Release Notes
Product Description
CipherTrust Database Protection for Oracle (CDP for Oracle) (formerly known as SafeNet ProtectDB for Oracle) provides powerful protection or sensitive data stored in the database. CDP for Oracle provides the flexibility to encrypt data at the column-level within the database, application layer, during batch-driven data transformation, and transaction processes.
This document may at times abbreviate CDP for Oracle to CDP.
Release Description
Release 8.12.0.002-001
The IngrianNAE.jar, IngrianDB.jar, and IngrianLog4j.jar files are now signed with the JCE Code Signing Certificate using the RSA SHA256 algorithm, issued by Oracle.
Note
For Oracle 19C, apart from the signed JAR files mentioned above, only the following external (third-party) unsigned JAR files are used:
gson-2.1.jar
commons-lang3-3.1.jar
commons-codec-1.6.jar
commons-collections4-4.1.jar
jaxb-api-2.1.jar
The CDP for Oracle package also includes various other JAR files, which are not used for Oracle 19C. So, you can safely remove them.
Release 8.12.0.001-001
CDP for Oracle 8.12.0.001-001 release includes bug fix.
The IngrianNAE.jar file is now signed with the JCE Code Signing Certificate using the RSA SHA256 algorithm, issued by Oracle.
Release 8.12.0
CDP for Oracle 8.12.0 release includes new features and bug fixes.
New Features
Release 8.12.0
Following are the new features added in this release:
SafeNet ProtectDB for Oracle has been rebranded to CipherTrust Database Protection for Oracle (CDP for Oracle).
Added support for persistent cache.
This feature allows you to cache symmetric keys in persistent cache. A new configuration parameter, Persistent_Cache_Enabled, is included. Use this parameter to enable/disable the persistent cache feature. By default, the feature is disabled. To enable the feature, set Persistent_Cache_Enabled=yes in the properties file.
Resolved and Known Issues
This section lists the issues that have been resolved in this release and that are known to exist in this release. The following table defines the severity of the issues listed in this section.
| Priority | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
Resolved Issue
This table lists the issue resolved in 8.12.0.001-001.
| Issue | Severity | Description |
|---|---|---|
| CADP-11161 | H | CDP stops working and throws the following error after upgrading to OJVM patches which have restricted the Jar files signed with SHA1 and treated them unsigned.Error: JCE cannot authenticate the provider IngrianProviderExamples of such patches include 7u361, 8u351, 11.0.17-oracle, and 17.0.5-oracle. For details, refer to the respective JDK release notes. |
This table lists the issues resolved in 8.12.0.
| Issue | Severity | Description |
|---|---|---|
| PDB-3633 | H | [Local Mode]: High CPU utilization is observed when Key Manager is unreachable after symmetric key cache expiry. |
| PDB-3597 | H | [Local Mode]: If Key Manager is unreachable, the decryption calls return same decrypted values for different plaintext values. |
Known Issues
This section lists the issues known to exist in the product at the time of release.
| Issue | Severity | Description |
|---|---|---|
| PDB-3934 | H | SSL connection with CipherTrust Manager doesn't work. Workaround: — For Windows, run the following command with sysdba privilege: alter system set JAVA_JIT_ENABLED=FALSE scope=memory sid='<ORACLE_SID>';— For Linux, use the custom cert for TLS negotiation. |
| PDB-3500 | M | When group policy users are not authorized to perform decryption, the select operation on the large data types does not return the expected error/error replacement value. Workaround: For decryption, avoid using unauthorized user with group policy. |
| PDB-3493 | H | SSL connection (using TLSv1.2 protocol) between Oracle and Key Manager becomes non-responsive when the JIT compiler is enabled. This is an Oracle's known issue; for more information, refer to the Oracle document (Doc Id: 2573358.1). Workaroud: As recommended by Oracle, disable the JIT compiler by executing the following command: alter system set JAVA_JIT_ENABLED=FALSE scope=both; |
| PDB-3461 | M | Migration of columns with Number data types created without any precision or scale fails on KS when data length is ≥ 16 digits. The following error message is displayed: value too large for column. Workaround: — For non-versioned keys, manually alter the new column created — For versioned keys, manually alter the new column created |
| PDB-3377 | M | After upgrading CDP for Oracle from 6.4 to 8.x, the following error is displayed on the UserAccess page of the KeySecure Classic UI:Error: The provider has not yet been installed on this database. You must install the provider before you can map users.Workaround: — Back up the CDP metadata by executing the metadatabackup.sh or metadatabackup.bat script .These scripts are available at <installdirectory>\CDP_for_Oracle\upgradescript— Drop the existing ingrian user(metadata user) from the database and create a new ingrian user (metadata user) using the following commands: Drop user ingrian cascade;Create user ingrian identified by asdf1234 default tablespace USERS quotaunlimited on USERS;grant connect, resource to ingrian;commit;— Install CDP for Oracle. Refer to the user guide for details. Restore the CDP metadata by executing the metadatarestore.sh or metadatarestore.bat script. These scripts are available at: <installdirectory>\CDP_for_Oracle\upgradescript.Note: Back-up and restore (step 1 and 4) should only be followed if at least one table is migrated. |
| PDB-3185 | M | For Oracle 18c/19c, select query returns null value, when same column names are used in select and where clause and domain index is also created on all the mentioned columns. This is an Oracle database issue. Workaround: — Create a duplicate column with same data and definitions. — Encrypt that column with similar configuration. — Apply domain index on the column and use it in where clause. |
| PDB-570 | M | The Java heap space error is encountered while performing migration and key rotation operations with large batch size. Workaround: Use a batch size recommended in the message or use small batch size. |
| 84837 | L | Inserting or updating a file using insert or update statements on rows containing empty_clob() and empty_blob() does not work properly. Workaround: Update empty_clob() and empty_blob() with any other data value, like ABCD and then update the value. |
| 56106 | L | Before installing CDP for Oracle, if the DELETE statement includes a LONG data type in the WHERE condition, the following error appears:ORA-00997: illegal use of LONG datatypeAfter migrating a table, however, if the DELETE statement includes a LONG data type in the where condition, the following error appears: ORA-04091: table X_NEW is mutating, trigger/function may not see it.ORA-06512: at “INGRIAN.INGLONGTOCHAR”, line 12ORA-06512: at line 1Workaround: The change in errors occurs because the LONG column becomes a VARCHAR2 column in the migrated table. This error message can be avoided by creating a DELETE trigger. |
Supported Platforms and Compatibility Information
Operating Systems
CDP for Oracle is a Java based solution, hence allowing it to work with most of the operating systems. The CDP is supported on the following platforms, however, not all operating system versions combinations are explicitly validated.
AIX PowerPC
HPUX
RHEL
SUSE
openSUSE
Solaris SPARC
Windows
Oracle Linux v7.7 with UEK kernel
Oracle Linux v8.x (tested on v8.6)
Oracle Versions
CDP for Oracle is supported on 12c, 18c, 19c, and Oracle XA driver.
Note
CDP supports the following Oracle Java Versions (OJVM):
6 (minimum 1.6.0_131)
7 (minimum 1.7.0_121)
8 (minimum 1.8.0_111)
Key Manager Compatibility
KeySecure Classic: 8.12.0 and higher versions.
CipherTrust Manager: 2.1 and higher versions
