SYNCHRONIZATION OF SECRET KEYS BETWEEN MULTIPLE SERVER INSTANCES

The present disclosure relates to computer-implemented methods, software, and systems for the replication of secret keys between server nodes. Keys for encryption and decryption are persisted in a log file on a first database hosted on a primary server. The log file comprises data for executed database transactions at the first database and key management operations at a first key store. In response to triggering a synchronization between the primary server and a secondary server, a set of sequential entries of the log file are replayed at the secondary server from the first database. An execution of a transaction is replicated at a secondary database at the secondary server based on data for an entry at the log file and a key management operation associated with a key at the first key store that is persisted in another entry of the log file is replicated.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure. 1. A computer-implemented method comprising:storing data from an application operating on an application server in an application format defined by an application custom data type and an application custom data structure in a database operating on a database server, the database further storing other data in a database format that is different from the application format;retrieving the data from the database in response to a request to access the data;storing the data from the database in a shared memory;accessing the data from the shared memory for use in the application;receiving the application custom data structure in the database;transforming the other data stored in the database from the database format to the application format using the application custom data structure processed by an in-memory database engine; andsending the transformed other data from the database to the shared memory in the application format.2. The method of wherein the application server and the database server are virtual machines.3. The method of wherein the shared memory is accessible by both the application server virtual machine and the database ...

FILE-BASED TRANSPORT OF TABLE CONTENT

A system includes reception of a configuration set definition file defining the structure of one or more customizing tables of a software application, reception of a configuration data file including data for the one or more customizing tables, and, during activation of the software application in a run-time system, generation of the one or more customizing tables based on the configuration set definition file, generation of a service to access the configuration data file, and population of the one or more customizing tables with data of the configuration data file. 1. A system comprising:a memory storing processor-executable process steps; and receive a configuration set definition file defining the structure of one or more customizing tables of a software application;', 'receive a configuration data file including data for the one or more customizing tables; and', 'during activation of the software application in a run-time system:', 'generate the one or more customizing tables based on the configuration set definition file, generate a service to access the configuration data file, and populate the one or more customizing tables with data of the configuration data file., 'a processor to execute the processor-executable process steps to cause the system to2. A system according to claim 1 , wherein the processor is further to execute the processor-executable process steps to cause the system to:receive a request to read data from the configuration data file from a user interface application;in response to the request, execute the service to deserialize the data into a temporary table; andtransmit the data of the temporary table to the user interface application.3. A system according to claim 2 , wherein the processor is further to execute the processor-executable process steps to cause the system to:receive a second request to update the transmitted data;in response to the second request, execute the service to serialize the updated data into the configuration data ...

Generic layer for virtual object resolution

Systems and techniques to derive virtual objects at run-time from persistencely stored objects. In general, in one implementation, the technique includes receiving a request for a target object from a requesting application. It is determined whether a delta link is associated with the target object. The delta link includes a location of the target object and information describing a desired difference between the target object and a derived object to be returned to the requesting application. The target object is located and a derived object is generated from the target object and the information in the delta link. The derived object is then returned to the requesting application. The target object, and derived object, may include a number of elements. The elements may be name-value pairs, or “properties”, or a number of child objects in an object hierarchy.

DATABASE LEVEL CONTAINERS

A system, a method, and a computer program product for deployment of objects are disclosed. Using a deployment infrastructure of a database system, a deployment container for deployment of at least one object at runtime of an application is generated. The container includes at least one artifact for the object and a container schema indicative of at least one dependency associated with the object. At least one deployment privilege is associated based on the container schema with the artifact for the object. The artifact of the deployment container is deployed based on the associated deployment schema during runtime of the application. The container can be an isolated container and an access privilege to an object can be requested based on a synonym for deployment purposes. 1. A computer-implemented method , comprising:generating, using a deployment infrastructure of a database system, a deployment container for deployment of at least one object at runtime of an application, the container including at least one artifact for the at least one object and a container schema indicative of at least one dependency associated with the at least one object;associating, based on the container schema, at least one deployment privilege with the at least one artifact for the at least one object; anddeploying, based on the associated deployment schema, the at least one artifact of the deployment container during runtime of the application;wherein the at least one of the generating, the associating, and the deploying is performed by at least one processor of at least one computing system.2. The method according to claim 1 , wherein the at least one artifact represents a target state of the at least one object during runtime of the application claim 1 , wherein the artifact specifies a view definition of the at least one object in the target state.3. The method according to claim 1 , wherein the artifact includes at least one of the following: a data definition language artifact ...

