Documentation

Oracle Database | Entitle

Suggest Edits

What is Oracle Database?

Oracle Database is a relational database management system (RDBMS) developed by Oracle Corporation. It enables organizations to store, manage, and retrieve data using SQL. The system provides features for maintaining data integrity, performing backups and recoveries, controlling access, and optimizing performance. Oracle Database can be deployed on-premises or in the cloud through Oracle Cloud Infrastructure (OCI).

How is this integration useful?

Integrating Oracle Database with Entitle automates access requests and approvals for database roles and privileges, reducing manual effort and improving operational efficiency. Enforcing least-privilege access within pluggable databases (PDBs) enhances security and simplifies compliance.

Entitle can only manage pluggable databases (PDBs), which are portable collections of schemas, schema objects, and non-schema objects that appear to an application as a separate database. The Container database (CDB) includes all the data files for the PDBs contained within it.

Entitle can manage the following resource types in pluggable databases (PDBs):

  • Databases
    • Roles
    • Administrative privileges
    • System privileges
  • Tables (for visibility only)

ℹ️

Entitle supports the creation of ephemeral (temporary) accounts for this integration, enabling more secure Just-In-Time (JIT) access.

Types of privileges in Oracle

  1. Administrative privileges — Administrative privileges are designed for commonly performed administrative tasks, such as backup and recovery operations. Oracle Database provides administrative privileges tailored to specific administrative tasks, such as the SYSKM administrative privilege for performing Transparent Data Encryption tasks.

    ℹ️

    • Administrative privileges are available only when connecting to an on-premises Oracle database
    • Only users who have the SYSDBA privilege will be able to manage administrative privileges.

  2. System privileges - enable users to perform actions on schema objects. Examples of system privileges are the ability to create and update tables or tablespaces.

  3. Roles - group several privileges and roles, so that they can be granted to and revoked from users simultaneously. You must enable the role for a user before the user can use it.

  4. Object privileges - each type of object has privileges associated with it. Objects are schema objects, such as tables or indexes.

    • Table privileges (for visibility only) - enable security at the DML (data manipulation language) or DDL (data definition language) level. DML operations are DELETE, INSERT, SELECT, and UPDATE operations on tables. DDL operations are ALTER, INDEX, and REFERENCES operations on tables and views.

  5. You can grant privileges to a user in two ways using Oracle Database:

    • Grant privilege to users explicitly - for example, you can explicitly grant user Smith the privilege to insert records into the employees table.
    • Grant privilege to a role (a named group of privileges), and then grant the role to one or more users - for example, you can grant the privileges to select, insert, update, and delete records from the employees table to the role named Clerk, which in turn you can grant to users Smith and Robert.

    ℹ️

    As roles allow for easier and better management of privileges, it is recommended to grant privileges to roles rather than to specific users.

Prerequisites

  • Install Entitle’s agent using the Agent installation guide.
  • Have an Oracle Database user with SYSDBA privilege for the integration with Entitle. If the user does not have this privilege, they must at least have a DBA (Database Administrator) role.
    • If a user has the SYSDBA privilege, this privilege will surely be used in Entitle.
    • Only users who have the SYSDBA privilege will be able to manage administrative privileges.

      🚧

      Important information

      In Oracle Database, the ability to grant the SYSDBA privilege to other users is restricted. Only users with the SYSDBA privilege themselves can grant it to others:

      1. SYS users.
      2. Users who have been granted the SYSDBA privilege.
      3. Optional: GRANT_ANY_PRIVILEGE privilege. If not, the user will not be able to manage access to administrative privileges.
  • Choose one of the two operation modes supported by Entitle for Oracle Database: Standard or Mutual TLS.

    ℹ️

    TLS (Transport Layer Security) is an updated and more secure version of SSL (Secure Socket Layer).

    1. Standard: This mode supports both tcp and tcps protocols:
      1. tcp: Standard communication using TCP over IP.
      2. tcps (default): Secure communication using TCP over IP with SSL (Secure Sockets Layer).
        If tcps is chosen, only the customer authenticates the server. The server provides its certificate, which the client validates to establish a secure connection.
    2. Mutual TLS: Both the client and server authenticate each other. Each party presents and validates its certificates before establishing a secure connection, offering more security due to bidirectional authentication.

      ℹ️

      In Mutual TLS operation mode, the protocol is always tcps.

  • Access to the following information in Oracle, depending on your selected mode of operation:
    Standard mode
    • Required
      • Username
      • Password
      • Host name
      • Service (database) name
    • Optional
      • Port name
      • Protocol
      • SSL server distinguished name (DN)
        Mutual TLS mode
    • Required
      • Username
      • Password
      • Host name
      • Service (database) name
      • Key decryption password
      • Private key
      • Certificate
    • Optional
      • Port name
      • Protocol
      • SSL server distinguished name (DN)

Connect to the Oracle Database

Connect to the database using an administrative user with SYSDBA privileges or the SYS user. This connection is typically established through SQL*Plus or another SQL client.

Create a user with SYSDBA privilege or DBA role

ℹ️

Skip this step if you already have a user with the required SYSDBA privilege or a DBA role.

