Files
skill-oracle-db-security/references/troubleshooting.md

2.4 KiB

Troubleshooting Guide

Use safe diagnostics first. Ask for exact database version, architecture, platform, product versions, recent changes, error text, and whether the issue affects production.

TDE Performance or Availability

Check:

  • Whether the workload is CPU-bound, I/O-bound, or affected by backup/compression changes.
  • Tablespace vs column encryption usage.
  • AES-NI or platform crypto acceleration availability.
  • Backup, Data Guard, RMAN, export/import, and wallet or OKV access path.
  • Wallet status and alert log messages.

Safe diagnostics:

SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY tablespace_name;

Gotchas:

  • TDE does not stop authorized SQL access.
  • Lost or unavailable keys can become an availability incident.
  • Test restore and failover, not only encryption enablement.

OKV and Wallet Integration

Check endpoint enrollment, wallet upload or migration state, network latency, TLS/certificate validity, endpoint permissions, backup of OKV, HA configuration, and separation of duties.

Gotchas:

  • Centralization improves governance but increases dependency on OKV availability and operational process.
  • Key rotation requires application and operational test windows.

AVDF and Audit Overhead

Check audit policy selectivity, audit trail growth, collection latency, collector sizing, network reliability, parser support, firewall mode, and report requirements.

Tune:

  • Start with high-value events before broad statement auditing.
  • Use monitoring mode before blocking mode.
  • Forward only meaningful alerts to the SIEM.
  • Define retention and purge processes.

Database Vault Operational Friction

Check realm authorization, command rules, factors, rule sets, application maintenance jobs, patching tasks, and emergency access.

Gotchas:

  • Overbroad realms can break DBA workflows.
  • Under-tested command rules can interrupt patching or batch jobs.
  • Break-glass access must be tightly controlled, time-bound, and audited.

Data Masking Problems

Check discovery coverage, referential integrity, masking format preservation, application constraints, uniqueness, deterministic masking needs, and downstream dependencies.

Gotchas:

  • Masking is usually irreversible.
  • Subsetting can break referential integrity if parent-child rules are incomplete.
  • Production masking is rarely the right control unless explicitly designed and approved.