Abstract: Methods, systems, and devices for transparent data encryption are described. A transparent proxy may enforce a specific encryption policy for a data transmission from a source host to a target host, where the transparent proxy determines if the data transmission is encrypted according to a specific encryption policy prior to forwarding the data transmission to the target host. As such, if the data transmission is not encrypted according to the specific encryption policy, the transparent proxy may encrypt the data transmission and then forward it to the target host. Alternatively, if the transparent proxy determines that the data transmission is encrypted according to the specific encryption policy, then the transparent proxy may refrain from further encrypting the data transmission and forward the data transmission to the target host without the additional encryption.

Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.

Abstract: A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key and determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.

Abstract: A system is provided for data object encryption. The system includes an encryption framework available across a plurality of runtime environments. The system is configured to receive a data object in one of the plurality of runtime environments, wherein the data object is capable of being encrypted using a content encryption key and determine an encryption module implemented in the encryption framework that is compatible with the one of the plurality of runtime environment, wherein the encryption module comprises a key service provider that provides a master key and a key wrapping algorithm for the content encryption key in the runtime environment. The system is further configured to encrypt the data object using the content encryption key, encrypt the content encryption key using the master key and key wrapping algorithm, and write the encrypted data object to networked database storage.

Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.

Abstract: Methods, systems, and devices for transparent data encryption are described. A transparent proxy may enforce a specific encryption policy for a data transmission from a source host to a target host, where the transparent proxy determines if the data transmission is encrypted according to a specific encryption policy prior to forwarding the data transmission to the target host. As such, if the data transmission is not encrypted according to the specific encryption policy, the transparent proxy may encrypt the data transmission and then forward it to the target host. Alternatively, if the transparent proxy determines that the data transmission is encrypted according to the specific encryption policy, then the transparent proxy may refrain from further encrypting the data transmission and forward the data transmission to the target host without the additional encryption.

Abstract: Various mechanisms are disclosed herein for the saving and restoring of virtual machine environment state. For example, virtual machine state can be either be saved or (multiple) snapshots can be taken of the virtual machine state. In the latter case, virtual processors can be allowed to run while the memory of the virtual machine state is being saved. In either case, virtual devices associated with the virtual machine environment can be quiesced such that these devices can prepare themselves to be saved. Once such virtual devices and memory are saved, they can also be restored. For example, restoration of memory can occur while virtual processors are running at the same time. And, moreover, restoration can occur in batches of pages, thus optimizing the response time for restoring saved data.

Abstract: Various mechanisms are disclosed herein for the saving and restoring of virtual machine environment state. For example, virtual machine state can be either be saved or (multiple) snapshots can be taken of the virtual machine state. In the latter case, virtual processors can be allowed to run while the memory of the virtual machine state is being saved. In either case, virtual devices associated with the virtual machine environment can be quiesced such that these devices can prepare themselves to be saved. Once such virtual devices and memory are saved, they can also be restored. For example, restoration of memory can occur while virtual processors are running at the same time. And, moreover, restoration can occur in batches of pages, thus optimizing the response time for restoring saved data.

Abstract: Various mechanisms are disclosed herein for the saving and restoring of virtual machine environment state. For example, virtual machine state can be either be saved or (multiple) snapshots can be taken of the virtual machine state. In the latter case, virtual processors can be allowed to run while the memory of the virtual machine state is being saved. In either case, virtual devices associated with the virtual machine environment can be quiesced such that these devices can prepare themselves to be saved. Once such virtual devices and memory are saved, they can also be restored. For example, restoration of memory can occur while virtual processors are running at the same time. And, moreover, restoration can occur in batches of pages, thus optimizing the response time for restoring saved data.

Abstract: A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator.

Abstract: Architecture that facilitates interfacing non-integrated applications. The disclosed architecture comprises a set of APIs and conventions used to enable integration between tools that were not previously architected to be integrated. This provides the basis for server-based partner integration and client integration of tools, and can facilitate the foundation for building a third-party ecosystem. In support thereof, an artifact provider API exposes artifacts of a first application, and an artifact consumer API exposes a reference of a second application, which reference is associated with a link to one at least one of the artifacts of the artifact provider.

Abstract: Various mechanisms are disclosed herein for the saving and restoring of virtual machine environment state. For example, virtual machine state can be either be saved or (multiple) snapshots can be taken of the virtual machine state. In the latter case, virtual processors can be allowed to run while the memory of the virtual machine state is being saved. In either case, virtual devices associated with the virtual machine environment can be quiesced such that these devices can prepare themselves to be saved. Once such virtual devices and memory are saved, they can also be restored. For example, restoration of memory can occur while virtual processors are running at the same time. And, moreover, restoration can occur in batches of pages, thus optimizing the response time for restoring saved data.

Abstract: Query results are pre-cached for a substantial portion of or all queries that are likely to be issued by users. One query can be entirely different from another query, yet because corresponding query results are pre-cached, the database need not be accessed, improving response performance. Pre-cached queries are also distributed into multiple partitions to apportion work among multiple computing machines to further enhance performance and provide redundancy in case of the failure of any particular partition. Pre-cached query results are selectively refreshed so that users may enjoy up-to-date information by focusing on queries that are popular as well as queries that are old.

Abstract: In one embodiment, a method an apparatus for managing a system comprising at least one operational data store and a data warehouse that is associated with at least some of the data in the operational data set, comprising automatically updating the schema of the data warehouse to reflect a change to the schema of the at least one operational data store. In a further embodiment, a method and apparatus for requiring that a designer of a database system provide metadata that defines changes to be made to a data warehouse in response to a modification of an area in an operational store. In another embodiment, a method and apparatus for detecting schema changes to an operational store, so that appropriate action may be taken in a data warehouse. In a further embodiment, a method and apparatus for implementing changes to a data warehouse schema, comprising the execution of one or more lower level calls to appropriate APIs to modify the schemas of both a relational database and an OLAP database.

Abstract: A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator, and/or provide information specifying an object or object type and actions that are performable with respect to the object or object type by the respective software product.

Abstract: A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator.

Abstract: A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator. Permission information used to determine the authorization for a user to perform a requested action may be stored for a plurality of software products in a common location.

Abstract: The present invention provides a system and method for unrelated tools to categorized elements they control according to a common centrally managed classification scheme. The invention also provides a mechanism for storing, retrieving, and modifying classifying information. Users of unrelated tools that employ the subject invention see a single and consisted user interface.

Abstract: Architecture that facilitates interfacing non-integrated applications. The disclosed architecture comprises a set of APIs and conventions used to enable integration between tools that were not previously architected to be integrated. This provides the basis for server-based partner integration and client integration of tools, and can facilitate the foundation for building a third-party ecosystem. In support thereof, an artifact provider API exposes artifacts of a first application, and an artifact consumer API exposes a reference of a second application, which reference is associated with a link to one at least one of the artifacts of the artifact provider.

Abstract: Data capture and analysis for debugging embedded systems is disclosed. On a target, there is at least one data collector, each of which publishes predetermined data of the target, and a collection manager for managing the data collectors. On a host, there is at least one viewer, each of subscribes to the predetermined data of a data collector, for processing thereof, and a viewer manager for managing the viewers. Data collectors and viewers can be added, such that an extensible data capture and analysis embedded system architecture is provided.