1. SQL Language Reference
  2. SQL Statements: ADMINISTER KEY MANAGEMENT to ALTER JAVA
  3. ALTER DATABASE DICTIONARY

ALTER DATABASE DICTIONARY

Purpose

To encrypt obfuscated database link passwords and use the TDE framework to manage the encryption key.

Prerequisites

  • The TDE keystore must exist. The DDL first checks that the TDE:

    • Keystore exists.

    • Keystore is open.

    • Master Encryption Key exists in the TDE keystore.

      If any of the checks fail, the DDL fails. When this happens you must create a TDE keystore and provision a TDE Master Key. For more on this refer to the Database Security Guide.

  • The instance initialization parameter COMPATIBLE must be set to 12.2.0.2.

  • You must have SYSKM privileges to execute the command.

Syntax

alter_database_dictionary::=

Description of alter_database_dictionary.eps follows
Description of the illustration alter_database_dictionary.eps

Semantics

alter_database_dictionary_encrypt_credentials::=

This DDL encrypts existing and future obfuscated sensitive information in data dictionaries, for example database link passwords stored in SYS.LINKS$.

It performs the following actions:

  • Inserts a new entry in ENC$ corresponding to SYS.LINK$.

  • It creates and initializes the SGA variable.

  • De-obfuscates obfuscated passwords in SYS.LINK$.

  • Encrypts the de-obfuscated passwords using the generated encryption key in ENC$ for SYS.LINK$.

  • Sets the flag to indicate a valid/usable dblink entry in SYS.LINK$.

alter_database_dictionary_rekey_credentials::=

This DDL is used to change the data encryption key. It is applied to SYS.LINK$ and any other tables covered under the data dictionary encryption framework.

alter_database_dictionary_delete_credentials_key::=

This DDL marks encrypted passwords unusuable. That means that current password entries in SYS.LINK$ are marked unusable. It deletes the key in ENC$ that was used to encrypt the credentials, and clears the SGA variable to prevent future encryption.