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Secure Database Featuring Separate Operating System User

Embodiments manage access to cryptography keys for database data, within a secure key store of a local key server owned by a new (security) operating system (OS) user separate from an original default OS user. Existing principles governing distinct OS user access privileges engrained within the OS itself, are leveraged to preclude the default OS user from accessing files of the new security OS user. Embodiments thus segregate the right to read secure cryptography keys of a secure key store, from the right to administer database installation on the OS level. While the original default OS user retains access to the encrypted data, the new security OS user now owns the cryptography key necessary to decrypt that database data. Thus, the default OS user is denied enough information to unlock the database data, enhancing its security. Embodiments are particularly useful for promoting data security in cloud setups and multi-tenant databases.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure. 1. A computer-implemented method comprising:storing data from an application operating on an application server in an application format defined by an application custom data type and an application custom data structure in an in-memory database operating on a database server, the database server further comprising a hard disk drive storing other data in a database format that is different from the application format;retrieving the data from the in-memory database in response to a request to access the data;storing the data from the in-memory database in a shared memory;accessing the data from the shared memory for use in the application;receiving the application custom data structure in the in-memory database;transforming the other data stored in the hard disk drive from the database format to the application format using the application custom data structure processed by an in-memory database engine; andsending the transformed other data from the database to the shared memory in the application format.2. The method of wherein the application server and the database server are virtual machines.3. The method of wherein the shared ...

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Managing user-controlled security keys in cloud-based scenarios

A system for managing user-controlled security keys in cloud-based scenarios is provided. In some implementations, the system performs operations comprising receiving an information request from a user device via a network, and generating a database query based at least in part upon the information request. The operations can comprise generating a request for a secret key for decrypting encrypted data when the database query requests the encrypted data and/or generating a request for a secret key for encrypting data when the database query requests to encrypt data. The operations can also comprise providing the request to a security key management entity via a network, receiving secret key information from the security key management entity via the network, and using the secret key information to form decrypted data or encrypted data. Related systems, methods, and articles of manufacture are also described.

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

System and method for unlocking an encryption key chain without compromising security

The system described herein provides for storing the databases and encryption keys for decrypting the data in the databases into two separate partitions. In an embodiment, the first partition includes the databases while the second partition includes a configuration database and a payload database. The payload database stores a data encryption key for decrypting the data stored in the databases. The payload database is encrypted and may be decrypted using a body encryption key. The body encryption key itself is encrypted twice. In the first instance a key encryption key is generated and in the second instance a second access key is generated. The key encryption key or the second access key may be used to decrypt the body encryption key. The second access key is stored in a secure location, to be retrieved in situations when the key encryption key is inaccessible.

Database integration with an external key management system

The present disclosure involves systems, software, and computer implemented methods for database integration with an external key management system. One example method includes receiving, by a database system, a key encryption key from an external key management system external to the database system that is used to encrypt a data encryption key used to encrypt database data. The data encryption key is obtained, by the database system, using the key encryption key. Encrypted database data is decrypted, by the database system and using the data encryption key, to obtain decrypted database data before performing an operation on the decrypted database data. The database system determines that the external key management system has performed an operation on the key encryption key. In response to determining that the external key management system has performed the operation on the key encryption key, the database system modifies operation of the database system.

File-based transport of table content

A system includes reception of a configuration set definition file defining the structure of one or more customizing tables of a software application, reception of a configuration data file including data for the one or more customizing tables, and, during activation of the software application in a run-time system, generation of the one or more customizing tables based on the configuration set definition file, generation of a service to access the configuration data file, and population of the one or more customizing tables with data of the configuration data file.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure. 1. A computer-implemented method comprising:storing data from an application operating on an application server, in an application format defined by an application custom data type and an application custom data structure, in a database operating on a database server;storing, in a database persistent storage, other data in a database format that is different from the application format;retrieving the data from the database in response to a request to access the data;receiving the application custom data structure in the database;transforming the other data stored to an intermediate format using the application custom data structure processed by a database service layer to translate generic access logic into a specific dialect of structured query language (SQL); andfurther transforming the other data in the intermediate format, into the application format.2. The method of wherein storing data from the application operating on the application server comprises:storing the data on the application server operating as a first virtual machine, in the database operating on the database server as a second virtual machine.3. The method of ...

