My Oracle Support Banner

ACFS Security Ignores Rules when user not part of realm (Doc ID 1583193.1)

Last updated on JANUARY 24, 2020

Applies to:

Oracle Database - Enterprise Edition - Version and later
Information in this document applies to any platform.


 Using ACFS security to protect the Oracle wallet.  

Security was set up as follows with a rule that allows only the oracle executable access to the wallet:

security admin: myadm [20038]
security group: sec-admin [1006]
oracle owner: oracle [500]
oracle group: oinstall [500]

acfsutil sec prepare -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec realm create TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -d "Wallet Realm" -e off
acfsutil sec rule create allowOracleRule -m /opt/oracle/acfsmounts/data_tde_volume -t application /u01/app/oracle/product/ -o ALLOW
acfsutil sec ruleset create TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec ruleset edit TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume -a allowOracleRule -o ANY_TRUE
acfsutil sec realm add TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -l ALL:TDEWalletRuleSet -f -r /opt/oracle/acfsmounts/data_tde_volume/orcl

Now as the oracle user if we do the following:
$> cd /opt/oracle/acfsmounts/data_tde_volume/orcl
$> ls -l
ls: .:  Permission denied

The log file in /opt/oracle/acfsmounts/data_tde_volume/orcl/.Security/log shows the following message:

08/28/13 15:10:12 UTC [uid: 500 gid: 500 Result: DENIED] Realm authorization failed for OPEN on file 'orcl'

The only way that the database can open the wallet is to disable ACFS security.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.