'ROMA');

  4. Enter the following UPDATE statement to apply the PUB label to the remaining cities:

    UPDATE LOCATIONS
SET ols_column = CHAR_TO_LABEL('ACCESS_LOCATIONS','PUB')
WHERE ols_column IS NULL;

  5. To check that the columns were updated, enter the following statement:

    SELECT LABEL_TO_CHAR (OLS_COLUMN) FROM LOCATIONS;

    The following output should appear:

    LABEL_TO_CHAR(OLS_COLUMN)
-----------------------------------------------------------------------------
CONF
PUB
SENS
PUB
PUB
PUB
PUB
PUB
PUB
PUB
SENS
 
LABEL_TO_CHAR(OLS_COLUMN)
-----------------------------------------------------------------------------
PUB
PUB
SENS
PUB
CONF
PUB
CONF
PUB
PUB
PUB
PUB
 
LABEL_TO_CHAR(OLS_COLUMN)
-----------------------------------------------------------------------------
PUB
 
23 rows selected.

    Note:

    Using the label column name (OLS_COLUMN) explicitly in the preceding query enables you to see the label column, even if it was hidden.

    If the label column is hidden, and you do not specify the label column name explicitly, then the label column is not displayed in the query results. For example, using the SELECT * FROM LOCATIONS query does not show the label column if it is hidden. This feature enables the label column to remain transparent to applications. An application that was designed before the label column was added does not know about the label column and will never see it.


Step 9: Test the ACCESS_LOCATIONS Policy

The ACCESS_LOCATIONS policy is complete and ready to be tested. You can test it by logging in to SQL*Plus as each of the three users and performing a SELECT on the HR.LOCATIONS table.

To test the ACCESS_LOCATIONS policy: 

  1. In SQL*Plus, connect as user sking.

    CONNECT sking
Enter password: password

  2. Enter the following:

    The following commands format the width of the table columns so that you can read them easier. You only need to perform this step once for the entire session (including when kpartner and ldoran log in.)

    COL city HEADING City FORMAT a25
COL country_id HEADING Country FORMAT a11
COL Label format a10

    Now enter the SELECT statement as follows:

    SELECT city, country_id, LABEL_TO_CHAR (OLS_COLUMN)
   AS Label FROM hr.locations ORDER BY ols_column;

    User sking is able to access all 23 rows of the HR.LOCATIONS table. Even though he is only authorized to access rows that are labeled CONF and SENS, he can still read (but not write to) rows labeled PUB.

    City                      Country     LABEL
------------------------- ----------- ----------
Venice                    IT          PUB
Utrecht                   NL          PUB
Bern                      CH          PUB
Geneva                    CH          PUB
Sao Paulo                 BR          PUB
Stretford                 UK          PUB
Mexico City               MX          PUB
Hiroshima                 JP          PUB
Southlake                 US          PUB
South San Francisco       US          PUB
South Brunswick           US          PUB
Seattle                   US          PUB
Toronto                   CA          PUB
Whitehorse                CA          PUB
Bombay                    IN          PUB
Sydney                    AU          PUB
London                    UK          PUB
Oxford                    UK          CONF
Munich                    DE          CONF
Roma                      IT          CONF
Singapore                 SG          SENS
Tokyo                     JP          SENS
Beijing                   CN          SENS

23 rows selected.

  3. Repeat Steps 1 and 2 for users kpartner and ldoran.

    User KPARTNER can access the rows labeled CONF and PUB:

    City                      Country     LABEL
------------------------- ----------- ----------
Venice                    IT          PUB
Utrecht                   NL          PUB
Bern                      CH          PUB
Mexico City               MX          PUB
Hiroshima                 JP          PUB
Southlake                 US          PUB
South San Francisco       US          PUB
South Brunswick           US          PUB
Seattle                   US          PUB
Toronto                   CA          PUB
Whitehorse                CA          PUB
Bombay                    IN          PUB
Sydney                    AU          PUB
London                    UK          PUB
Stretford                 UK          PUB
Sao Paulo                 BR          PUB
Geneva                    CH          PUB
Oxford                    UK          CONF
Munich                    DE          CONF
Roma                      IT          CONF
 
20 rows selected.

