Problems Configuring Streams Based Replication with Oracle Label Security (OLS)
Last updated on FEBRUARY 10, 2012
Applies to:Oracle Server - Enterprise Edition - Version: 184.108.40.206 to 220.127.116.11 - Release: 9.2 to 11.1
Oracle Server - Enterprise Edition - Version: 18.104.22.168 to 22.214.171.124 [Release: 9.2 to 11.1]
Information in this document applies to any platform.
The symptoms of the problem can be categorized because of 3 underlying architectural problems which cause streams based replication of OLS databases to fail. These are as follows:
1. The session context required by OLS is not initialized by the Streams Apply Process.
OLS stores session specific information regarding OLS policies, privileges and security labels in a special session context which is initialized at session startup time via a database logon trigger. But, for performance reasons, the streams APPLY process uses it's own special session architecture to make database changes, and these apply sessions don't run the OLS logon trigger. This means that the OLS context is not set up for the APPLY session which results in replication failures.
2. The Streams architecture doesn't support the replication of hidden columns.
It is possible to configure OLS so that the table column which contains the security label for the row is a hidden column. However, the streams architecture doesn't support the replication of hidden columns in either the CAPTURE or the APPLY server. This means that OLS policies which use the HIDE policy column option cannot be replicated.
3. Dynamically generated Security Labels loose their validity on the target database.
The security label column of an OLS enabled table contains a number between 1 and 9999 which maps to the character string representation of the security label contained in the table LBACSYS.lbac$lab. When using streams based replication we would simply be replicating the number contained in the security label column. If the user is using dynamically generated labels, there is no guarantee that this number would map to the same label in LBACSYS.lbac$lab for both source and destination databases.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms