Encryption Options for WebCenter Content

By: Raoul Miller – Enterprise Architect

With the increased focus on security in the workplace, TEAM is seeing that more and more of our clients have the requirement to encrypt important data. The content that is managed in their WebCenter Content instance is already an important asset, so the business may see a need to encrypt some or all of that content.

Because there are different areas that can be encrypted, there has been some confusion as to how to go about this process. The following lists the three major options for data encryption within WCC and some of the pros and cons associated with each:

Transport Layer Security (TLS) for Traffic

The easiest and quickest level of encryption to deploy is TLS (Transport Layer Security, still labelled "SSL" in the WebLogic console) for web traffic, the JDBC connection to the database, and LDAP queries to the identity store. All of these can be configured from the WebLogic Server (WLS) console interface and require only certificate procurement and management from the client.

Pros

  • Encryption of traffic prevents sniffing of credentials or data from the wired or wireless networks
  • Relatively quick to configure and simple to deploy

Cons

  • Does not address encryption of content or metadata at rest: files on disk and rows in the database remain readable to anyone with operating system or database access
  • Requires certificate procurement and management


Metadata Encryption

The next step in encryption is to encrypt some or all of the tables or columns in the database. Microsoft SQL Server has its own options (TDE, and Always Encrypted as of SQL Server 2016), but these are not officially supported for WCC by Oracle and have not been tested by TEAM. For those using Oracle Database Enterprise Edition, this path requires licensing of the Advanced Security option and deployment of TDE (Transparent Data Encryption) in the database. TDE is transparent to the JDBC client: the database decrypts on read, so WLS sees plaintext and the connection should carry TLS as described above.

While it is possible to encrypt only some of the metadata (column-level TDE), the overhead of deciding and maintaining which columns are covered would be quite substantial, and there would be a risk of exposing newly created custom metadata: every custom field added in WCC becomes a new column in the DocMeta table, and that column is not encrypted unless someone remembers to encrypt it. All of TEAM's clients that use encryption have chosen to encrypt the entire metadata schema (tablespace encryption).
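As an added example (not code from the original post), the Oracle-side steps for both metadata paths in Oracle Database 12c syntax: keystore setup, an encrypted tablespace for the whole-schema approach, column-level encryption for the selective approach, and a query that lists the DocMeta columns the selective approach has missed. The keystore path and password, the schema name WCC_OCS, the tablespace name and datafile path are assumptions; DocMeta and xComments are standard WCC names.

```sql
-- Added example, not from the original post: Oracle Database 12c TDE for the
-- WCC metadata schema. Keystore path, password, schema name WCC_OCS,
-- tablespace name and datafile path are assumptions; adjust to your site.
-- Needs Enterprise Edition + Advanced Security; run as SYSDBA (or SYSKM).

-- 1. Software keystore (wallet). The directory must match the
--    ENCRYPTION_WALLET_LOCATION entry in sqlnet.ora (assumed path).
--    On 11g the equivalent is ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY ...
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "ChangeMe-KeystorePw1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "ChangeMe-KeystorePw1";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "ChangeMe-KeystorePw1" WITH BACKUP;
-- Auto-login keystore so the wallet opens at instance startup; without it a
-- restart leaves WCC unable to read its tables (ORA-28365: wallet is not open).
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet' IDENTIFIED BY "ChangeMe-KeystorePw1";

-- 2. Whole-schema path (the one the post says TEAM's clients chose): an
--    encrypted tablespace covers every segment placed in it, including the
--    column WCC adds to DocMeta each time a custom metadata field is created.
--    (12.2+ can also encrypt an existing tablespace in place:
--    ALTER TABLESPACE ... ENCRYPTION ONLINE USING 'AES256' ENCRYPT;)
CREATE TABLESPACE WCC_META_ENC
  DATAFILE '/u01/app/oracle/oradata/ORCL/wcc_meta_enc01.dbf' SIZE 2G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move a WCC table (DocMeta is a real WCC table) into it. MOVE leaves the
-- table's indexes UNUSABLE, so rebuild them; the SELECT generates that DDL.
ALTER TABLE WCC_OCS.DocMeta MOVE TABLESPACE WCC_META_ENC;
SELECT 'ALTER INDEX ' || owner || '.' || index_name
       || ' REBUILD TABLESPACE WCC_META_ENC;' AS ddl
  FROM dba_indexes
 WHERE owner = 'WCC_OCS' AND status = 'UNUSABLE';

-- 3. Column path: encrypt individual columns instead. AES192 with salt is
--    the column default; Oracle refuses to encrypt an indexed column with
--    salt, so such columns need NO SALT. Foreign-key columns cannot be
--    column-encrypted at all.
ALTER TABLE WCC_OCS.DocMeta MODIFY (xComments ENCRYPT USING 'AES192');

-- 4. Checks.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'WCC_META_ENC';
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns WHERE owner = 'WCC_OCS';

-- The gap the post warns about on the column path: DocMeta columns that are
-- not covered by column encryption (every new custom field shows up here).
SELECT c.column_name
  FROM dba_tab_columns c
 WHERE c.owner = 'WCC_OCS' AND c.table_name = 'DOCMETA'
   AND NOT EXISTS (SELECT 1 FROM dba_encrypted_columns e
                    WHERE e.owner = c.owner
                      AND e.table_name = c.table_name
                      AND e.column_name = c.column_name);
```

The last query is the one to schedule if you take the column path: run it after every metadata field is added in WCC, and treat any row it returns as unencrypted metadata. On the tablespace path it is unnecessary, which is the practical reason the whole-schema approach wins.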

Pros

  • Flexibility as to which tables or columns within the schema should be encrypted
  • Fully supported by Oracle
  • Provides additional protection against internal threats and escalation of privileges at the operating system level: data files, backups and exports cannot be read directly from disk or tape by someone who bypasses the database's access controls (it does not protect against a user who already holds SELECT privilege on the tables)

Cons

  • There is an encryption / decryption overhead in the database server (CPU on every read and write of encrypted blocks); TDE is transparent to the JDBC client (the WLS server), which receives plaintext over the connection
  • Management of the keystore (wallet) and master encryption key places an additional burden on DBAs, and if the keystore is not open when the database starts, WCC cannot read its own tables
  • Requires Enterprise Edition Oracle Database and Advanced Security licenses


Content Encryption

The final step in security is to encrypt the content as well as the metadata. The only supported method for this is to store the content in the Oracle database using SecureFiles. While in theory this could be done without metadata encryption, to do so would be very poor practice, so this assumes that both metadata and content are to be encrypted.

The FileStore Provider within WebCenter Content (WCC) manages file storage and when content is created / submitted to the content management system, it must be tagged with a metadata field (xStorageRule) indicating where it is to be stored. The system can manage multiple file system storage rules, but only a single JDBC rule. Assignment of the storage rule is normally done either through profiles or workflow.

Clients have 3 options for storage of content:

  • Encrypted in a database
  • Unencrypted in a database
  • Unencrypted on a file system (the default content storage option).

Clients may also choose to store some (or most) content unencrypted on the file system and another portion encrypted within the database. What WCC does not (currently) support is holding some content unencrypted in the database while other content is encrypted in the database, because there is only one JDBC storage rule. Combining unencrypted file system storage rules with the single encrypted database rule therefore gives a "mixed" system in which only the content that is required to be encrypted carries the overhead.
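As an added example (again not from the original post), the database side of the encrypted content option: a stand-in table with an encrypted SecureFiles BLOB, the dictionary check that confirms it, and the failure WCC sees when the keystore is closed. WCC's FileStore provider creates its own JDBC storage table, so the table WCC_CONTENT_DEMO, its columns, the schema WCC_OCS, the tablespace name, the datafile path and the keystore password are all assumptions.

```sql
-- Added example, not from the original post: an encrypted SecureFiles LOB
-- table standing in for WCC's database content store. WCC's own JDBC
-- storage table is created by the FileStore provider; the table
-- WCC_CONTENT_DEMO, its columns, the schema WCC_OCS, the tablespace and
-- the keystore password are assumptions used to show the storage clauses
-- and the checks. Needs Enterprise Edition + Advanced Security; a
-- password-based TDE keystore is assumed to exist already.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "ChangeMe-KeystorePw1";

-- SecureFiles require an ASSM (automatic segment space management)
-- tablespace. This one is not itself encrypted: the LOB carries its own
-- encryption below. In a real deployment the metadata columns would live
-- in the encrypted metadata tablespace.
CREATE TABLESPACE WCC_CONTENT
  DATAFILE '/u01/app/oracle/oradata/ORCL/wcc_content01.dbf' SIZE 10G AUTOEXTEND ON
  SEGMENT SPACE MANAGEMENT AUTO;

-- The BLOB is a SecureFile encrypted with AES256; the LOB column key is
-- protected by the TDE master key in the keystore. Placing the LOB in an
-- encrypted tablespace would cover it too; doing both just doubles the
-- CPU cost. COMPRESS / DEDUPLICATE are left out: they need the Advanced
-- Compression option, which the post does not list.
CREATE TABLE WCC_OCS.WCC_CONTENT_DEMO (
  dID       NUMBER        NOT NULL PRIMARY KEY,
  dDocName  VARCHAR2(80)  NOT NULL,
  fileData  BLOB
)
TABLESPACE WCC_CONTENT
LOB (fileData) STORE AS SECUREFILE wcc_content_lob (
  TABLESPACE WCC_CONTENT
  ENCRYPT USING 'AES256'
  NOCACHE LOGGING
);

-- Constructed sample row (the bytes are not a real document).
INSERT INTO WCC_OCS.WCC_CONTENT_DEMO (dID, dDocName, fileData)
  VALUES (1, 'TEAM000001', UTL_RAW.CAST_TO_RAW('constructed sample content'));
COMMIT;

-- Check: SECUREFILE = YES and ENCRYPT = YES for the LOB column.
SELECT table_name, column_name, securefile, encrypt, tablespace_name
  FROM dba_lobs
 WHERE owner = 'WCC_OCS' AND table_name = 'WCC_CONTENT_DEMO';

-- Reads work while the keystore is open ...
SELECT dDocName,
       UTL_RAW.CAST_TO_VARCHAR2(DBMS_LOB.SUBSTR(fileData, 26, 1)) AS head
  FROM WCC_OCS.WCC_CONTENT_DEMO;

-- ... and fail with ORA-28365 once it is closed, which is what WCC hits
-- after a database restart if no auto-login keystore is configured.
-- (An auto-login keystore is closed with SET KEYSTORE CLOSE alone.)
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "ChangeMe-KeystorePw1";
SELECT dDocName,
       UTL_RAW.CAST_TO_VARCHAR2(DBMS_LOB.SUBSTR(fileData, 26, 1)) AS head
  FROM WCC_OCS.WCC_CONTENT_DEMO;   -- ORA-28365: wallet is not open
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "ChangeMe-KeystorePw1";
```

The closed-keystore read at the end is worth rehearsing before go-live: it is the failure mode that turns a routine database restart into a WCC outage, and the fix (an auto-login keystore, or a startup procedure that opens the wallet before WLS connects) belongs in the DBA runbook alongside the key backup.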

Pros

  • Encryption of content is an added layer of security
  • Performance of SecureFiles is comparable to network attached storage
  • Content is now encrypted in transport (given the TLS configuration from the first option) and at rest with standard algorithms (TDE supports AES256, AES192 – default for TDE column encryption, AES128 – default for TDE tablespace encryption, and 3DES168; prefer AES256 for new deployments, as 3DES is a legacy algorithm)
  • Fully supported by Oracle

Cons

  • There is an encryption / decryption overhead in the database server, now on every content read and write as well as on metadata; TDE is transparent to the JDBC client (the WLS server), which receives plaintext over the connection
  • Management of the keystore (wallet) and master encryption key places an additional burden on DBAs, and a closed keystore after a restart makes all stored content unreadable until it is opened
  • Requires Enterprise Edition Oracle Database, Advanced Security, and Partitioning licenses
  • Setup of tablespace storage can be complex and is poorly documented

All of the above options assume that the deployment is on-premises, or deployed on infrastructure as a service (IaaS). You can still encrypt content on hosted systems, and I will follow up on your choices for hosted systems in another post in the near future.

Please feel free to contact TEAM for all of your WebCenter Content questions, particularly those around content security, encryption, and redaction.

Want to talk at OpenWorld? Email sales@teaminformatics.com

More Information

SSL Setup

http://docs.oracle.com/middleware/12211/wls/SCOVR/concepts.htm#SCOVR163

http://docs.oracle.com/middleware/12211/wls/SECMG/ssl_jsse_impl.htm#SECMG502

TDE (Transparent Data Encryption)

http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A12003

Advanced Security on Oracle Database

http://www.oracle.com/technetwork/database/options/advanced-security/index-082628.html

SecureFiles

http://www.oracle.com/technetwork/database/features/secure-files/dbfs-benchmark-367122.pdf

http://www.oracle.com/technetwork/database/perf-087187.html

https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_other.htm#ASOAG10436