    User LDORAN can access the rows labeled PUB:

    City                      Country     LABEL
------------------------- ----------- ----------
Venice                    IT          PUB
Hiroshima                 JP          PUB
Southlake                 US          PUB
South San Francisco       US          PUB
South Brunswick           US          PUB
Seattle                   US          PUB
Toronto                   CA          PUB
Whitehorse                CA          PUB
Bombay                    IN          PUB
Sydney                    AU          PUB
London                    UK          PUB
Stretford                 UK          PUB
Sao Paulo                 BR          PUB
Geneva                    CH          PUB
Bern                      CH          PUB
Utrecht                   NL          PUB
Mexico City               MX          PUB
 
17 rows selected.

  4. Exit SQL*Plus.

Step 10: Optionally, Remove the Components for This Tutorial

Remove the components that you created for this tutorial.

To remove the components for this tutorial: 

  1. In Database Control, connect as user SYSTEM.

  2. Click Server to display the Server subpage.

  3. In the Security section, click Users.

  4. Select user kpartner, and then click Delete.

  5. In the Confirmation page, click Yes.

  6. Repeat Step 4 and Step 5 for users ldoran and sking.

  7. Click the Database Instance link to return to the Database home page.

  8. Click Server to display the Server subpage.

  9. In the Security section, click Roles.

  10. Select the role emp_role, and then click Delete.

  11. In the Confirmation dialog box, click Yes.

  12. Log out of Database Control, and then log back in as LABCSYS.

  13. Click Server to display the Server subpage.

  14. In the Security section, click Oracle Label Security.

  15. In the Label Security Policies page, select the ACCESS_LOCATIONS policy and then click Delete. In the Confirmation page, select the Drop column check box and then click Yes.

    Deleting the ACCESS_LOCATIONS policy also drops the OLS_COLUMN column from the HR.LOCATIONS table.

  16. Log out of Database Control.

  17. Optionally, remove Oracle Label Security.

    See Oracle Label Security Administrator's Guide for information about removing Oracle Label Security.s

Controlling Administrator Access with Oracle Database Vault

Oracle Database Vault enables you to restrict administrative access to an Oracle database. This helps you address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.

About Oracle Database Vault

Typically, the main job of an Oracle database administrator is to perform tasks such database tuning, installing upgrades, monitoring the state of the database, and then remedying any problems that he or she finds. In a default Oracle Database installation, database administrators also have the ability to create users and access user data. For greater security, you should restrict these activities only to those users who must perform them. This is called separation of duty, and it frees the database administrator to focus on tasks ideally suited to his or her expertise, such as performance tuning.

By restricting administrator access to your Oracle databases, Oracle Database Vault helps you to follow common regulatory compliance requirements, such as the Payment Card Industry (PCI) Data Security Standard (DSS) requirements, Sarbanes-Oxley (SOX) Act, European Union (EU) Privacy Directive, and Healthcare Insurance Portability and Accountability Act (HIPAA). These regulations require strong internal controls on access, disclosure or modification of sensitive information that could lead to fraud, identity theft, financial irregularities and financial penalties.

Oracle Database Vault provides the following ways for you to restrict administrator access to an Oracle database:

  • Group database schemas, objects, and roles that you want to secure. This grouping is called a realm, and all the components of the realm are protected. After you, the Database Vault administrator, create a realm, you designate a user to manage access to the realm. For example, you can create a realm around one table within a schema, or around the entire schema itself.

  • Create PL/SQL expressions to customize your database restrictions. You create an expression in a rule, and for multiple rules within one category, you can group the rules into a rule set. To enforce the rules within the rule set, you then associate the rule set with a realm or command rule. For example, if you wanted to prevent access to a database during a maintenance period (for example, from 10 to 12 p.m.), you can create a rule to restrict access only during those hours.

  • Designate specific PL/SQL statements that are accessible or not accessible to users. These are called command rules. A command rule contains a command to be protected and a rule set that determines whether the execution of the command is permitted. You can create a command rule to protect SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements that affect one or more database objects. You can associate a rule set to further customize the command rule.

  • Define attributes to record data such as session users or IP addresses that Oracle Database Vault can recognize and secure. These attributes are called factors. You can use factors for activities such as authorizing database accounts to connect to the database or creating filtering logic to restrict the visibility and manageability of data. To further customize the factor, you can associate a rule set with it.

  • Design secure application roles that are enabled only by Oracle Database Vault rules. After you create the secure application role in Oracle Database Vault, you associate a rule set with it. The rule set defines when and how the secure application role is enabled or disabled.

You can create these components by using either Oracle Database Vault Administrator, or by using its PL/SQL packages.

Tutorial: Controlling Administrator Access to the OE Schema

The OE schema has several tables that contain confidential data, such as the credit limits allowed for customers and other information. Order Entry tables typically contain sensitive information, such as credit card or Social Security numbers. This type of information must be restricted only to individuals whose job requires access to this information, according to Payment Card Industry (PCI) Data Security Standards (DSS).

In this tutorial, you create a realm around the OE schema, which will protect it from administrator access. However, user SCOTT needs access to the OE.CUSTOMERS table, so you must ensure that he can continue to access this data.

In this tutorial:

Step 1: Enable Oracle Database Vault

Oracle Database Vault is installed when you perform a default installation of Oracle Database. After you install it, you must register Oracle Database Vault with Oracle Database and then enable the Oracle Database Vault Account Manager user account.

Checking if Oracle Database Vault Is Enabled

You can check if Oracle Database Vault is enabled by logging in to SQL*Plus and entering the following SELECT statement. The PARAMETER column is case sensitive, so use the case shown here.

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If it returns TRUE, then Oracle Database Vault is registered. Go to "Enabling Database Access Control for the Database Vault Account Manager Account". Otherwise, complete the registration process described in the next section.

Registering Oracle Database Vault with Oracle Database

In the registration process, Oracle Database Vault is enabled and you are prompted to create its administrative accounts.

To register Oracle Database Vault: 

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name

    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Enable Oracle Database Vault as follows:

    • UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.

      $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle

    • Windows: In the ORACLE_BASE\ORACLE_HOME\bin directory, rename the oradvll.dll.dbl file to oradvll.dll. If Oracle Label Security has not been enabled, then change the name of the oralbacll.dll.dbl file to oralbacll.dll. You must enable Oracle Label Security before you can use Database Vault.

  3. Restart the database and listener. (Do not restart the Database Control console process yet.)

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> STARTUP
SQL> EXIT

$ lsnrctl start [listener_name]

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name

    • Windows: Restart the database and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. Start Database Configuration Assistant.

    • UNIX: Enter the following command at a terminal window:

      dbca

      Typically, dbca is in the $ORACLE_HOME/bin directory.

    • Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.

      Alternatively, you can start Database Configuration Assistant at a command prompt:

      dbca

      As with UNIX, typically, dbca is in the ORACLE_BASE\ORACLE_HOME\bin directory.

  5. In the Welcome page, click Next.

    The Operations page appears.

  6. Select Configure Database Options, and then click Next.

    The Database page appears.

  7. From the list, select the database where you installed Oracle Database and then enter the name and password of a user who has been granted the DBA role. Click Next.

    The Database Content page appears.

  8. Perform one of the following actions:

    • If Oracle Label Security is already enabled: Select the Oracle Database Vault option, and then click Next.

    • If Oracle Label Security is not enabled: Select the Oracle Label Security option so that the Oracle Database Vault option becomes available for selection. Select the Oracle Database Vault option as well, and then click Next.

    The Oracle Database Vault Credentials page appears.

  9. Specify the name and password for the Database Vault Owner account (for example, DBVOWNER) and the Database Vault Account Manager (for example, DBVACCTMGR).

    Enter any password that is secure, according to the password guidelines described in "Requirements for Creating Passwords". Oracle Database Vault has additional password requirements, which are displayed if you try to create an incorrect password.

  10. Click Next.

    The Connection Mode page appears.

  11. Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.

    Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.

  12. Exit Database Configuration Assistant.

  13. Restart the Database Control console process.

    • UNIX: Run the following command:

      $ emctl start dbconsole

    • Windows: Restart the Database Control console process (for example, OracleDBConsoleorcl if the database is named orcl) from the Services tool in the Control Panel.

Enabling Database Access Control for the Database Vault Account Manager Account

The Database Vault Account Manager account must have additional privileges to use Database Control.

To grant the necessary privileges to the Database Vault Account Manager account: 

  1. Log in to Database Control as the user SYS.

    In the Login page, enter SYS and the password assigned to SYS. Set Connect As to SYSDBA. Select Login to log in. See Oracle Database 2 Day DBA for instructions about how to start Database Control.

  2. Click Server to display the Server subpage.

  3. Under Security, select Users.

    The Users page appears.

  4. Select the Database Vault Account Manager account (for example, DBVACCTMGR).

    To quickly find DBVACCTMGR, enter DBV in the Object Name field, and then click Go.

  5. Select the DBVACCTMGR user, and in the View User page, click Edit.

    The Edit User page appears.