  1. Use the CREATE USER statement to create a new user. Replace username and password with your desired values.

  2. Grant SYSDBA privilege (recommended) or DBA role to the user:

    1. To grant the SYSDBA privilege, use the GRANT SYSDBA TO statement:

    2. To grant a DBA role to the user, use the GRANT DBA TO statement:

  3. In the lower part of the screen, you will be able to see whether the user was created and if the privilege/role was granted.

  4. It is recommended to connect to the database using the new user account to verify that everything is functioning correctly.

Additional steps to set up Mutual TLS mode

The following steps are performed using the Oracle Cloud Infrastructure (OCI) Console.

Create a key decryption password

  1. Log in to the OCI Console with a user who has admin privileges on the database

  2. Click the left-side navigation menu and click Oracle Database > Autonomous Database.

  3. Select a database from the list.

  4. In the Autonomous database details page, click Database connection.

  5. In the Database connection page under the Download client credentials section, click Download wallet.

    ℹ️

    Under the Connection strings section, you can verify that the specific database's TLS authentication is indeed Mutual TLS, as needed for the integration with Entitle.

  6. In the Download wallet page, create and confirm a password. Click Download.

Create a private key

  1. Extract the contents of the ZIP folder, then open the ewallet.pem file from the extracted files.

  2. Copy the private key for the configuration later on.

  3. Run the appropriate command below (for Linux or Windows) to convert your private key into a single-line string with escaped newline characters. This is required because JSON strings do not support literal newline characters; they must be replaced with the ASCII character \n.

    For Linux devices: 

    sed 's/$/\\n/' <key_path> | tr -d '\n'

    ℹ️

    If the sed command fails to replace the newlines with \n, you must do it manually before implementing it in the Entitle configuration.

    For Windows devices: 

    (Get-Content private.key) -join '\n'

Create a certificate

  1. Locate the certificate and copy it from the same ewallet.pem file.

  2. Apply the same process used for the private key to convert the certificate into a single-line string with escaped newline characters.

Create the integration in Entitle

  1. Log in to Entitle and go to the Integrations page.
  2. Click Add Integration.
  3. In the Application field, enter Oracle Database.
  4. In the Save on dropdown, select Entitle cloud or your hosted agent.
  5. In the connection JSON, add the following information:

    Required fields for both modes:

    1. username: Insert your Oracle Database username.
    2. password: Insert your Oracle Database password.
    3. host: Insert your instance host.
    4. service_name: Insert your service (database) name.

      ℹ️

      Verify that the service name includes PDB and not CDB, as Entitle can manage only PDBs.

    Required fields for Mutual TLS mode:

    1. key_decryption_password: Insert the password you created in the Create a key decryption password step.
    2. private_key: Insert the private key content.

      ℹ️

      Remember to replace the newlines with \n.

    3. certificate: Insert the certificate content.

      ℹ️

      Remember to replace the newlines with \n.

    Optional fields for both modes:

    1. port: Insert your port number.

      ℹ️

      If not provided, it will be set by default to 1521.

    2. protocol: Specifies the communication method used between the client and the Oracle Database server.

      Reminders

      • In Standard operation mode, you can set the protocol to either tcp or tcps. If not specified, it defaults to tcps.
      • In Mutual TLS operation mode, the protocol is always tcps and does not need to be explicitly set in the configuration.
    3. ssl_server_dn_match: Controls whether the client verifies the Distinguished Name (DN) in the server’s SSL certificate against the expected value in the connect descriptor:
      • Set to true to enforce a match between the server's DN and the service name. The connection fails if they don’t match.
      • Set to false to allow a mismatch. The connection will succeed, but an error is logged in sqlnet.log.

        ℹ️

        If not provided, it will be set by default to true.

Example connection JSON

{
	"username": "<YOUR_USERNAME>",
	"password": "<YOUR_PASSWORD>",
	"host": "<WWW.EXAMPLE.COM>",
	"service_name": "<YOUR_SERVICE_NAME>",
	"port": "<PORT_NUMBER>" {optional},
  "protocol": "tcp" or "tcps" {optional},
  "ssl_server_dn_match": "true" or "false" {optional}
}

{
  "username": "<YOUR_USERNAME>",
  "password": "<YOUR_PASSWORD>",
  "host": "<WWW.EXAMPLE.COM>",
  "service_name": "<YOUR_SERVICE_NAME>" 
  "key_decryption_password": "<YOUR_KEY_PASSWORD>",
  "private_key": "<YOUR_PRIVATE_KEY>",
  "certificate": "<YOUR_CERTIFICATE>",
	"port": "<PORT_NUMBER>" {optional},
  "ssl_server_dn_match": "true" or "false" {optional}
}
  1. Click Save.

End-user experience

  1. Log in to Entitle and click New Request.

  2. Locate the Oracle Database application. Choose the resource and the role you would like to request access to. Click Next.

  1. Choose the duration of your request and click Next.

  2. Provide a reason for your request and click Review Request.

  3. Review your request’s details and adjust if needed. Click Submit request.

  4. Your request is submitted and will be added to the My pending requests section.

  5. Once approved, you will be granted access to the specific role.

What's next?

Make sure your setup is complete by testing your integration.

Updated 6 days ago