Securing Oracle Database with HashiCorp Vault Enterprise
Executive Summary
Oracle provides many security options within its database framework, but as organizations scale their infrastructure these options quickly become complicated and hard to manage. HashiCorp Vault provides a centralized way of managing database credentials and other secrets across a large environment. This paper shows how HashiCorp Vault can be installed and configured against a single Oracle database and then extended to multiple databases from a single interface.
Installation
This section installs HashiCorp Vault from the pre-compiled binary. For other installation methods, refer to the online documentation at https://www.vaultproject.io/docs/install.
Download the pre-compiled binary for the platform where HashiCorp Vault will run; in this case that is Oracle Enterprise Linux (x86-64).
- Download the HashiCorp Vault (Open Source) binary archive for the target platform from the HashiCorp download page.
- Unzip the archive into the directory from which HashiCorp Vault will run:

$ unzip vault_1.5.2_linux_amd64.zip -d {{ directory }}

- Add that directory to the $PATH environment variable so that HashiCorp Vault can be managed from the command line:

$ export PATH={{ directory }}:$PATH

- Verify the installation. The help command lists the commands and options HashiCorp Vault accepts:

$ vault -h
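The steps above as one script, with the integrity check a practitioner would want before running a downloaded binary. This is an added example, not part of the paper: it assumes the release zip and its companion checksum file (the name vault_1.5.2_SHA256SUMS is an assumption about the release layout) were downloaded into the same directory, and it refuses to unpack an archive whose SHA-256 digest does not match the listed one, so a tampered or truncated download is caught before the binary ever executes. It uses `vault version` rather than `vault -h` to confirm the binary runs, because `version` also records which build was installed.

```shell
#!/bin/sh
# install_vault.sh: verify and unpack a HashiCorp Vault release zip.
# Added example, not from the paper. The archive and checksum file names
# below are assumptions about the release layout; adjust for your version.

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum ZIP SUMSFILE: succeed only if SUMSFILE has an entry for
# ZIP's basename whose digest equals the one computed locally.
verify_checksum() {
  zip="$1"; sums="$2"
  name=$(basename "$zip")
  # SHA256SUMS lines look like "<hex digest>  <file name>"
  expected=$(awk -v f="$name" '$2 == f {print $1}' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$zip")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_vault ZIP SUMSFILE DIR: verify, unpack into DIR, confirm the
# binary runs, and print the PATH export the operator should apply.
install_vault() {
  zip="$1"; sums="$2"; dir="$3"
  verify_checksum "$zip" "$sums" || return 1
  mkdir -p "$dir" || return 1
  unzip -o -q "$zip" -d "$dir" || return 1
  chmod 0755 "$dir/vault" || return 1
  "$dir/vault" version || { echo "vault binary did not run" >&2; return 1; }
  echo "export PATH=$dir:\$PATH"
}

# Usage: sh install_vault.sh vault_1.5.2_linux_amd64.zip vault_1.5.2_SHA256SUMS /opt/vault
if [ "$#" -eq 3 ]; then
  install_vault "$1" "$2" "$3"
fi
```

The checksum file only proves the archive is the one HashiCorp published if the checksum file itself is trusted; HashiCorp also ships a detached signature for it, and verifying that signature with the HashiCorp release key is the step that closes the loop.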
Configure Oracle Database
To secure Oracle Database with HashiCorp Vault, a few things must be in place first. One of them is a dedicated database user that HashiCorp Vault will use to connect to the database; this paper refers to it as the "vault root" user.
The vault root user is created within the Oracle Pluggable Database (PDB). Example 1 shows what it should look like. It owns no database objects; its only job is to log in to the PDB and manage secrets for other users and service accounts. Note that Example 1 grants more than that job requires: RESOURCE, QUOTA UNLIMITED ON USERS and UNLIMITED TABLESPACE let the account create and store its own objects, and SELECT ANY TABLE and SELECT ANY DICTIONARY let it read tables in any schema and the data dictionary. Logging in needs CREATE SESSION, and changing another account's password needs ALTER USER; review the remaining grants against least privilege before using this account in production, and treat its password as a high-value secret, since anyone who obtains it can do everything the account can.
Example 1: Vault Root User Creation
-- Vault root user: logs in to the PDB and manages other accounts' credentials
CREATE USER VAULTADMIN
IDENTIFIED BY {{ Password }}
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
QUOTA UNLIMITED ON USERS
ACCOUNT UNLOCK;
GRANT CONNECT TO VAULTADMIN;               -- CONNECT role (log in)
GRANT RESOURCE TO VAULTADMIN;              -- RESOURCE role (create own schema objects)
GRANT CREATE SESSION TO VAULTADMIN;        -- log in to the PDB
GRANT SELECT ANY DICTIONARY TO VAULTADMIN; -- read data dictionary views
GRANT SELECT ANY TABLE TO VAULTADMIN;      -- read tables in any schema
GRANT UNLIMITED TABLESPACE TO VAULTADMIN;  -- store objects in any tablespace
GRANT ALTER USER TO VAULTADMIN;            -- change other accounts' passwords (rotation)
Note: HashiCorp Vault does not support the use of a common user (C##), preventing a user in the Container Database from being used. If container database support is needed, the SYS or SYSTEM user needs to be configured as…
Table of Contents
Executive Summary
Installation
Configure Oracle Database
Configure HashiCorp Vault
Start HashiCorp Vault
Initialize HashiCorp Vault
Open HashiCorp Vault
Providing a License Key
Oracle Plug-In for HashiCorp Vault
Pre-Requisites
Define a Plug-in Directory
Download the Oracle Plug-In
Registering the Oracle Plug-In
Find the SHASUM
Write to Vault
Validating the Plug-In
Adding Credentials
Connection
Get Password