  6. Click Roles to display the Edit User: DBVACCTMGR page.

  7. Click Edit List.

    The Modify Roles page appears.

  8. In the Available Roles list, select the SELECT_CATALOG_ROLE role and then then click Move to move it to the Selected Roles list. Then click OK to return to the Edit User page.

  9. Click System Privileges.

  10. Click Edit List.

    The Modify System Privileges page appears.

  11. In the Available System Privileges list, select SELECT ANY DICTIONARY, and then click Move to move it to the Selected System Privileges list. Then click OK.

  12. Click Apply.

Step 2: Grant the SELECT Privilege on the OE.CUSTOMERS Table to User SCOTT

To test the tutorial later on, user SCOTT must select from the OE.CUSTOMERS table. First, you should ensure that he SCOTT account is active.

To enable user SCOTT: 

  1. In Database Control, connect as the Oracle Database Vault Account Manager account with the Normal privilege.

    After you install Oracle Database Vault, you no longer can use the administrative accounts (such as SYS and SYSTEM) to create or enable user accounts. This is because right out of the box, Oracle Database Vault provides separation-of-duty principles to administrative accounts. From now on, to manage user accounts, you must use the Oracle Database Vault Account Manager account.

    However, administrative users still have the privileges they do need. For example, user SYS, who owns system privileges and many PL/SQL packages, can still grant privileges on these to other users. However, user SYS can no longer create, modify, or drop user accounts.

  2. Click Server to display the Server subpage.

  3. Under Security, select Users.

    The Users page appears.

  4. Select the SCOTT user, and in the View User page, click Edit.

    The Edit User page appears.

  5. Enter the following settings:

    • Enter Password and Confirm Password: If the SCOTT account password status is expired, then enter a new password. Enter any password that is secure, according to the password guidelines described in "Requirements for Creating Passwords".

    • Status: Click Unlocked.

  6. Click Apply.

  7. Click Logout.

To grant user SCOTT the SELECT privilege on the OE.CUSTOMERS table: 

  1. Log in to SQL*Plus as user OE.

    sqlplus oe
Enter password: password
Connected.

  2. Grant user SCOTT the SELECT privilege on the OE.CUSTOMERS table.

    SQL> GRANT SELECT ON CUSTOMERS TO SCOTT;

Step 3: Select from the OE.CUSTOMERS Table as Users SYS and SCOTT

At this stage, both users SYS and SCOTT can select from the OE.CUSTOMERS table, because SYS has administrative privileges and because SCOTT has an explicit SELECT privilege granted by user OE.

To select from OE.CUSTOMERS as users SYS and SCOTT: 

  1. In SQL*Plus, connect as user SYS using the SYSDBA privilege

    sqlplus sys as sysdba
Enter password: password

  2. Select from the OE.CUSTOMERS table as follows:

    SELECT COUNT(*) FROM OE.CUSTOMERS;

    The following output should appear

    COUNT(*)
--------
     319

  3. Connect as user SCOTT, and then perform the same SELECT statement.

    CONNECT SCOTT
Enter password: password
Connected.

SELECT COUNT(*) FROM OE.CUSTOMERS;

    The following output should appear:

    COUNT(*)
--------
     319

Step 4: Create a Realm to Protect the OE.CUSTOMERS Table

To restrict the OE.CUSTOMER table from administrative access, you will create a realm around the OE schema.

To create a realm around the OE schema: 

  1. Start Oracle Database Vault Administrator.

    In a browser, enter the following URL:

    https://host_name:port/dva

    Replace host_name with the name of the server on which you installed Oracle Database Vault, and port with the Oracle Enterprise Manager Console HTTPS port number. In most cases, the name of the server and port number are the same as those used by Database Control.

    If you cannot start Database Vault Administrator, you may need to manually deploy it. See Oracle Database Vault Administrator's Guide for more information.

  2. In the Login to Database page, enter the following information:

    • User Name: Enter the name of the DV_OWNER or DV_ADMIN account (for example, DBVOWNER).

    • Password: Enter the password of the user whose name you entered.

    • Host: Enter the host name or IP address of the computer where you installed Oracle Database Vault, for example, myserver.us.example.com.

    • Port: Enter the port number for the database, for example, 1521.

    • SID/Service: Enter either the SID (for example, orcl) of the database, or the service (for example, myserver.us.example.com).

    The Database Instance Administration page appears.

  3. Under Database Vault Feature Administration, select Realms.

    The Realms page appears.

  4. Click Create.

    The Create Realm page appears.

  5. Enter the following information:

    • Name: OE Protections

    • Description: Realm to protect the OE schema

    • Status: Click Enabled.

    • Audit Options: Select Audit on Failure.

  6. Click OK.

    The Realms page appears, with the OE schema listed as a realm. However, it has no protected objects or authorized users yet.

    Realms page in DVA
    Description of the illustration dv_realm.gif

  7. Select the OE Protections realm and then click Edit.

    The Edit Realm page appears.

  8. Under Realm Secured Objects, click Create.

    The Create Realm Secured Object page appears.

  9. From the Object Owner list, select OE.

  10. From the Object Type list, select TABLE.

  11. In the Object Name field, enter % to specify all tables within the OE schema, and then click OK.

    The Edit Realm page appears.

  12. Under Realm Authorizations, click Create.

    The Create Realm Authorization page appears.

  13. From the Grantee list, select OE [USER], and then set the Authorization Type to Owner. Then set Authorization Rule Set to <Non Selected>.

    This authorizes the OE user to manage access to the objects within the OE schema. As an Owner, the OE user can grant or revoke realm-secured database roles, and access, manipulate, and create objects protected by the OE Protections realm.

    The Authorization Rule Set list enables to you select a rule that further controls access, such as the time the realm is in effect, and so on.

  14. Click OK to return to the Edit Realm page, and then click OK again to return to the Realms page.

  15. Do not exit Oracle Database Vault Administrator.

Step 5: Test the OE Protections Realm

Now that you have created a realm to protect the OE schema, you are ready to test it. You do not need to restart the database session, because any protections you define in Oracle Database Vault take effect right away.

To test the OE Protections realm: 

  1. Connect to SQL*Plus as user SYS using the SYSDBA privilege.

    CONNECT SYS/AS SYSDBA
Enter password: password
Connected.

  2. Try selecting from the OE.CUSTOMERS table.

    SELECT COUNT(*) FROM OE.CUSTOMERS;

    The following output should appear:

    ERROR at line 1:
ORA-01031: insufficient privileges

    The OE Protections realm prevents the administrative user from accessing the OE.CUSTOMERS table. Because you defined the OE Protections realm to protect the entire schema, the administrative user does not have access to any of the other tables in OE, either.

  3. Connect as user SCOTT.

    CONNECT SCOTT
Enter password: password
Connected.

  4. Try selecting from the OE.CUSTOMERS table.

    SELECT COUNT(*) FROM OE.CUSTOMERS;

    The following output should appear:

      COUNT(*)
----------
       319

    The OE Protections realm does not apply to user SCOTT because user OE has explicitly granted this user the SELECT privilege on the OE.CUSTOMERS table. Oracle Database Vault sets up the protections you need, but does not override the explicit privileges you have defined. SCOTT still can query this table.

Step 6: Optionally, Remove the Components for This Tutorial

After completing this tutorial, you can remove the data structures that you used if you no longer need them.

To revoke the SELECT privilege on OE.CUSTOMERS from user SCOTT: 

  1. In SQL*Plus, connect as user OE.

    CONNECT OE
Enter password: password
Connected.

  2. Revoke the SELECT privilege from user SCOTT.

    REVOKE SELECT ON CUSTOMERS FROM SCOTT;

To drop the OE Protections realm: 

  1. If you have logged out of Oracle Database Vault Administrator, log back in as the Database Vault Owner account that you created when you installed Oracle Database Vault (for example, DBVOWNER).

    See Step 1 in "Step 4: Create a Realm to Protect the OE.CUSTOMERS Table" for how to start Database Vault Administrator.

    The Administration page appears.

  2. Under Database Vault Feature Administration, click Realms.

    The Realms page appears.

  3. Select OE Protections from the list of realms, and then click Remove. Then click Yes in the Confirmation page.

  4. Log out of Oracle Database Vault Administrator.

To disable Oracle Database Vault: 