DATABASE INTEGRATION WITH AN EXTERNAL KEY MANAGEMENT SYSTEM

The present disclosure involves systems, software, and computer implemented methods for database integration with an external key management system. One example method includes receiving, by a database system, a key encryption key from an external key management system external to the database system that is used to encrypt a data encryption key used to encrypt database data. The data encryption key is obtained, by the database system, using the key encryption key. Encrypted database data is decrypted, by the database system and using the data encryption key, to obtain decrypted database data before performing an operation on the decrypted database data. The database system determines that the external key management system has performed an operation on the key encryption key. In response to determining that the external key management system has performed the operation on the key encryption key, the database system modifies operation of the database system.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure. 1. A computer-implemented method comprising:storing data from an application operating on an application server in an application format defined by an application custom data type and an application custom data structure in a database operating on a database server, the database server further comprising a hard disk drive storing other data in a database format that is different from the application format;retrieving the data from the database in response to a request to access the data;receiving the application custom data structure in the database;transforming the other data stored in the hard disk drive from the database format to the application format using the application custom data structure processed by a database engine; andsending transformed other data from the database in the application format.2. The method of wherein the application server and the database server are virtual machines.3. The method of wherein the shared memory is accessible by both the application server virtual machine and the database server virtual machine.4. The method of wherein the application server virtual machine and the database server ...

Configuration modeling with objects

A computer-implemented method, computer program product and system for configuration modeling with objects are disclosed. A base configuration of an application is modeled, to generate a configuration model that specifies parameters, types, structures, and boundary conditions of the base configuration of the application. The configuration model is stored in a database repository as a repository object that can be activated with configuration data. One or more extensions to the base configuration is modeled as one or more configuration model extensions. The one or more configuration model extensions are stored as repository objects linked to the repository object representing the configuration model.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

KEY MANAGEMENT CONFIGURATIONS

A method, a system, and a computer program product for performing key management configurations. One or more encryption keys for encrypting one or more data payloads for accessing one or more databases are received. The received encryption keys are compared to a plurality of encryption keys associated with the databases. Based on the comparison, a configuration of at least one database is changed using the received encryption keys. The changed configuration is stored. 1. A computer-implemented method , comprising:receiving one or more encryption keys for encrypting one or more data payloads for accessing one or more databases;comparing the one or more received encryption keys to a plurality of encryption keys associated with the one or more databases;changing, based on the comparing, a configuration of at least one database in the one or more databases using the received one or more encryption keys; andstoring the changed configuration.2. The method according to claim 1 , wherein the changing the configuration of the at least one database includes adding the one or more received encryption keys to the plurality of encryption keys.3. The method according to claim 2 , wherein the adding includes storing one or more key-value settings associated with the one or more received encryption keys.4. The method according to claim 1 , wherein the changing the configuration of the at least one database includes deleting the one or more received encryption keys from the plurality of encryption keys.5. The method according to claim 1 , wherein the changing the configuration of the at least one database includes updating one or more encryption keys in the plurality of encryption keys using the one or more received encryption keys.6. The method according to claim 5 , wherein the updating includes updating one or more stored key-value settings associated with the one or more updated encryption keys.7. The method according to claim 1 , wherein at least one of the one or more received ...

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

COLUMN PROTECTION

Methods, systems, and apparatus, including computer program products, are provided for configuring access controls to a database. In one aspect there is provided a method. The method may include receiving, from a first user, a table declaration for creating a database table in a database; generating, based on the table declaration, the database table; receiving, from the first user, a specification of one or more access mechanisms that have a privilege to access the database table; receiving a designation of at least one column in the database table as a protected column and one or more users who have a privilege to access the content of the protected column; and providing control over access to the content of the protected column based at least in part on the specification of the one or more access mechanisms and the designation of the at least one column and the second user.

Generic layer for virtual object resolution

Systems and techniques to derive virtual objects at run-time from persistencely stored objects. In general, in one implementation, the technique includes receiving a request for a target object from a requesting application. It is determined whether a delta link is associated with the target object. The delta link includes a location of the target object and information describing a desired difference between the target object and a derived object to be returned to the requesting application. The target object is located and a derived object is generated from the target object and the information in the delta link. The derived object is then returned to the requesting application. The target object, and derived object, may include a number of elements. The elements may be name-value pairs, or "properties", or a number of child objects in an object hierarchy.

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Integrated Application Server and Data Server Processes with Matching Data Formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Key management configurations

A method, a system, and a computer program product for performing key management configurations. One or more encryption keys for encrypting one or more data payloads for accessing one or more databases are received. The received encryption keys are compared to a plurality of encryption keys associated with the databases. Based on the comparison, a configuration of at least one database is changed using the received encryption keys. The changed configuration is stored.

Database level containers

A system, a method, and a computer program product for deployment of objects are disclosed. Using a deployment infrastructure of a database system, a deployment container for deployment of at least one object at runtime of an application is generated. The container includes at least one artifact for the object and a container schema indicative of at least one dependency associated with the object. At least one deployment privilege is associated based on the container schema with the artifact for the object. The artifact of the deployment container is deployed based on the associated deployment schema during runtime of the application. The container can be an isolated container and an access privilege to an object can be requested based on a synonym for deployment purposes.

Secure database featuring separate operating system user

Embodiments manage access to cryptography keys for database data, within a secure key store of a local key server owned by a new (security) operating system (OS) user separate from an original default OS user. Existing principles governing distinct OS user access privileges engrained within the OS itself, are leveraged to preclude the default OS user from accessing files of the new security OS user. Embodiments thus segregate the right to read secure cryptography keys of a secure key store, from the right to administer database installation on the OS level. While the original default OS user retains access to the encrypted data, the new security OS user now owns the cryptography key necessary to decrypt that database data. Thus, the default OS user is denied enough information to unlock the database data, enhancing its security. Embodiments are particularly useful for promoting data security in cloud setups and multi-tenant databases.

Integrated application server and data server processes with matching data formate

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Integrated application server and data server processes with matching data formats

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

Software logistics for pattern-based applications

Methods and apparatus including computer program products implement techniques for developing and deploying applications using configurable patterns. Configuration data is received for a pattern, and the configuration data is stored in a design store. The pattern defines an arrangement of user interface elements and specifies predefined actions that can be performed using the user interface elements. The configuration data specifies associations between one or more of the user interface elements or one or more objects in a back-end system. The configuration data is transferred from the design store to a design time repository, and the application is deployed corresponding to the configuration data.

CONFIGURATION MODELING WITH OBJECTS

A computer-implemented method, computer program product and system for configuration modeling with objects are disclosed. A base configuration of an application is modeled, to generate a configuration model that specifies parameters, types, structures, and boundary conditions of the base configuration of the application. The configuration model is stored in a database repository as a repository object that can be activated with configuration data. One or more extensions to the base configuration is modeled as one or more configuration model extensions. The one or more configuration model extensions are stored as repository objects linked to the repository object representing the configuration model.

MANAGING USER-CONTROLLED SECURITY KEYS IN CLOUD-BASED SCENARIOS

A system for managing user-controlled security keys in cloud-based scenarios is provided. In some implementations, the system performs operations comprising receiving an information request from a user device via a network, and generating a database query based at least in part upon the information request. The operations can comprise generating a request for a secret key for decrypting encrypted data when the database query requests the encrypted data and/or generating a request for a secret key for encrypting data when the database query requests to encrypt data. The operations can also comprise providing the request to a security key management entity via a network, receiving secret key information from the security key management entity via the network, and using the secret key information to form decrypted data or encrypted data. Related systems, methods, and articles of manufacture are also described. 1. A system comprising:at least one hardware data processor; and generating, at a database server, a request for a secret key for decrypting encrypted data when a database query requests the encrypted data;', 'providing, by the database server, the request to a security key management entity via a network;', 'receiving, by the database server, secret key information from the security key management entity via the network; and', 'decrypting, at the database server, the encrypted data using the secret key information to form decrypted data., 'at least one memory storing instructions which, when executed by the at least one data processor, result in operations comprising2. The system of claim 1 , wherein the operations further comprise:generating, at the database server, a second request for a secret key for encrypting unencrypted data when the database query requests to encrypt the unencrypted data; andencrypting, at the database server, the unencrypted data using the secret key information to form second encrypted data when the database query requests to encrypt ...

