67 lines
2.4 KiB
Markdown
67 lines
2.4 KiB
Markdown
# Troubleshooting Guide
|
|
|
|
Use safe diagnostics first. Ask for exact database version, architecture, platform, product versions, recent changes, error text, and whether the issue affects production.
|
|
|
|
## TDE Performance or Availability
|
|
|
|
Check:
|
|
|
|
- Whether the workload is CPU-bound, I/O-bound, or affected by backup/compression changes.
|
|
- Tablespace vs column encryption usage.
|
|
- AES-NI or platform crypto acceleration availability.
|
|
- Backup, Data Guard, RMAN, export/import, and wallet or OKV access path.
|
|
- Wallet status and alert log messages.
|
|
|
|
Safe diagnostics:
|
|
|
|
```sql
|
|
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
|
|
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY tablespace_name;
|
|
```
|
|
|
|
Gotchas:
|
|
|
|
- TDE does not stop authorized SQL access.
|
|
- Lost or unavailable keys can become an availability incident.
|
|
- Test restore and failover, not only encryption enablement.
|
|
|
|
## OKV and Wallet Integration
|
|
|
|
Check endpoint enrollment, wallet upload or migration state, network latency, TLS/certificate validity, endpoint permissions, backup of OKV, HA configuration, and separation of duties.
|
|
|
|
Gotchas:
|
|
|
|
- Centralization improves governance but increases dependency on OKV availability and operational process.
|
|
- Key rotation requires application and operational test windows.
|
|
|
|
## AVDF and Audit Overhead
|
|
|
|
Check audit policy selectivity, audit trail growth, collection latency, collector sizing, network reliability, parser support, firewall mode, and report requirements.
|
|
|
|
Tune:
|
|
|
|
- Start with high-value events before broad statement auditing.
|
|
- Use monitoring mode before blocking mode.
|
|
- Forward only meaningful alerts to the SIEM.
|
|
- Define retention and purge processes.
|
|
|
|
## Database Vault Operational Friction
|
|
|
|
Check realm authorization, command rules, factors, rule sets, application maintenance jobs, patching tasks, and emergency access.
|
|
|
|
Gotchas:
|
|
|
|
- Overbroad realms can break DBA workflows.
|
|
- Under-tested command rules can interrupt patching or batch jobs.
|
|
- Break-glass access must be tightly controlled, time-bound, and audited.
|
|
|
|
## Data Masking Problems
|
|
|
|
Check discovery coverage, referential integrity, masking format preservation, application constraints, uniqueness, deterministic masking needs, and downstream dependencies.
|
|
|
|
Gotchas:
|
|
|
|
- Masking is usually irreversible.
|
|
- Subsetting can break referential integrity if parent-child rules are incomplete.
|
|
- Production masking is rarely the right control unless explicitly designed and approved.
|