PK,PK =Aoa,mimetypePK=A>JQL:iTunesMetadata.plistPK=AYuMETA-INF/container.xmlPK=Ar%OEBPS/tdpsg_user_accounts.htmPK=AH>hOEBPS/tdpsg_auditing.htmPK=A[pTOOEBPS/cover.htmPK=Anh)l$lOEBPS/tdpsg_install_config.htmPK=A@s!++KOEBPS/tdpsg_intro.htmPK=Awgb`wOEBPS/title.htmPK=ASN!!OEBPS/preface.htmPK=AckOEBPS/index.htmPK=A|  }OEBPS/img/netmgr_profile.gifPK=AE=OEBPS/img/netmgr_encrypt.gifPK=A ϙooJOEBPS/img/ols_config.gifPK=A+ܡ0OEBPS/img/ols_dlabel2.gifPK=A^k$5MM?"OEBPS/img/ols_auth.gifPK=A>pOEBPS/img/login.gifPK=AGOEBPS/img/netmgr_adv_sec.gifPK=AחXOEBPS/img/olsag008.gifPK=AuGWV'OEBPS/img/dv_realm.gifPK=A@TOoOEBPS/img/ols_dlabel.gifPK=A[ OEBPS/img/ols_hr_added.gifPK=A_ ( -OEBPS/img/ols_apply.gifPK=As!P=K=ACOEBPS/img/ols_new_policy.gifPK=A82ddۀOEBPS/img/encrypt_cols.gifPK=A{_4OEBPS/img/ols_auth_user.gifPK=A[_#up!OEBPS/img_text/netmgr_adv_sec.htmPK=AOEBPS/img_text/ols_auth.htmPK=AC&LfaOEBPS/img_text/login.htmPK=A3S!S OEBPS/img_text/netmgr_profile.htmPK=A? OEBPS/img_text/ols_config.htmPK=Aۂ†!0OEBPS/img_text/ols_new_policy.htmPK=AvCOEBPS/img_text/ols_dlabel2.htmPK=AKOEBPS/img_text/ols_dlabel.htmPK=A"Yq>9F OEBPS/img_text/ols_hr_added.htmPK=AҜ#OEBPS/img_text/encrypt_cols.htmPK=A r8+OEBPS/img_text/olsag008.htmPK=A悔p/OEBPS/img_text/ols_apply.htmPK=A?T<.)!3OEBPS/img_text/netmgr_encrypt.htmPK=A17OEBPS/img_text/dv_realm.htmPK=A9 hIOEBPS/img_text/ols_auth_user.htmPK=AUÌ TMOEBPS/toc.ncxPK=A((XOEBPS/content.opfPK=A_ TOEBPS/dcommon/prodbig.gifPK=AY@ OEBPS/dcommon/doclib.gifPK=A5&g!gOEBPS/dcommon/oracle-logo.jpgPK=AoOEBPS/dcommon/contbig.gifPK=AZOEBPS/dcommon/darbbook.cssPK=AMά""!OEBPS/dcommon/O_signature_clr.JPGPK=APz OEBPS/dcommon/feedbck2.gifPK=A-*OEBPS/dcommon/feedback.gifPK=Aː5?"OEBPS/dcommon/booklist.gifPK=AN61#OEBPS/dcommon/cpyr.htmPK=A!:3.6OEBPS/dcommon/masterix.gifPK=AeӺ1,7OEBPS/dcommon/doccd.cssPK=A7  :OEBPS/dcommon/larrow.gifPK=A#4<OEBPS/dcommon/indxicon.gifPK=AS'">OEBPS/dcommon/leftnav.gifPK=Ahu, @OEBPS/dcommon/uarrow.gifPK=Al-OJ(COEBPS/dcommon/oracle.gifPK=A(KOEBPS/dcommon/index.gifPK=AGC MOEBPS/dcommon/bookbig.gifPK=AJV^#WOEBPS/dcommon/rarrow.gifPK=A枰pk>YOEBPS/dcommon/mix.gifPK=Ao"nR M [OEBPS/dcommon/doccd_epub.jsPK=Av I fOEBPS/dcommon/toc.gifPK=A r~$gOEBPS/dcommon/topnav.gifPK=A1FACiOEBPS/dcommon/prodicon.gifPK=A3( # lOEBPS/dcommon/bp_layout.cssPK=Ax[?:BzOEBPS/dcommon/bookicon.gifPK=Ap*c^OEBPS/dcommon/conticon.gifPK=AʍtOEBPS/dcommon/blafdoc.cssPK=A+&sOEBPS/dcommon/rightnav.gifPK=Aje88OEBPS/dcommon/oracle-small.JPGPK=Aއ{&!'OEBPS/dcommon/help.gifPK=AKd7>> OEBPS/toc.htmPK=AW. OEBPS/lot.htmPK=AmvvOEBPS/tdpsg_network_secure.htmPK=Ai I?OEBPS/tdpsg_privileges.htmPK=A,tF OEBPS/tdpsg_securing_data.htmPKPP