
Problems Configuring Streams Based Replication with Oracle Label Security (OLS) (Doc ID 566836.1)

Last updated on JUNE 07, 2024

Applies to:

Oracle Database Cloud Service - Version N/A and later
Oracle Database - Enterprise Edition - Version 9.2.0.1 to 11.1.0.7 [Release 9.2 to 11.1]
Oracle Database Cloud Schema Service - Version N/A and later
Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Information in this document applies to any platform.

Symptoms

The symptoms fall into three categories, each caused by an underlying architectural problem that makes Streams-based replication of OLS databases fail:

1. The session context required by OLS is not initialized by the Streams Apply Process.

OLS stores session-specific information about OLS policies, privileges and security labels in a special session context that is initialized at session startup by a database logon trigger. For performance reasons, however, the Streams APPLY process uses its own special session architecture to make database changes, and these apply sessions don't run the OLS logon trigger. As a result, the OLS context is not set up for the APPLY session, and replication fails.

2. The Streams architecture doesn't support the replication of hidden columns.

It is possible to configure OLS so that the table column which contains the security label for the row is a hidden column. However, the streams architecture doesn't support the replication of hidden columns in either the CAPTURE or the APPLY server. This means that OLS policies which use the HIDE policy column option cannot be replicated.

3. Dynamically generated Security Labels lose their validity on the target database.

The security label column of an OLS enabled table contains a number between 1 and 9999 which maps to the character string representation of the security label contained in the table LBACSYS.lbac$lab. When using streams based replication we would simply be replicating the number contained in the security label column. If the user is using dynamically generated labels, there is no guarantee that this number would map to the same label in LBACSYS.lbac$lab for both source and destination databases.
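
The check below is an added example, not part of the Oracle note: it compares the numeric-tag-to-label mappings of a source and a target database and lists the replicated rows whose label would be misread on the target. It assumes the mappings have already been exported from each database as {tag: label} pairs for one policy; the function names, label strings and rows are constructed for illustration.

```python
"""Detect OLS label-tag drift between a replication source and target."""


def compare_label_maps(source, target):
    """source/target: {numeric_tag: label_string} for the same OLS policy."""
    conflicting = {}  # same tag on both sides, but it names a different label
    missing = {}      # tag used on the source has no label on the target
    for tag, label in sorted(source.items()):
        if tag not in target:
            missing[tag] = label
        elif target[tag] != label:
            conflicting[tag] = (label, target[tag])

    # Labels that exist on both sides but under different numbers.
    target_by_label = {label: tag for tag, label in target.items()}
    renumbered = {
        label: (tag, target_by_label[label])
        for tag, label in sorted(source.items())
        if label in target_by_label and target_by_label[label] != tag
    }
    return {"conflicting": conflicting, "missing": missing,
            "renumbered": renumbered}


def affected_rows(rows, report):
    """rows: (row_id, tag) pairs as they would be captured on the source."""
    bad = set(report["conflicting"]) | set(report["missing"])
    return [row_id for row_id, tag in rows if tag in bad]


# Constructed sample data: tags 1001-1003 stand for dynamically generated
# labels that were created in a different order on each database.
SOURCE = {100: "PUBLIC", 200: "CONFIDENTIAL",
          1001: "SECRET:FIN", 1002: "SECRET:HR"}
TARGET = {100: "PUBLIC", 200: "CONFIDENTIAL",
          1001: "SECRET:HR", 1003: "SECRET:FIN"}
ROWS = [("r1", 100), ("r2", 1001), ("r3", 1002), ("r4", 200)]

if __name__ == "__main__":
    report = compare_label_maps(SOURCE, TARGET)
    for tag, (src, tgt) in report["conflicting"].items():
        print(f"tag {tag}: source={src!r} target={tgt!r} (row would be relabeled)")
    for tag, src in report["missing"].items():
        print(f"tag {tag}: source={src!r} has no label on target")
    for label, (s_tag, t_tag) in report["renumbered"].items():
        print(f"label {label!r}: tag {s_tag} on source, {t_tag} on target")
    print("rows at risk:", affected_rows(ROWS, report))
```

A conflicting tag is the case that matters most for access control, because the replicated row resolves silently to a different label on the target instead of failing.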

Changes

Trying to replicate a database configured with OLS using Streams replication.

Cause