INTEGRATED APPLICATION SERVER AND DATA SERVER PROCESSES WITH MATCHING DATA FORMATS

In one embodiment, the present invention includes a computer-implemented method comprising storing data in an application using an application custom data type and application custom data structure. The data is stored in a database using the application custom data type and the application custom data structure. In one embodiment, a request is sent to access the data from the application to the database. The data is retrieved from the database in response to the request in the application custom data type and the application custom data structure. In one embodiment, the data is sent from the database to a shared memory in the application custom data type and the application custom data structure and the data is retrieved by the application from the shared memory in the application custom data type and the application custom data structure.

SYSTEM AND METHOD FOR UNLOCKING AN ENCRYPTION KEY CHAIN WITHOUT COMPROMISING SECURITY

The system described herein provides for storing the databases and encryption keys for decrypting the data in the databases into two separate partitions. In an embodiment, the first partition includes the databases while the second partition includes a configuration database and a payload database. The payload database stores a data encryption key for decrypting the data stored in the databases. The payload database is encrypted and may be decrypted using a body encryption key. The body encryption key itself is encrypted twice. In the first instance a key encryption key is generated and in the second instance a second access key is generated. The key encryption key or the second access key may be used to decrypt the body encryption key. The second access key is stored in a secure location, to be retrieved in situations when the key encryption key is inaccessible. 1. A computer-implemented method comprising:executing, by one or more computing devices, a procedure by a database management system (DBMS) attempting to access a database storing encrypted data, wherein the database resides in a first partition of a bifurcated computing system;executing, by the one or more computing devices, a call to a local secure store (LSS) to access a data encryption key to decrypt the encrypted data in the database, in response to the procedure's attempt to access the database, wherein the LSS resides in a second partition of the bifurcated computing system and wherein the first and second partition are visually isolated from each other;querying, by the one or more computing devices, a configuration database in the LSS to retrieve a key encryption key for accessing a payload database storing the data encryption key;accessing, by the one or more computing devices, the payload database using the key encryption key;retrieving, by the one or more computing devices, the data encryption key from the payload database;transmitting, by the one or more computing devices, the data encryption ...

Native multi-tenancy for database system

Systems and methods include creation of a first instance of a tenant object in a database instance, association of the first instance of the tenant object with a first plurality of database artifacts including first data associated with the first instance of the tenant object, creation of a second instance of the tenant object in the database instance, association of the second instance of the tenant object with a second plurality of database artifacts including second data associated with the second instance of the tenant object, and reception and response to queries on the first data associated with the first instance of the tenant object and to queries on the second data associated with the second instance of the tenant object.

Native multi-tenant encryption for database system

A database system includes a persistent storage system, a memory storing metadata defining a tenant object and a plurality of database artifacts, a first instance of the tenant object, the first instance associated with a first plurality of the database artifacts including first data associated with the first instance of the tenant object, and a second instance of the tenant object, the second instance associated with a second plurality of the database artifacts including second data associated with the second instance of the tenant object. A processing unit is to execute program code of a database instance to cause the database system to encrypt the first data associated with the first instance of the tenant object using a first public encryption key and store the encrypted first data in the persistent storage system, and encrypt the second data associated with the second instance of the tenant object using a second public encryption key and store the encrypted second data in the persistent storage system.

Native multi-tenancy for database system

Systems and methods include creation of a first instance of a tenant object in a database instance, association of the first instance of the tenant object with a first plurality of database artifacts including first data associated with the first instance of the tenant object, creation of a second instance of the tenant object in the database instance, association of the second instance of the tenant object with a second plurality of database artifacts including second data associated with the second instance of the tenant object, and reception and response to queries on the first data associated with the first instance of the tenant object and to queries on the second data associated with the second instance of the tenant object.

