views:

58

answers:

1

With respect to Oracle Database 11g transparent data encryption (TDE) with HSM, I understand that the following command is used to set the master encryption key. However, why does a user_Id have to be specified when the PKCS#11 library for the corresponding HSM only requires a PIN?

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user_Id:password"
A:
CK_DEFINE_FUNCTION(CK_RV, C_Login)(
                                       CK_SESSION_HANDLE hSession,
                                       CK_USER_TYPE userType,
                                       CK_UTF8CHAR_PTR pPin,
                                       CK_ULONG ulPinLen
                                   );

C_Login requires User Type as one of its inputs. Is that what you are asking about?

Instead, if it is a UserID, then the application will have provision for many users who will have various access privileges; these access privileges will be tied to the user. It's more like many user profiles in Windows, so that a few users will have less access and a few will have more access. This MAY be a reason.

Raj
So how does Oracle Database TDE pass on the user_id parameter to the HSM when the PKCS#11 library only provides a C_Login function with userType rather than user_id as one of its inputs? Does this mean that the "user_id:password" parameter is passed together as one single string through the pPin parameter of the C_Login function, or are there other functions not within the scope of the PKCS#11 library that the Oracle Database makes use of to pass the user_id parameter?
Lopper
I think Oracle will have defined their user profiles/IDs where PKCS#11's userType will be an attribute; so when you create a user profile based on the privileges defined, it would have allocated the userType for PKCS#11. My answer is just my thinking of how this must have been implemented. I wrote an application where the supervisor creates users and, based on the user profiles, I will set HSM rights for that particular user.
Raj
According to Oracle Database documentation, however, "user_Id is the user Id created for the database using the HSM management interface. Password is the password created for the user Id using the HSM management interface". Not sure whether the HSM management interface even interacts with Oracle Database directly!!!
Lopper