Oracle is the world's most complete, open, and integrated business software and hardware systems company. For more than three decades, Oracle has been helping customers manage business systems and information with reliable, secure, and integrated technologies. Oracle continues to strive to connect all levels of enterprise technology to help customers access the knowledge they need to respond to market conditions with speed and agility. Oracle offers several applications that integrate effectively with SafeNet crypto management and authentication solutions to provide users with powerful data protection solutions.
Download the brochure: Secure Data-at-Rest in Oracle Cloud with Gemalto's SafeNet KeySecure and Data Protection Portfolio
500 Oracle Parkway, Redwood Shores, California 94065, United States (North Americas). Phone: (650) 506-7000
Oracle Exadata Database Transparent Data Encryption (TDE) secures data in Oracle’s optimized, high-performance Exadata platform, designed for organizations that handle extremely large quantities of data quickly. TDE enables organizations to encrypt sensitive data such as credit card numbers (in table columns or tablespaces) completely transparently to the application. Once encrypted, the data remains safe: if it is obtained by unauthorized parties, the clear text data cannot be accessed. In Exadata databases where TDE is configured, any user who has access to an encrypted table can see the data in clear text, because Oracle Exadata transparently decrypts the data for users who have the necessary privileges.
Exadata TDE uses a two-tier encryption key architecture consisting of:
• A master encryption key that is used to encrypt secondary keys used for column encryption and tablespace encryption.
• One or more table and/or tablespace keys. These keys are used to encrypt one or more specific columns or the keys used to encrypt tablespaces. There is only one table key regardless of the number of encrypted columns in a table and it is stored in the data dictionary. The tablespace key is stored in the header of each data file of the encrypted tablespace.
The table and tablespace keys are encrypted using the master key. The master key is stored in an External Security Module (ESM) that can be one of the following:
• An Oracle Wallet - a secure container outside of the database. It is encrypted with a password.
• A SafeNet KeySecure - a device used to secure keys and perform cryptographic operations. Oracle Exadata interfaces to the device using a PKCS#11 library supplied by Thales.
The SafeNet KeySecure provides a secure location for storing the Exadata TDE master encryption key. SafeNet PKCS#11 provides an industry-standard interface that enables the Oracle database to communicate with the SafeNet KeySecure.

Securing Database Data and Demonstrating Compliance on Oracle Exadata - Solution Brief
Oracle Advanced Security, an option to Oracle Database, helps address privacy and regulatory requirements. Oracle Advanced Security provides data encryption and strong authentication services to the Oracle database, safeguarding sensitive data against unauthorized access to the network, operating system or through theft of hardware or backup media.
The secure storage of master encryption keys is the foundation of any robust security solution. The integration of SafeNet Luna hardware security modules (HSMs) with Oracle Advanced Security transparent data encryption (TDE) allows the Oracle master encryption keys to be stored in the HSM, offering greater database security and centralized key management. The master encryption key never leaves the secure confines of the HSM. Oracle integrates with SafeNet Enterprise HSM to provide users with a powerful combined Gemalto and Oracle Database solution for database and file encryption.
The TDE master encryption key is part of a two-tiered key architecture that protects the encryption keys used to encrypt the data. The TDE master key can be stored with minimal security, in software only in an Oracle Wallet (a PKCS#12 formatted file), or in a highly secure and auditable format in the SafeNet Enterprise HSM. This two-tiered key architecture allows for easy re-keying and high performance.
Learn more about SafeNet Luna HSMs
Learn more about SafeNet Data Protection On Demand
Oracle Database 11g and 12C with SafeNet Luna HSMs Integration Guide
Oracle Database TDE with SafeNet PSE HSM Integration Guide
Oracle Key Vault Integration with SafeNet Luna Network HSM 7000
Oracle Access Manager provides the core functionality of sign on, authentication, authorization, centralized policy administration, agent management, and real-time session management and auditing for remote access. Built as a 100% Java solution, Access Manager provides rich functionality, extreme scalability and high availability thereby increasing security, improving user experience and productivity, and enhancing compliance while reducing total cost of ownership. SafeNet Trusted Access raises the identity assurance level of users with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be. SafeNet Trusted Access provides a cost-effective, innovative, unbeatable security solution that allows businesses to continue using their existing authentication systems.
Building on Thales’s award winning authentication service, SafeNet Trusted Access combines authentication and access management in a fully integrated cloud service. Our service lets you transform your business and operate securely in the cloud by preventing data breaches, simplifying access for users, and enabling compliance.
Our customers include over 25,000 organizations and 30 million users worldwide across all industries. Partnering with Thales for the long term, they trust our innovative access management and authentication services to help them securely adopt new ways of doing business on mobile, and in the cloud.
Resources & Additional Information
SafeNet Authentication Service (SAS) is now SafeNet Trusted Access (STA).
For STA SAML integrations, please refer to STA Application Catalog. For STA RADIUS integrations, please refer to STA RADIUS Integration guides page on Thales Customer Portal.
Oracle Enterprise Single Sign-on Provisioning Gateway (ESSO-PG) enables an administrator to use an automatic provisioning to add, modify, and delete IDs and passwords for identity and access management. SafeNet Enterprise HSM (formerly Luna SA) hardware security module (HSM) integrates with ESSO to provide the logical and physical protection of the keys used in SSL/TLS encryption. SafeNet Enterprise HSM is the choice for enterprises requiring strong cryptographic security for paper-to-digital initiatives, digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation, data encryption, and more.
Oracle GlassFish Server is a flexible, lightweight, and production-ready open-source Java EE application server for developing and deploying Java Platform Enterprise Edition (Java EE) applications and Java Web Services. GlassFish supports Enterprise JavaBeans, JPA, JavaServer Faces, JMS, RMI, JavaServer Pages, and servlets, so developers can more easily create enterprise applications that are portable, scalable, and compatible with legacy technologies.
SafeNet Enterprise and USB (formerly Luna SA and G5) HSMs integrate with Oracle GlassFish Server to provide significant performance improvements by off-loading cryptographic operations from the Server to the HSM. In addition, SafeNet HSMs help provide a secure server environment by protecting and managing the server’s high value SSL private key within a FIPS 140-2 certified hardware security module.
Resources and Additional Information:
Oracle Glass Fish Server and SafeNet HSM Integration Guide
Oracle HTTP Server (OHS) is the Web server component for Oracle Fusion Middleware. It provides an HTTP listener for Oracle WebLogic Server and the framework for hosting static pages, dynamic pages, and applications over the Web. OHS is designed to handle and terminate SSL connections so organizations can deliver content securely over encrypted tunnels.
SafeNet Enterprise (formerly Luna SA) HSMs integrate with Oracle HTTP Server to provide significant performance improvements by off-loading cryptographic operations from the Server to the HSM. In addition, SafeNet Enterprise HSMs help provide a secure server environment by protecting and managing the server’s high value SSL private key within a FIPS 140-2 certified hardware security module.
Oracle Internet Directory, the Web server component for Oracle Fusion Middleware, is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of an Oracle database. Enabling SSL in Oracle Internet Directory ensures that data has not been modified, deleted, or replayed during transmission.
SafeNet Enterprise HSMs integrate with the Oracle Internet Directory Server to provide significant performance improvements by off-loading cryptographic operations from the server to the HSM. The SafeNet Enterprise HSMs also provide the highest level of security assurance by protecting and managing the server’s high value SSL private key within a FIPS 140-2 Level 3-certified hardware security module.
With the SafeNet Enterprise HSM, Oracle Internet Directory Server users get the benefits of centralized secure storage and full lifecycle management of the private keys, improved server performance by offloading the cryptographic processing, and failover support.
Oracle iPlanet Web Server delivers a secure infrastructure for hosting different web technologies and medium and large business applications. iPlanet Web Server is ideal for enterprise deployments because it can handle high throughput requirements, reduce the security vulnerabilities while maximizing uptime, and lower operational and deployment costs for enterprises.
SafeNet Enterprise (formerly Luna SA) HSM integrates via the PKCS#11 standard with Oracle iPlanet Web Server to provide significant performance improvements by off-loading cryptographic operations from the Server to the HSM. In addition, SafeNet Enterprise HSMs help provide a secure server environment by protecting and managing the server’s high value SSL private key within a FIPS 140-2 certified hardware security module.
SafeNet Enterprise HSM Product Brief
SafeNet Enterprise HSM with Oracle iPlanet Web Server
Oracle Advanced Security supports authentication by using digital certificates over SSL in addition to the native encryption and data integrity capabilities of these protocols. By using Oracle SSL authentication to secure communications between clients and servers, organizations can use SSL to encrypt the connection between clients and servers, and authenticate any client or server, such as Oracle Application Server 10g, to any Oracle database server that is configured to communicate over SSL.
SafeNet Enterprise (formerly Luna SA) HSMs integrate with Oracle SSL Authentication to provide significant performance improvements by off-loading cryptographic operations from the server to the HSM. In addition, SafeNet Enterprise HSMs provide the highest assurance available by protecting and managing the server’s high value SSL private key within a FIPS 140-2 Level 3-certified hardware security module.
Oracle WebLogic Server with SafeNet Enterprise HSM Integration Guide
Oracle Secure Global Desktop is a secure remote access solution providing access to applications running on Microsoft Windows, Linux, Oracle Solaris and mainframe servers from a wide variety of popular client devices, including Windows PCs, Macs, Linux PCs, and tablets such as the Apple iPad and Android-based devices. Oracle Secure Global Desktop allows administrators the freedom to use a single solution to provide secure access to a variety of applications and desktop environments in the data center. SafeNet Trusted Access raises the identity assurance level of users accessing Global Desktop with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be.
Oracle Solaris is an enterprise UNIX operating system that provides high performance, scalability, and reliability. It is optimized to run Oracle hardware, databases, and middleware. For remote access, the Pluggable Authentication Module (PAM) framework lets businesses “plug in” new authentication services without changing system entry services. SafeNet Trusted Access raises the identity assurance level of users accessing Solaris with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be.
For programmers who work with the Java platform, there is a set of programming interfaces for performing cryptographic operations, collectively known as the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). Applications talk to APIs and the actual cryptographic operations are performed in configured providers.
The Sun PKCS#11 Provider does not implement cryptographic algorithms itself. Instead, it acts as a bridge between the Java JCA and JCE APIs and the native PKCS#11 cryptographic API, translating the calls and conventions between the two. This means that Java applications calling standard JCA and JCE APIs can, without modification, take advantage of algorithms offered by the underlying PKCS#11 implementations.
This enables developers to use cryptographic hardware, such as the SafeNet family of HSMs, within their Java applications. Applications which are already based on a pure software implementation of the JCE API can use SafeNet Enterprise HSM, or the PCI-E HSM (formerly Luna SA and PCI HSMs, respectively) with little or no change to their existing applications.
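The provider swap described above, as an added example (not code from Oracle or Thales): `signAndVerify` uses only standard JCA calls, and the single thing that changes between software and hardware is the `Provider` object handed to it. It assumes Java 9 or later for `Provider.configure`, a token that offers RSA key generation and SHA256withRSA, and a configuration file whose `name` and `library` values are placeholders; the class name is hypothetical.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderSwapDemo {
    // Application logic: standard JCA calls only, identical for software and PKCS#11 providers.
    static boolean signAndVerify(Provider p, byte[] msg) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // with a PKCS#11 provider the key is generated on the token
        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA", p);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        Provider p;
        if (args.length == 1) {
            // args[0]: SunPKCS11 configuration file, e.g. two lines (values are placeholders):
            //   name = ExampleToken
            //   library = /path/to/vendor/pkcs11-library.so
            p = Security.getProvider("SunPKCS11").configure(args[0]);
            Console console = System.console();
            if (console == null) throw new IllegalStateException("need a console to read the PIN");
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, console.readPassword("Token PIN: ")); // logs in to the token
        } else {
            p = Security.getProvider("SunRsaSign"); // JDK software provider for RSA
        }
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println(p.getName() + " sign/verify ok: " + signAndVerify(p, msg));
    }
}
```

Run without arguments it uses the JDK's software RSA provider; run with a configuration file path it performs the same calls against the token.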
Read the Sun PKCS#11 Provider Reference Guide
Oracle Sun PKCS#11 Provider and SafeNet HSM Integration Guide
October 2018: Release 12.2 Bundle Patch 1 introduced Hardware Security Module (HSM) integration with Oracle Key Vault, where the HSM acts as a “Root of Trust” by storing a top-level encryption key for Oracle Key Vault.
Learn more about SafeNet Luna HSMs
Oracle Key Vault SafeNet Luna HSM Integration Guide
Oracle Key Vault Integration with SafeNet Luna Network HSM 7000
Oracle Transparent Data Encryption (TDE) provides the infrastructure necessary for implementing encryption within the database. It enables organizations to encrypt sensitive application data such as credit card numbers (in table columns or tablespaces) on storage media, completely transparently to the application. It encrypts the data in the data files so that, if the files are obtained by other parties, the clear text data cannot be accessed. In databases where TDE is configured, any user who has access to an encrypted table can see the data in clear text, because Oracle transparently decrypts the data for any user who has the necessary privileges.
TDE uses a two-tier encryption key architecture consisting of:
• A master encryption key that is used to encrypt secondary keys used for column encryption and tablespace encryption.
• One or more table and/or tablespace keys. These keys are used to encrypt one or more specific columns or the keys used to encrypt tablespaces. There is only one table key regardless of the number of encrypted columns in a table and it is stored in the data dictionary. The tablespace key is stored in the header of each data file of the encrypted tablespace.
The table and tablespace keys are encrypted using the master key. The master key is stored in an External Security Module (ESM) that can be one of the following:
• An Oracle Wallet - a secure container outside of the database. It is encrypted with a password.
• A KeySecure - a device used to secure keys and perform cryptographic operations. Oracle interfaces to the device using a PKCS#11 library supplied by the KeySecure vendor.
The SafeNet KeySecure provides a secure location for storing the TDE master encryption key. SafeNet PKCS#11 provides an industry-standard interface that enables the Oracle database to communicate with the SafeNet KeySecure.
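The two-tier key architecture described here (and in the Exadata and Oracle Advanced Security sections above), as an added example that is not Oracle's or Thales's code: a master key wraps a table key, the table key encrypts the data, and a re-key replaces only the small wrapped key while the data ciphertext stays untouched. AES key wrap and AES-GCM are choices made for this example, not a statement of what TDE uses internally, and the in-memory master key stands in for one held in a wallet or HSM; the class name and sample value are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class TwoTierKeyDemo {
    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Tier 1 operation: the master key encrypts (wraps) a table key for storage.
    static byte[] wrap(SecretKey master, SecretKey tableKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, master);
        return c.wrap(tableKey);
    }

    static SecretKey unwrap(SecretKey master, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, master);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Tier 2 operation: the table key encrypts or decrypts the actual data.
    static byte[] crypt(int mode, SecretKey key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey master1 = newAesKey();               // stands in for the key held in the wallet or HSM
        byte[] storedKey = wrap(master1, newAesKey()); // only the wrapped table key is stored
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] sample = "4111-1111-1111-1111".getBytes(StandardCharsets.UTF_8); // constructed value
        byte[] column = crypt(Cipher.ENCRYPT_MODE, unwrap(master1, storedKey), iv, sample);

        // Re-key: a new master key re-wraps the table key; the column ciphertext is not touched.
        SecretKey master2 = newAesKey();
        storedKey = wrap(master2, unwrap(master1, storedKey));

        byte[] plain = crypt(Cipher.DECRYPT_MODE, unwrap(master2, storedKey), iv, column);
        System.out.println("data readable after re-key: " + Arrays.equals(plain, sample));
        try {
            unwrap(master1, storedKey);
            System.out.println("old master key still works (unexpected)");
        } catch (GeneralSecurityException e) {
            System.out.println("old master key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```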

Oracle Database TDE with SafeNet’s KeySecure Integration Guide
Securing Oracle Database Data and Demonstrating Compliance - Solution Brief
About Oracle Cloud
Oracle's complete, integrated approach makes it easy for companies to get started in the cloud and even easier to expand as business grows. With Oracle Cloud Platform, developers, IT professionals, and business leaders can develop, extend, connect, and secure cloud applications and share data. Companies use Oracle's infrastructure as a service (IaaS) to run any workload in the cloud, encompassing compute, storage, network, container services, migration tools and more. Oracle Cloud facilitates companies’ efforts to innovate faster, increase productivity, and lower costs. Whether on-premises or in the cloud, Oracle Cloud Platform offers the same set of capabilities to give organizations the flexibility and choice they need to optimize their operations.
Solution Overview
Gemalto’s SafeNet data encryption and key management solutions work in the Oracle Cloud to allow customers to deploy client-side encryption, centralized key management and tokenization to secure their cloud workloads. Data control is a fundamental concern for organizations moving to the cloud. With SafeNet data encryption and key management solutions, organizations can keep their data safe in the cloud while demonstrating their persistent control in compliance with their regulatory obligations.
The following are integrated Gemalto Applications / Products:
SafeNet KeySecure and SafeNet Virtual KeySecure centralize the management of encryption keys and policies used for the protection of sensitive data in virtualized and cloud environments.
SafeNet Data Protection portfolio, including: