By: Raoul Miller - Enterprise Architect
With the increased focus on security in the workplace, TEAM is seeing that more and more of our clients have the requirement to encrypt important data. The content that is managed in their WebCenter Content instance is already an important asset, so the business may see a need to encrypt some or all of that content.
Because there are different areas that can be encrypted, there has been some confusion as to how to go about this process. The following lists the three major options for data encryption within WCC and some of the pros and cons associated with each:
Transport Layer Security (TLS) for Traffic
The easiest and quickest level of encryption to deploy is TLS (the successor to SSL; SSLv3 and earlier should be disabled, not configured) for web traffic (HTTPS), the JDBC connection to the database (Oracle Net over TCPS), and LDAP queries (LDAPS). All of these can be configured from the WebLogic Server (WLS) Administration Console and require only certificate procurement and management on the client's side. Note that this protects data in transit only: content and metadata are still stored in the clear on disk and in the database.
Transparent Data Encryption (TDE) for Metadata
The next step is to encrypt some or all of the tables or columns in the database that holds the WCC metadata schema. Microsoft SQL Server offers comparable features (TDE, and column-level Always Encrypted from SQL Server 2016), but running WCC on an encrypted SQL Server database is not officially supported by Oracle and has not been tested by TEAM. For those using Oracle Database Enterprise Edition, this path requires licensing of the Advanced Security option and enabling TDE (transparent data encryption) on the tablespaces or columns concerned. TDE is applied inside the database: data is encrypted when written to disk and decrypted as it is read, so no change to WCC or to its JDBC configuration is needed. What does change is that the keystore (wallet) holding the TDE master key becomes the asset to protect; if it is backed up alongside the datafiles, the encryption buys very little.
While it is possible to encrypt only selected metadata columns, the overhead involved (identifying every sensitive column up front and keeping that list current as the schema changes) would be quite substantial, and any custom metadata field added later would land in an unencrypted column unless someone remembers to extend the encryption to it. All of TEAM's clients that use encryption have chosen to encrypt the entire metadata schema, which with TDE is done at the tablespace level.
Content Encryption with SecureFiles
The ultimate step in security is to encrypt the content itself as well as the metadata. The only supported method for this is to store the content in the Oracle database as SecureFiles LOBs with encryption enabled (also an Advanced Security feature). While in theory this could be done without encrypting the metadata, doing so would be very poor practice, since the metadata describing a document is often as sensitive as the document, so the rest of this post assumes that both metadata and content are to be encrypted.
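As an added example (not from the original post, and not Oracle's or WCC's own scripts), the following Oracle SQL shows what the database side of the second and third options looks like in practice: an encrypted tablespace for the metadata schema, a SecureFiles LOB column with encryption for content, and the dictionary queries used to confirm that both are actually encrypted. The tablespace, table, schema and datafile names and the keystore password are hypothetical stand-ins; the real table that a WCC JDBC storage rule writes to, and the schema owner, come from your installation.

```sql
-- Added example, not from the original post. WCC_ENC_DATA, WCC_LOB, OCS,
-- WCC_CONTENT_DEMO, the datafile paths and the keystore password are hypothetical.
-- Requires Oracle Database Enterprise Edition with the Advanced Security option.

-- 1. The TDE master key lives in a keystore (wallet). It must be open before any
--    encrypted tablespace or LOB can be created or read. Run as SYSKM or SYSDBA.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore-password";

-- 2. Encrypt the whole metadata schema by placing it in an encrypted tablespace.
--    Every table and index created here is encrypted on disk; WCC and its JDBC
--    driver see plaintext and need no change.
CREATE TABLESPACE wcc_enc_data
  DATAFILE '/u02/oradata/WCCDB/wcc_enc_data01.dbf' SIZE 2G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. A plain tablespace for the content LOBs; encryption is applied per LOB
--    column below (SecureFiles encryption), which is the option the post describes.
CREATE TABLESPACE wcc_lob
  DATAFILE '/u02/oradata/WCCDB/wcc_lob01.dbf' SIZE 20G AUTOEXTEND ON;

-- 4. Content stored in the database goes into a SecureFiles LOB. ENCRYPT on the
--    LOB storage clause encrypts the LOB data wherever it is stored. The table
--    shape is a stand-in for the table the WCC JDBC storage rule writes to.
CREATE TABLE ocs.wcc_content_demo (
  did           NUMBER(19)    NOT NULL,
  drenditionid  VARCHAR2(30)  NOT NULL,
  dfilecontent  BLOB,
  CONSTRAINT wcc_content_demo_pk PRIMARY KEY (did, drenditionid)
) TABLESPACE wcc_enc_data
  LOB (dfilecontent) STORE AS SECUREFILE wcc_content_demo_lob (
    TABLESPACE wcc_lob
    ENCRYPT USING 'AES256'
    CACHE
  );

-- 5. Verify. Expect ENCRYPTED = 'YES' for WCC_ENC_DATA and 'NO' for WCC_LOB ...
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name IN ('WCC_ENC_DATA', 'WCC_LOB');

-- ... the algorithm actually in use for the encrypted tablespace ...
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- ... and SECUREFILE = 'YES', ENCRYPT = 'YES' for the content column.
SELECT owner, table_name, column_name, securefile, encrypt
  FROM dba_lobs
 WHERE owner = 'OCS' AND table_name = 'WCC_CONTENT_DEMO';

-- 6. Negative check: close the keystore and read the LOB. With TDE in force the
--    read fails with ORA-28365 (wallet is not open) instead of returning data.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "keystore-password";
SELECT did, DBMS_LOB.GETLENGTH(dfilecontent) FROM ocs.wcc_content_demo;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore-password";
```

For an existing WCC schema the tables are moved with ALTER TABLE ... MOVE TABLESPACE (followed by an index rebuild) or exported and imported into the encrypted tablespace; from Oracle 12.2 an in-place ALTER TABLESPACE ... ENCRYPTION ONLINE ENCRYPT is also available. The two dictionary queries are the check to hand an auditor; a hex dump of the datafile is the other, and should show no recognisable metadata values or file headers.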
The FileStore Provider within WebCenter Content (WCC) manages file storage. When content is checked in, it must be tagged with the metadata field xStorageRule, which names the storage rule that decides where the file is to be stored. The system can manage multiple file system storage rules, but only a single JDBC (database) rule. Assignment of the storage rule is normally done either through profiles or through workflow.
Clients have 3 options for storage of content:
Clients may also choose to store some (or most) content unencrypted on the file system and the remainder encrypted within the database. Because there is only one JDBC storage rule, WCC does not (currently) support storing some content unencrypted in the database while other content is encrypted in the database. Combining unencrypted storage rules for content on the file system with a single encrypted storage rule for the database gives a "mixed" system in which only the content that is required to be encrypted carries the overhead. One caveat: in such a system the metadata for the file system content still lives in the (encrypted) database, but the files themselves are protected at rest only as well as the file system and its operating system permissions protect them.
All of the above options assume that the deployment is on-premises, or deployed on infrastructure as a service (IaaS). You can still encrypt content on hosted systems, and I will follow up on your choices for hosted systems in another post in the near future.
Please feel free to contact TEAM for all of your WebCenter Content questions, particularly those around content security, encryption, and redaction.