データベースシステムのためのネイティブマルチテナンシ

【課題】データベースインスタンスレベルの機能をテナントレベルで提供するデータベースシステムを提供すること。【解決手段】システムおよび方法は、データベースインスタンス内へのテナントオブジェクトの第1のインスタンスの作成と、前記第1のインスタンスの、前記第1のインスタンスに関連する第1のデータを含む第1の複数のデータベースアーティファクトとの関連付けと、データベースインスタンス内へのテナントオブジェクトの第2のインスタンスの作成と、前記第2のインスタンスの、前記第2のインスタンスに関連する第2のデータを含む第2の複数のデータベースアーティファクトとの関連付けと、前記第1のインスタンスに関連する第1のデータに関するクエリ、および前記第2のインスタンスに関連する第2のデータに関するクエリの受信、およびそれらのクエリへの応答とを含む。【選択図】図6

Management of tenant-specific encryption keys

Systems and methods include assignment of first data artifacts stored in a volatile memory to a first database tenant object instance stored in the volatile memory, storage, in a persistent storage system, of a first payload database comprising a first encryption key for encrypting and decrypting the first data artifacts, storage, in the persistent storage system, a second payload database comprising a second encryption key for encrypting and decrypting second data artifacts not assigned to a database tenant object instance, and storage, in the persistent storage system, of a configuration database comprising a first portion including information usable for decrypting the first encryption key and a second portion including information usable for decrypting the second encryption key.

Generic layer for virtual object resolution

Generic layer for virtual object resolution

Generic layer for virtual object resolution

Generic layer for virtual object resolution

Systems and techniques to derive virtual objects at run-time from persistencely stored objects. In general, in one implementation, the technique includes receiving a request for a target object from a requesting application. It is determined whether a delta link is associated with the target object. The delta link includes a location of the target object and information describing a desired difference between the target object and a derived object to be returned to the requesting application. The target object is located and a derived object is generated from the target object and the information in the delta link. The derived object is then returned to the requesting application. The target object, and derived object, may include a number of elements. The elements may be name-value pairs, or 'properties', or a number of child objects in an object hierarchy.

Native multi-tenancy for database system

Systems and methods include creation of a first instance of a tenant object in a database instance, association of the first instance of the tenant object with a first plurality of database artifacts including first data associated with the first instance of the tenant object, creation of a second instance of the tenant object in the database instance, association of the second instance of the tenant object with a second plurality of database artifacts including second data associated with the second instance of the tenant object, and reception and response to queries on the first data associated with the first instance of the tenant object and to queries on the second data associated with the second instance of the tenant object.

Native multi-tenancy for database system

Systems and methods include creation of a first instance of a tenant object in a database instance, association of the first instance of the tenant object with a first plurality of database artifacts including first data associated with the first instance of the tenant object, creation of a second instance of the tenant object in the database instance, association of the second instance of the tenant object with a second plurality of database artifacts including second data associated with the second instance of the tenant object, and reception and response to queries on the first data associated with the first instance of the tenant object and to queries on the second data associated with the second instance of the tenant object. 1/7 100 130 140 CUSTOMER CUSTOMER A 135 B 45 R R v v 120 MULTI-TENANT APPLICATION R 110 111 112 114 TENANT A -- 5 ARTIFACTS A r -- - - - - 116 TENANT B 117 ARTIFACTS B ' 118 113 :PEfRSISTENCE! FIG. I

Native multi-tenant encryption for database system

A database system includes a persistent storage system, a memory storing metadata defining a tenant object and a plurality of database artifacts, a first instance of the tenant object, the first instance associated with a first plurality of the database artifacts including first data associated with the first instance of the tenant object, and a second instance of the tenant object, the second instance associated with a second plurality of the database artifacts including second data associated with the second instance of the tenant object. A processing unit is to execute program code of a database instance to cause the database system to encrypt the first data associated with the first instance of the tenant object using a first public encryption key and store the encrypted first data in the persistent storage system, and encrypt the second data associated with the second instance of the tenant object using a second public encryption key and store the encrypted second data in the persistent storage system.