Integrating TDE with CipherTrust Manager on Oracle 19c
This section outlines the following steps to integrate TDE with the CipherTrust Manager on Oracle 19c:
Configuring Keystore Location
After configuring CAKM for Oracle TDE library with Oracle TDE, you need to configure the keystore location.
In the pfile or spfile, set the software wallet location in the WALLET_ROOT
parameter and wallet type in the TDE_CONFIGURATION
parameter.
Configuring HSM Wallet
This section covers the following topics:
Configuring HSM Wallet on Fresh Setup
Create wallet directory using the following commands:
For Linux
mkdir -p <software_wallet_location> chown -R oracle:oinstall <software_wallet_location>
For Windows
Create the
<software_wallet_location>
directory manually.After creating the wallet location, provide Read, Write, and execute permissions on the
<software_wallet_location>
to Oracle user.Set
WALLET_ROOT
parameter in the spfile.sqlplus / as sysdba ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both;
Check the existing wallets in the Oracle database. Initially, there will be no wallet. To verify this, execute the following command:
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS HSM UNKNOWN CLOSED In following sample command,
<cm_user:cm_user_password>
represents the NAE user name and its password. NAE user name and password are case-sensitive. They must appear in double-quotes (" ") separated by a colon (:).
NAE user specified in here is the owner of the encryption key created and stored on the CipherTrust Manager.
The CipherTrust Manager GUI displays the generated master encryption key.Connect to the database as
<oracle_db_user>
and open the hardware security module (HSM) keystore.connect <oracle_db_user>/<oracle_db_user_password>; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
Set the HSM keystore TDE master encryption key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";
Check the wallet status by executing the following query:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS HSM HSM OPEN While using Oracle RAC, repeat the steps from 1 to 6 on the other node(s).
For Column and Tablespace encryption, refer Tasks.
Configuring Manual HSM Wallet to Auto-Login HSM Wallet
After configuring Manual HSM wallet, you can enable Auto-Login. Auto-Login prevents the need to open the wallet each time you restart the database. To enable Auto-Login, follow the steps below:
Create the directory for every database and permit the oracle user to access this directory.
For Linux
mkdir -p <software_wallet_location> chown -R oracle:oinstall <software_wallet_location>
For Windows
Create the
<software_wallet_location>
directory manually.After creating the wallet location, provide Read, Write, and execute permissions on the
<software_wallet_location>
to Oracle user.Start new sql session and set
WALLET_ROOT
parameter in spfile.sqlplus / as sysdba ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
Create the software keystore at the location provided in the spfile file.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Reverse migrate the HSM Wallet to File Wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
Add the secret to the software keystore. This secret is the HSM's password and the client is
HSM_PASSWORD
. HSM_PASSWORD is an oracle defined client name that represents the HSM password as a secret in the software keystore.ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create Auto-Login.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart database to enable Auto-Login.
SHUTDOWN IMMEDIATE; STARTUP;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Migrate Auto-Login File Wallet to Auto-Login HSM Wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Confirm HSM Auto-Login is now activated.
SHUTDOWN IMMEDIATE; STARTUP; COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Access the data from column encrypted table or tablespace encrypted tables.
connect <oracle_db_user>/<oracle_db_user_password>; SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
When using Oracle RAC, perform all the above steps only on one target instance and have all the other RAC instance(s) shutdown. After following the above steps copy the cwallet.sso file from the configured node to all the other node(s) at the same
<software_wallet_location>
location. After copying cwallet.sso on the other node(s), restart all the other RAC instance(s).
Configuring Manual HSM Wallet with PDB in United Mode
Whenever you restart any of the databases, you must run alter pluggable command as shown below:ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
• Do not configure HSM Auto-Login for CBD until you generate the master key for pluggable database (PDB) (All PDBs in case multiple PDBs are using TDE). After generating the master key for all PDBs, you can configure the CDB for Auto-Login and it will work for all PDBs as well.
• To plug a PDB from one CDB to another, simply unplug the PDB from one Container and plug into another Container Database and open the wallet in PDB. It would start working.
To configure an HSM wallet with a PDB in United mode:
Configure Keystore Location using the following command:
sqlplus / as sysdba ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile; shutdown immediate; startup; SHOW PARAMETER WALLET_ROOT;
Open the PDB in read-write mode.
