How to Secure an Oracle Database 19c: Best Practices for DBAs

Oracle Database 19c is a powerful and feature-rich relational database management system. But with power comes responsibility—especially when it comes to data security. If you're a DBA, IT administrator, or developer, securing your Oracle 19c environment should be a top priority.

In this post, we’ll walk through practical steps to harden and secure your Oracle 19c database against common threats and vulnerabilities.


Why Database Security Matters

Databases are prime targets for attackers. A breach can expose sensitive information like personal data, credit card numbers, or business secrets. Oracle 19c includes many built-in security features, but they must be properly configured.


1. Keep Your Oracle Software Updated

Always apply the latest Patch Set Updates (PSUs) and Critical Patch Updates (CPUs) from Oracle.

Tip: Schedule regular patch cycles and test in a staging environment first.


2. Enforce Strong Password Policies

Weak passwords are the easiest way into a database. Enforce complexity and expiration policies:


ALTER PROFILE DEFAULT LIMIT
  PASSWORD_LIFE_TIME 90
  PASSWORD_REUSE_TIME 365
  PASSWORD_REUSE_MAX 5
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

Also, disable or delete default accounts (like SCOTT) that aren’t in use.


3. Implement Least Privilege Access

  • Use roles to group privileges.

  • Never grant users more privileges than they need.

  • Avoid using GRANT ALL—it’s a red flag in audits.


GRANT SELECT, INSERT ON employees TO hr_user;

4. Enable Transparent Data Encryption (TDE)

TDE encrypts sensitive data at rest—perfect for complying with regulations like GDPR and HIPAA.


-- Create a wallet
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet' IDENTIFIED BY MyPassword;

-- Open the wallet
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyPassword;

-- Set the master key
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY MyPassword WITH BACKUP;

Encrypt tablespaces or individual columns as needed.


5. Configure Oracle Database Vault

Oracle Database Vault restricts access to sensitive data—even from DBAs. You can create realms to protect objects and control access to them.

  • Prevent users from executing SELECT on HR tables unless authorized.

  • Enforce separation of duties.

This feature requires extra licensing but adds strong internal security.


6. Monitor and Audit Activities

Enable Oracle Unified Auditing to log database activities:


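CREATE AUDIT POLICY hr_employees_select ACTIONS SELECT ON hr.employees;  -- policy name is illustrative
AUDIT POLICY hr_employees_select BY hr_user;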

You can also use tools like:

  • Oracle Audit Vault

  • Oracle Enterprise Manager

  • SIEM solutions (Splunk, ELK)

Regularly review logs and alerts for suspicious activities.


7. Use Network Encryption and Firewalls

Secure communication channels using Oracle Native Network Encryption or SSL/TLS.

Edit sqlnet.ora to enforce encryption:


SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
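
As an added example (not from the original post or from Oracle), this Python check reads a server-side sqlnet.ora and flags settings that still let a session negotiate down to cleartext: only REQUIRED refuses an unencrypted connection, while ACCEPTED (the default) and REQUESTED allow it. The sample files and the AES-only policy are assumptions constructed for illustration.

```python
import re

AES = {"AES256", "AES192", "AES128"}  # assumption: AES-only policy, as in the post

# Constructed sample files, not taken from a real system.
WEAK = """\
# server side
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,
    3DES168, RC4_128)
"""
HARDENED = "SQLNET.ENCRYPTION_SERVER = REQUIRED\nSQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n"

def parse_sqlnet(text):
    """Return {PARAMETER: [values]} from sqlnet.ora text, upper-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and entries:      # indented line continues a value
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    params = {}
    for entry in entries:
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip().upper()] = [v.upper() for v in re.findall(r"[^\s(),]+", value)]
    return params

def check_encryption(text):
    """Return findings; an empty list means encryption is enforced with AES only."""
    params, findings = parse_sqlnet(text), []
    # ACCEPTED is the server default when the parameter is absent.
    level = (params.get("SQLNET.ENCRYPTION_SERVER") or ["ACCEPTED"])[0]
    if level != "REQUIRED":
        findings.append(f"ENCRYPTION_SERVER={level}: cleartext sessions still possible")
    types = params.get("SQLNET.ENCRYPTION_TYPES_SERVER", [])
    if not types:
        findings.append("ENCRYPTION_TYPES_SERVER unset: every installed algorithm is offered")
    non_aes = [t for t in types if t not in AES]
    if non_aes:
        findings.append("non-AES algorithms offered: " + ", ".join(non_aes))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_encryption(cfg) or "OK")
```
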

Restrict database access via:

  • Firewalls and VPCs

  • Database listener restrictions in listener.ora


8. Disable Unused Features and Services

The more features enabled, the bigger your attack surface. Disable or remove:

  • Unused database components

  • Unused ports

  • Unused listener endpoints

You can check what's installed using:


SELECT comp_name, status FROM dba_registry;

9. Regular Backups and Recovery Testing

A secure database is also one that can be restored. Use RMAN to take encrypted backups and regularly test your restore process.


RMAN> BACKUP DATABASE PLUS ARCHIVELOG;

Encrypt backup files for added security:


CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES256';

10. Use Security Tools and Automation

Oracle 19c comes with tools that can help:

  • Data Masking and Subsetting for test environments

  • Oracle Label Security for row-level access control

  • SQL Developer Security Assessment Tool


Final Thoughts

Securing Oracle Database 19c isn’t a one-time job—it’s a continuous process. Start with these essentials and evolve your strategy as threats change. A proactive approach to database security not only protects your data but also your organization’s reputation and compliance posture.
