This appendix describes options, or additional features, that are available for Amazon RDS instances running the Oracle database engine. To enable these options, you can add them to an option group, and then associate the option group with your DB instance. For more information about working with options, see Things You Should Know About Option Groups.
The following options are currently supported for Oracle:
Oracle Enterprise Manager Database Control
Oracle XML DB
Oracle Application Express
Oracle Native Network Encryption (a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition)
Oracle Transparent Data Encryption (a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition)
Some of these options may require additional memory in order to run on your DB instance. For example, Oracle Enterprise Manager Database Control uses about 300 MB of RAM; if you enable this option for a small DB instance, you might encounter performance problems due to memory constraints.
Before you enable these options, please consider whether your DB instance has enough available memory. You can adjust the Oracle parameters so that the database requires less RAM; alternatively, you can scale up to a larger DB instance.
Oracle Enterprise Manager (OEM) Database Control is a web-based interface for Oracle database administration.
The default port number for OEM Database Control is 1158; you can accept this port number, or choose a different one, when you enable the OEM Database Control option for your DB Instance. You can then go to your web browser and begin using OEM Database Control.
The following example shows how to access OEM Database Control from your web browser. Suppose that the endpoint for your Amazon RDS instance is mydb.f9rbfa893tft.us-east-1.rds.amazonaws.com, and that you specified port 1158. The URL to access OEM Database Control would be:
The OEM Database Control login window appears, prompting you for a username and password. Enter the master username and master password for your DB instance. You can now manage your database using the OEM Database Control console.
Oracle XML DB adds native XML support to your DB instance. With the Amazon RDS XMLDB option, DB instances running the Oracle engine can store and retrieve structured or unstructured XML, in addition to relational data.
After you apply the XMLDB option to your DB instance, you have full access to the Oracle XML DB repository; no post-installation tasks are required.
The Amazon RDS XMLDB option does not provide support for the Oracle XML DB Protocol Server.
Oracle Application Express (APEX) is a development and runtime environment for web-based applications. Using APEX, developers can build applications entirely within the web browser, and customers can run these applications without installing any additional software.
Amazon RDS supports Oracle APEX version 4.1.1.
Oracle APEX consists of two main components:
A repository that stores the metadata for APEX applications and components. The repository consists of tables, indexes, and other objects that are installed in your Amazon RDS DB instance.
A listener that manages HTTP communications with APEX clients. The listener accepts incoming connections from web browsers and forwards them to the Amazon RDS instance for processing, and then sends results from the repository back to the browsers.
When you add the APEX option for your Oracle DB instance, Amazon RDS installs the APEX repository only. You must install the listener on a separate host — an Amazon EC2 instance, an on-premises server at your company, or your desktop computer.
The following sections explain how to configure the Oracle APEX repository and listener for use with Amazon RDS.
To configure the APEX repository
Create a new Amazon RDS instance running the Oracle engine, or choose an existing instance. The version number for the Oracle engine must be 188.8.131.52.v4 or newer.
Create a new option group, or select an existing option group. Apply the following options to this option group:
(If you only want to deploy the APEX runtime environment, you can remove the APEX_DEV option at a later time. This option must be present during this configuration procedure, however.)
Apply the option group to your DB instance. Amazon RDS will install the repository components in your DB instance; this process takes a few minutes to complete.
After the option group is successfully applied, you will need to change the password for the APEX_PUBLIC_USER database account and unlock it. You can do this using the Oracle SQL*Plus command line utility: Connect to your DB instance as the master user and issue the following commands:
alter user APEX_PUBLIC_USER identified by newpass;
alter user APEX_PUBLIC_USER account unlock;
Replace newpass with a password of your choice.
You are now ready to configure a listener for use with Oracle APEX. You can use either of these products for this purpose:
Oracle Application Express Listener
Oracle HTTP Server and mod_plsql
Amazon RDS does not support the Oracle XML DB HTTP server with the embedded PL/SQL gateway; you cannot use this as an APEX listener. This restriction is in line with Oracle's recommendation against using the embedded PL/SQL gateway for applications that run on the Internet.
The listener must be installed on a separate host, such as an Amazon EC2 instance or a server that you own.
The following procedure shows how to configure the Oracle Application Express Listener product. We will assume that the name of your APEX host is myapexhost.example.com, and that this host is running Linux. We will also assume that this host has the following software installed:
Java Runtime Environment (JRE) — Oracle APEX Listener is a Java application.
Oracle Net Services, to enable the APEX listener to connect to your Amazon RDS instance.
SQL*Plus, to perform administrative tasks from the command line.
To configure an APEX listener
Log in to myapexhost.example.com as root.
We recommend that you create a nonprivileged OS user to own the APEX listener installation. The following command will create a new user named apexuser:
useradd -d /home/apexuser apexuser
Now assign a password to apexuser:
Log in to myapexhost.example.com as apexuser, and download the APEX and APEX Listener installation files from Oracle:
Open the APEX file:
Create a new directory and open the APEX Listener file:
mkdir /home/apexuser/apexlistener
cd /home/apexuser/apexlistener
unzip ../apex_listener.184.108.40.206.11.40.zip
While you are still in the apexlistener directory, run the APEX Listener program:
java -Dapex.home=./apex -Dapex.images=/home/apexuser/apex/images -Dapex.erase -jar ./apex.war
The program will prompt you for the following:
The APEX Listener Administrator username — the default is adminlistener
A password for the APEX Listener Administrator.
The APEX Listener Manager username — the default is managerlistener
A password for the APEX Listener Manager.
The program will print a URL that you will need in order to complete the configuration:
INFO: Please complete configuration at: http://localhost:8080/apex/listenerConfigure
Database is not yet configured
Leave the APEX Listener running. It needs to continue running in order for you to use Oracle Application Express. (When you have finished this configuration procedure, you can run the listener in the background.)
From your web browser, go to the URL provided by the APEX Listener program. The Oracle Application Express Listener administration window appears. Enter the following information:
Password — the password for APEX_PUBLIC_USER. (This is the password that you specified earlier, when you configured the APEX repository.)
Connection Type — Basic
Hostname — the endpoint of your Amazon RDS instance, such as mydb.f9rbfa893tft.us-east-1.rds.amazonaws.com
SID — the DB name of your Amazon RDS instance, such as mydb
Click the Apply button. The APEX administration window appears.
You will need to set a password for the APEX admin user. To do this, use SQL*Plus to connect to your DB instance as the master user and issue the following commands:
grant APEX_ADMINISTRATOR_ROLE to master;
@/home/apexuser/apex/apxchpwd.sql
Replace master with your master user name. Enter a new admin password when the apxchpwd.sql script prompts you.
Return to the APEX administration window in your browser and click Administration. Next, click Application Express Internal Administration. You will be prompted for APEX internal administration credentials. Enter the following information:
Password — the password you set using the apxchpwd.sql script.
Click Login. You will be required to set a new password for the admin user.
Oracle Application Express is now ready for use.
Amazon RDS supports Oracle native network encryption, a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. With native network encryption, you can encrypt data as it moves to and from a DB instance.
To use Oracle native network encryption with a DB instance, you add the NATIVE_NETWORK_ENCRYPTION option to an option group and associate that option group with the DB instance. You should first determine whether the DB instance is already associated with an option group that has the NATIVE_NETWORK_ENCRYPTION option. To view the option group that a DB instance is associated with, you can use the RDS console, the rds-describe-db-instance CLI command, or the API action DescribeDBInstances. Amazon RDS supports Oracle native network encryption for any DB instance class larger than db.t1.micro.
A detailed discussion of Oracle native network encryption is beyond the scope of this guide, but you should understand the strengths and weaknesses of each algorithm and key before you decide on a solution for your deployment. For information about the algorithms and keys that are available through Oracle Advanced Security, see Oracle Advanced Security in the Oracle documentation. For more information about AWS security, see Amazon Web Services: Overview of Security Processes.
The process for using Oracle native network encryption with Amazon RDS is as follows:
If the DB instance is not associated with an option group that has the network encryption option (NATIVE_NETWORK_ENCRYPTION), you must either modify an existing option group to add the NATIVE_NETWORK_ENCRYPTION option or create a new option group and add the NATIVE_NETWORK_ENCRYPTION option to it. For information about creating or modifying an option group, see Working with Option Groups. For information about adding an option to an option group, see Adding an Option to an Option Group.
Specify the NATIVE_NETWORK_ENCRYPTION option settings for the option group. For information about modifying option settings, see Modifying an Option Setting.
These settings include:
SQLNET.ENCRYPTION_SERVER – Specifies the encryption behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are (the default), and indicates that the DB instance does not require traffic from the client to be encrypted.
SQLNET.CRYPTO_CHECKSUM_SERVER – Specifies the data integrity behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are Requested (the default), and Requested indicates that the DB instance does not require the client to perform a checksum.
SQLNET.ENCRYPTION_TYPES_SERVER – Specifies a list of encryption algorithms used by the DB instance. The DB instance will use each algorithm, in order, to attempt to decrypt the client input until an algorithm succeeds or until the end of the list is reached. Amazon RDS uses the following default list from Oracle. You can change the order or limit the algorithms that the DB instance will accept.
RC4_256: RSA RC4 (256-bit key size)
AES256: AES (256-bit key size)
AES192: AES (192-bit key size)
3DES168: 3-key Triple-DES (168-bit effective key size)
RC4_128: RSA RC4 (128-bit key size)
AES128: AES (128-bit key size)
3DES112: 2-key Triple-DES (112-bit effective key size)
RC4_56: RSA RC4 (56-bit key size)
DES: Standard DES (56-bit key size)
RC4_40: RSA RC4 (40-bit key size)
DES40: DES40 (40-bit key size)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER – Specifies the checksum algorithm. The default is sha-1, but md5 is also supported.
List the options in the option group to ensure that you have added the NATIVE_NETWORK_ENCRYPTION option and specified the correct settings. You can view the options in an option group using the RDS console, the CLI command rds-describe-option-group-options, or the Amazon RDS API action DescribeOptionGroupOptions.
Associate the DB instance with the option group that has the NATIVE_NETWORK_ENCRYPTION option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine.
With Oracle native network encryption, you can also specify network encryption on the client side. On the client (the computer used to connect to the DB instance), you can use the sqlnet.ora file to specify the following client settings: SQLNET.CRYPTO_CHECKSUM_CLIENT, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, SQLNET.ENCRYPTION_CLIENT, and SQLNET.ENCRYPTION_TYPES_CLIENT. For information, see Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle documentation.
Sometimes, the DB instance will reject a connection request from an application, for example, if there is a mismatch between the encryption algorithms on the client and on the server.
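The following Python script is an added example; it is not part of the Amazon RDS documentation or of any AWS or Oracle tooling. It predicts, before a connection is attempted, how a given client sqlnet.ora will negotiate with the NATIVE_NETWORK_ENCRYPTION settings of an option group, and flags weak server-side settings. It assumes the option group is available as a dictionary in the shape of an RDS DescribeOptionGroups response (OptionGroupName, Options, OptionName, OptionSettings with Name and Value, algorithm lists comma-separated), that Oracle's four negotiation modes are ACCEPTED, REJECTED, REQUESTED and REQUIRED with the usual matrix (REJECTED on either side turns the service off, or fails the connection if the other side says REQUIRED; ACCEPTED on both sides turns it off; otherwise it is on and the two sides must share an algorithm), and that a client that sets nothing behaves as ACCEPTED and offers every algorithm. Both the option group and the client sqlnet.ora below are constructed sample data. The option_settings helper also answers the question asked later for TDE: whether a given option is present in the group at all.

```python
"""Predict Oracle native network encryption negotiation for an RDS DB instance.

Added example, not AWS or Oracle code. OPTION_GROUP is constructed in the
assumed shape of a DescribeOptionGroups response; CLIENT_SQLNET_ORA is a
constructed client sqlnet.ora. Negotiation follows the Oracle mode matrix as
this example understands it (see the lead-in text).
"""
import re

# Algorithms this audit treats as weak: RC4 in all sizes, single DES, the
# 40/56-bit export variants and 2-key 3DES. AES and 3-key 3DES are kept.
WEAK_ALGORITHMS = {"RC4_256", "RC4_128", "RC4_56", "RC4_40", "DES", "DES40", "3DES112"}

# Constructed option group: default RDS algorithm list, REQUESTED modes, MD5 checksum.
OPTION_GROUP = {
    "OptionGroupName": "oracle-nne-example",
    "Options": [{
        "OptionName": "NATIVE_NETWORK_ENCRYPTION",
        "OptionSettings": [
            {"Name": "SQLNET.ENCRYPTION_SERVER", "Value": "REQUESTED"},
            {"Name": "SQLNET.ENCRYPTION_TYPES_SERVER",
             "Value": "RC4_256,AES256,AES192,3DES168,RC4_128,AES128,3DES112,RC4_56,DES,RC4_40,DES40"},
            {"Name": "SQLNET.CRYPTO_CHECKSUM_SERVER", "Value": "REQUESTED"},
            {"Name": "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "Value": "MD5"},
        ],
    }],
}

# Constructed client sqlnet.ora: insists on AES encryption and SHA-1 integrity.
CLIENT_SQLNET_ORA = """
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
"""


def option_settings(group, option_name):
    """Return {setting: value} for one option in the group, or None if the option
    is absent (option_settings(group, "TDE") is None means no TDE option)."""
    for opt in group.get("Options", []):
        if opt["OptionName"] == option_name:
            return {s["Name"]: s["Value"] for s in opt.get("OptionSettings", [])}
    return None


def split_list(value):
    """Split a comma-separated setting value into upper-case names."""
    return [v.strip().upper() for v in value.split(",") if v.strip()]


def parse_sqlnet(text):
    """Parse KEY = VALUE and KEY = (A, B) lines of a sqlnet.ora into {KEY: [values]}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*\(?([^)]*)\)?$", line.strip())
        if m:
            out[m.group(1).upper()] = split_list(m.group(2))
    return out


def negotiate(server_mode, client_mode, server_algs, client_algs):
    """Apply the mode matrix, then pick the first server-listed algorithm the client
    also offers (the server tries its list in order). Returns (state, algorithm)
    with state "on", "off" or "fail"."""
    s, c = server_mode.upper(), client_mode.upper()
    if "REJECTED" in (s, c):
        return ("fail" if "REQUIRED" in (s, c) else "off"), None
    if s == "ACCEPTED" and c == "ACCEPTED":
        return "off", None
    for alg in server_algs:
        if alg in client_algs:
            return "on", alg
    return "fail", None  # both sides want the service but share no algorithm


def audit(group, client_text):
    """Predict encryption and integrity outcomes for this client against this
    option group, and list server-side hardening findings."""
    server = option_settings(group, "NATIVE_NETWORK_ENCRYPTION")
    if server is None:
        return {"option_present": False,
                "findings": ["NATIVE_NETWORK_ENCRYPTION is not in the option group"]}
    client = parse_sqlnet(client_text)
    server_enc = split_list(server["SQLNET.ENCRYPTION_TYPES_SERVER"])
    server_sum = split_list(server["SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"])
    # Assumed Oracle client defaults: mode ACCEPTED, every algorithm offered.
    enc_state, enc_alg = negotiate(
        server["SQLNET.ENCRYPTION_SERVER"],
        (client.get("SQLNET.ENCRYPTION_CLIENT") or ["ACCEPTED"])[0],
        server_enc, client.get("SQLNET.ENCRYPTION_TYPES_CLIENT", server_enc))
    sum_state, sum_alg = negotiate(
        server["SQLNET.CRYPTO_CHECKSUM_SERVER"],
        (client.get("SQLNET.CRYPTO_CHECKSUM_CLIENT") or ["ACCEPTED"])[0],
        server_sum, client.get("SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT", server_sum))
    findings = []
    weak = [a for a in server_enc if a in WEAK_ALGORITHMS]
    if weak:
        findings.append("weak algorithms accepted by the DB instance: " + ", ".join(weak))
    if server["SQLNET.ENCRYPTION_SERVER"].upper() != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED: plaintext clients are still accepted")
    if server["SQLNET.CRYPTO_CHECKSUM_SERVER"].upper() != "REQUIRED":
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not REQUIRED: unchecked clients are still accepted")
    if "MD5" in server_sum:
        findings.append("MD5 is enabled as a checksum type")
    return {"option_present": True, "encryption": enc_state, "encryption_algorithm": enc_alg,
            "integrity": sum_state, "integrity_algorithm": sum_alg, "findings": findings}
```

Run audit(OPTION_GROUP, CLIENT_SQLNET_ORA) to see the two outcomes the text warns about side by side: encryption negotiates to AES256 (the first entry in the server's ordered list that the client also offers), while integrity fails because the server only offers MD5 and the client only SHA1, which is exactly the kind of mismatch that makes the DB instance reject the connection. Calling audit(OPTION_GROUP, "") with an unconfigured client shows the other risk: negotiation succeeds, but with RC4_256, the first algorithm in the default list, so trimming SQLNET.ENCRYPTION_TYPES_SERVER matters as much as setting the mode.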
To test Oracle native network encryption, add the following lines to the sqlnet.ora file on the client:
DIAG_ADR_ENABLED=off
TRACE_DIRECTORY_CLIENT=/tmp
TRACE_FILE_CLIENT=nettrace
TRACE_LEVEL_CLIENT=16
These lines generate a trace file on the client called when the connection is attempted. The trace file contains information on the connection.
For more information about connection-related issues when you are using Oracle Native Network Encryption, see About Negotiating Encryption and Integrity in the Oracle documentation.
Amazon RDS supports Oracle Transparent Data Encryption (TDE), a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. This feature automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.
The TDE option is a permanent option that cannot be removed from an option group, and that option group cannot be removed from a DB instance once it is associated with a DB instance. You cannot disable TDE from a DB instance once that instance is associated with an option group with the Oracle TDE option.
Oracle Transparent Data Encryption is used in scenarios where you need to encrypt sensitive data in case data files and backups are obtained by a third party or when you need to address security-related regulatory compliance issues.
A detailed explanation about Oracle Transparent Data Encryption is beyond the scope of this guide. For information about using Oracle Transparent Data Encryption, see Securing Stored Data Using Transparent Data Encryption. For more information about Oracle Advanced Security, see Oracle Advanced Security in the Oracle documentation. For more information on AWS security, see Amazon Web Services: Overview of Security Processes.
Oracle Transparent Data Encryption supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption. For information about TDE best practices, see Oracle Advanced Security Transparent Data Encryption Best Practices.
You should determine if your DB instance is associated with an option group that has the TDE option. To view the option group that a DB instance is associated with, you can use the RDS console, the rds-describe-db-instance CLI command, or the API action DescribeDBInstances.
Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. To comply with several security standards, Amazon RDS is working to implement automatic periodic master key rotation.
The process for using Oracle Transparent Data Encryption (TDE) with Amazon RDS is as follows:
If the DB instance is not associated with an option group that has the TDE option enabled, you must either create an option group and add the TDE option or modify the associated option group to add the TDE option. For information about creating or modifying an option group, see Working with Option Groups. For information about adding an option to an option group, see Adding an Option to an Option Group.
Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine.
If you no longer want to use the TDE option with a DB instance, you must decrypt all your data on the DB instance, copy the data to a new DB instance that is not associated with an option group with TDE enabled, and then delete the original instance. You can rename the new instance to be the same name as the previous DB instance if you prefer.
You can use Oracle Data Pump to import or export encrypted dump files; however, Amazon RDS supports only the password encryption mode (ENCRYPTION_MODE=PASSWORD) for Oracle Data Pump. Amazon RDS does not support transparent encryption mode (ENCRYPTION_MODE=TRANSPARENT) for Oracle Data Pump. For more information about using Oracle Data Pump with Amazon RDS, see Oracle Data Pump.