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Grant the administrator privilege to
pdbuser
.GRANT ADMINISTER KEY MANAGEMENT TO <pdbuser>; GRANT CREATE SESSION TO <pdbuser>; GRANT CONNECT TO <pdbuser>; COMMIT;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both; SHOW PARAMETER TDE_CONFIGURATION;
Open the HSM wallet in CDB and PDB.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<ALL>;
Set the HSM master encryption key in CDB and PDB.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<ALL>;
Log into the targeted PDB and create encrypted tablespace and table.
ALTER SESSION SET CONTAINER=<pdb_name>; Connect <pdbuser>/<pdb_password>;
For Column and Tablespace encryption, refer Tasks.
Configuring Auto-login HSM Wallet with PDB
To enable Auto-Login with PDB, you need to enable Auto-Login in the container database only. Once you enable Auto-Login in CDB, it would automatically work for PDB. To configure Auto-Login in CDB, follow the below steps:
Create the directory for every database and permit the oracle user to access this directory.
mkdir -p <software_wallet_location> chown -R oracle:oinstall <software_wallet_location>
Set
WALLET_ROOT
to software location parameter in the spfile and restart the database.sqlplus / as sysdba ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP; ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Set
TDE_CONFIGURATION
parameter in pfile and spfile.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;
Create the software keystore at the location provided in the spfile.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=<pdb_name>/<ALL>;
Reverse migrate HSM Wallet to File Wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
Add the secret to the software keystore. This secret is the HSM's password and the client is
HSM_PASSWORD
. HSM_PASSWORD is an oracle defined client name that represents the HSM password as a secret in the software keystore.ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create Auto-Login.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP; ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Migrate Auto-Login File Wallet to Auto-Login HSM Wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Check the wallet status.
SHUTDOWN IMMEDIATE; STARTUP; ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE; COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Connect to the PDB.
ALTER SESSION SET CONTAINER=<pdb_name>; CONNECT <pdb_user>/<pdb_user_password>@<pdb_name>;
Check the wallet status and access the data from the encrypted tablespace and tables.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET; SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
When using Oracle RAC, perform all the above steps only on one target instance and have all the other RAC instance shutdown.
After all the above steps are completed copy the
cwallet.sso
file from the configured target node to all the other node(s) at the/tde location. After copying cwallet.sso
, start all other RAC instance(s) and open the PDB.sqlplus / as sysdba STARTUP; ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Migrating from Software Wallet to HSM Wallet
This section covers the following topics:
Migrating Manual Software Wallet to HSM Wallet
You can migrate the already configured software-based wallet to HSM wallet. If you have a software wallet configured already, wallet information will look like below:
sqlplus / as sysdba
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
To migrate a software wallet to an HSM wallet:
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Run the command to migrate the key from the software wallet to the HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" with backup;
When using Oracle RAC, it is recommended to perform all the above steps only on one target instance and have all the other RAC instance shutdown down.
After all the above steps are completed copy the ewallet.p12 file from the configured target node to all the other node(s) at the
/tde location. Restart all other RAC instance(s). sqlplus / as sysdba STARTUP; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
Migrating Manual Software Wallet to Auto-Login HSM Wallet
You can migrate the already configured manual software-based wallet to Auto-Login HSM wallet. If you have a software wallet configured already, wallet information will look like below:
Check the wallet status:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS FILE <software_wallet_location>
PASSWORD OPEN Add the secret to the software keystore. This secret is the HSM's password and the client is
HSM_PASSWORD
.HSM_PASSWORD
is an oracle defined client name that represents the HSM password as a secret in the software keystore.You must include the
<cm_user:cm_user_password>
andHSM_PASSWORD
in single quotes. It will not work if you do not do this.ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE; STARTUP; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Set
TDE_CONFIGURATION
parameter and verify.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both; SHOW PARAMETER TDE_CONFIGURATION;
Migrate the manual software wallet to Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Create new MEK on CM
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";
Access the data from the encrypted tablespace and tables.
connect <oracle_db_user>/<oracle_db_user_password>; SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
When using Oracle RAC, after follwoing the above steps copy the
cwallet.sso
file from the configured node to all the other node(s) at the same location. After copyingcwallet.sso
on the other node(s), restart the database.
Migrating Auto-Login Software Wallet to Auto-Login HSM Wallet
You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Loginenabled HSM wallet. If you have a software wallet configured already, the content of the spfile
file and wallet information will have the following structure:
WALLET_ROOT=<software_wallet_location>
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN |
Rename or move the
cwallet.sso
file from the location specified above to any other location.Restart the database and open the software keystore.
SHUTDOWN IMMEDIATE; STARTUP; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Add the secret to the software keystore. This secret is the HSM's password and the client is
HSM_PASSWORD
.HSM_PASSWORD
is an oracle defined client name that represents the HSM password as a secret in the software keystore.You must include the
<cm_user:cm_user_password>
andHSM_PASSWORD
in single quotes. It will not work if you do not do this.ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE; STARTUP; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Migrate the Auto-Login software wallet to Auto-Login HSM wallet.
connect <oracle_db_user>/<oracle_db_user_password>; ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Create new MEK on CM.
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";
Access the data from the encrypted tablespace and tables.
SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
When using Oracle RAC, after following the above steps copy the
cwallet.sso
file from the configured node to all the other node(s) at the same location. After copyingcwallet.sso
on the other node(s), restart the database.
Migrating Software Wallet to HSM Wallet in PDB
If you are using PDB with software wallet, you can migrate to an HSM wallet. Your spfile
file and wallet status for both CDB and PDB will have the following structure:
CDB:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
PDB:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | PASSWORD | OPEN |
Set
TDE_CONFIGURATION
parameter and verify.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both; SHOW PARAMETER TDE_CONFIGURATION;
Migrate both CDB and PDB to HSM wallet and set the encryption key.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>"; ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<pdb_name>/<ALL>;
Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Restart the database, login with CDB and open the wallet.
After restarting any of the databases, you must run alter pluggable command as shown below:
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Log on to the PDB and open the wallet. HSM wallet will open and retrieve the data from the encrypted tables.
When using Oracle RAC, perform all the above steps only on one target instance and have all the other RAC instance shutdown down.
After all the above steps are completed copy the ewallet.p12 file from the configured target node to all the other node(s) at the
/tde location. Restart all other RAC instance(s) and open the PDB. sqlplus / as sysdba STARTUP; ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<pdb_name>/<ALL>;
Migrating Auto-Login File Wallet with PDB to Auto-Login HSM Wallet with PDB
You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If you have a software wallet configured already, the content of the spfile
file and wallet information will have the following structure:
WALLET_ROOT=<software_wallet_location>
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN |
Rename or move the
cwallet.sso
file from the location specified above to any other location.Restart the database and open the software keystore.
SHUTDOWN IMMEDIATE; STARTUP; ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE; show parameter WALLET_ROOT;
Set the
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both; show parameter TDE_CONFIGURATION;
Migrate the Software wallet to HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" with backup;
Check the wallet status.
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Set the master encryption key for the HSM keystore.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" container=<pdb_name>/<ALL>;
Closed the HSM keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";
Set the
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
Open keystore for all PDBs.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" container=<pdb_name>/<ALL>;
Add the secret to the software keystore. This secret is the HSM's password and the client is
HSM_PASSWORD
.HSM_PASSWORD
is an oracle defined client name that represents the HSM password as a secret in the software keystore.You must include the
<cm_user:cm_user_password>
andHSM_PASSWORD
in single quotes. It will not work if you do not do this.ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Set the
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Restart the database.
shutdown immediate; startup;
Open the PDB in read-write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
Check Wallet status.
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Connect to the PDB.
ALTER SESSION SET CONTAINER=<pdb_name>;
Check Wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
(This step is applicable to Oracle RAC.) After running the above steps on the source node, perform the following steps on all the destination nodes.
Rename the existing cwallet.sso file.
Copy the cwallet.sso file from the source node to the destination node in the cluster at the same location.
Restart the database on the destination node.
Open the PDB in Read-Write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
Migrating Back from HSM Wallet to Software Wallet
If you want to switch from an HSM keystore to a software keystore then you can use reverse migration of the keystore.
It is recommended to keep the HSM. Earlier backup files may rely on TDE master encryption keys present in the HSM.
Set
TDE_CONFIGURATION
parameter.ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
Log on to the database instance as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege.sqlplus / as sysdba GRANT ADMINISTER KEY MANAGEMENT to system; commit; Connect <oracle_db_user>/<oracle_db_user_password>; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Run Reverse Migration command.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
After you complete the reverse migration, you do not need to restart the database or manually reopen the software keystore.
When using Oracle RAC, perform all the above steps only on one target instance and have all the other RAC instance shutdown.
After all the above steps are completed copy the ewallet.p12 file from the configured target node to all the other node(s) at the
/tde location. Restart all other RAC instance(s) and open wallet. sqlplus / as sysdba STARTUP; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>"; ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<software_keystore_password>";