Problems Configuring Streams Based Replication with Oracle Label Security (OLS)
(Doc ID 566836.1)
Last updated on SEPTEMBER 14, 2021
Applies to: Oracle Database - Enterprise Edition - Version 18.104.22.168 to 22.214.171.124 [Release 9.2 to 11.1]
Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Cloud Machine - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Information in this document applies to any platform.
The symptoms of the problem fall into 3 categories, each corresponding to an underlying architectural problem that causes Streams-based replication of OLS databases to fail. These are as follows:
1. The session context required by OLS is not initialized by the Streams Apply Process.
OLS stores session-specific information about OLS policies, privileges and security labels in a special session context, which is initialized at session startup time by a database logon trigger. For performance reasons, however, the Streams APPLY process uses its own special session architecture to make database changes, and these apply sessions do not run the OLS logon trigger. As a result, the OLS context is not set up for the APPLY session, which causes replication failures.
2. The Streams architecture doesn't support the replication of hidden columns.
It is possible to configure OLS so that the table column which contains the security label for the row is a hidden column. However, the Streams architecture doesn't support the replication of hidden columns in either the CAPTURE or the APPLY server. This means that OLS policies which use the HIDE policy column option cannot be replicated.
3. Dynamically generated Security Labels lose their validity on the target database.
The security label column of an OLS-enabled table contains a number between 1 and 9999 which maps to the character string representation of the security label contained in the table LBACSYS.lbac$lab. Streams-based replication would simply replicate the number contained in the security label column. If the user is using dynamically generated labels, there is no guarantee that this number maps to the same label in LBACSYS.lbac$lab on both the source and destination databases.
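The check below illustrates problem 3. It is an added example, not Oracle code: it compares the tag-number-to-label mapping exported from the source and destination databases and reports every tag whose number would resolve to a different label, or to no label, after replication. The "policy,tag,label" export format, the function names and the sample rows are assumptions constructed for this illustration.

```python
# Constructed sample exports, one "policy,tag,label" row per line.
SOURCE_EXPORT = """
# policy,tag,label (constructed sample, source database)
HR_POLICY,1000,PUBLIC
HR_POLICY,2000,CONFIDENTIAL
HR_POLICY,3001,SECRET:FIN,HR:WEST
HR_POLICY,3002,SECRET:FIN:EAST
"""
TARGET_EXPORT = """
# policy,tag,label (constructed sample, destination database)
HR_POLICY,1000,PUBLIC
HR_POLICY,2000,CONFIDENTIAL
HR_POLICY,3001,SECRET:FIN:EAST
"""

def parse_export(text):
    """Parse export rows into {(policy, tag): label}."""
    mapping = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two commas only: a label may itself contain commas.
        policy, tag, label = (f.strip() for f in line.split(",", 2))
        mapping[(policy, int(tag))] = label
    return mapping

def compare_label_tags(source, target):
    """Classify each source tag by what the same number means on the target."""
    report = {"match": [], "missing_on_target": [], "different_label": []}
    for key, src_label in sorted(source.items()):
        tgt_label = target.get(key)
        if tgt_label is None:
            # Replicated rows would carry a tag the target cannot resolve.
            report["missing_on_target"].append((key, src_label))
        elif tgt_label != src_label:
            # Replicated rows would silently take on a different label.
            report["different_label"].append((key, src_label, tgt_label))
        else:
            report["match"].append((key, src_label))
    return report

def tags_consistent(report):
    """True only if every source tag resolves to the same label on the target."""
    return not report["missing_on_target"] and not report["different_label"]

if __name__ == "__main__":
    result = compare_label_tags(parse_export(SOURCE_EXPORT), parse_export(TARGET_EXPORT))
    for kind in ("different_label", "missing_on_target"):
        for entry in result[kind]:
            print(kind, entry)
```

A "different_label" entry is the more serious finding: the row replicates without error but is governed by a different label on the destination.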
Trying to Replicate a database configured with OLS using Streams Replication.