Upgrading CAKM for Oracle TDE Provider
This section is applicable for:
Upgrading from SafeNet ProtectApp Oracle TDE to CAKM for Oracle TDE
Upgrading CAKM for Oracle TDE from an older version to the latest version
Upgrading from SafeNet ProtectApp Oracle TDE to CAKM for Oracle TDE
Caution
Upgrading from SafeNet ProtectApp Oracle TDE to CAKM for Oracle TDE requires you to first uninstall SafeNet ProtectApp Oracle TDE and then install CAKM for Oracle TDE.
It is recommended to take a backup of your last configuration file and other required files before upgrade.
If you are upgrading from CAKM for Oracle TDE 8.10 to CAKM for Oracle TDE 8.11 or above, and the master key is created inside the domain, then after rebooting the Oracle instance, you must open the wallet through the command:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "dom_hr::cm_user:cm_user_password";
Upgrading CAKM for Oracle TDE from an older version to the latest version
Caution
Install the latest version of CAKM for Oracle TDE. It replaces the installed files with a newer version. Hence, it is recommended to take a backup of your last configuration file and other required files before upgrade.
To upgrade CAKM for Oracle TDE from 8.10.0 to 8.11.0:
Upgrade Existing Auto-login HSM Wallet to New Auto-login HSM Wallet
Upgrade Existing Auto-login HSM Wallet with PDB to New Auto-login HSM Wallet with PDB
Upgrade Existing Manual HSM Wallet to New Manual HSM Wallet
To upgrade the existing Manual HSM wallet to the new Manual HSM wallet, open the Manual HSM wallet using the following command:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "domain::cm_user:cm_user_password";
Upgrade Existing Auto-login HSM wallet to New Auto-login HSM wallet
To upgrade the existing Auto-login HSM wallet to new Auto-login HSM wallet, perform the steps mentioned below:
1. Rename or move the cwallet.sso file.
2. Restart the database. Check the status of the existing wallet in the Oracle database. Execute the following commands.
   sqlplus / as sysdba
   SHUTDOWN IMMEDIATE;
   STARTUP;
   COLUMN WRL_PARAMETER FORMAT A50;
   SET LINES 200;
   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
3. Reset the TDE_CONFIGURATION parameter.
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
4. Open the Software Wallet.
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
5. Add a secret for HSM. You can do it in two ways:
   - Deleting the previously set secret and adding a new secret for CAKM for Oracle TDE.
     ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
     ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
   - Updating the previously set secret with the secret for CAKM for Oracle TDE.
     ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
   If you are changing the username on the client side, you must also update the same username on CipherTrust Manager for the respective master key and Opaque_Object.
6. Create a new auto-login keystore using the password of the Oracle software wallet.
   ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
7. Reset the TDE_CONFIGURATION parameter and restart the database.
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
   SHUTDOWN IMMEDIATE;
   STARTUP;
8. (This step is applicable for Oracle RAC.) After running the above steps on the source node, run the following steps on all the destination node(s).
   a. Rename the existing cwallet.sso file.
   b. Copy the cwallet.sso file from the source node to the destination node in the cluster at the same location.
   c. Restart the database on the destination node.
Upgrade Existing Auto-login HSM Wallet with PDB to New Auto-login HSM Wallet with PDB
To upgrade the existing Auto-login HSM wallet with PDB to new Auto-login HSM wallet with PDB, perform the steps mentioned below:
1. Rename or move the cwallet.sso file.
2. Restart the database. Check the status of the existing wallet in the Oracle database. Execute the following commands.
   sqlplus / as sysdba
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
   COLUMN WRL_PARAMETER FORMAT A50;
   SET LINES 200;
   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
3. Reset the TDE_CONFIGURATION parameter.
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
4. Open the Software Wallet.
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=<ALL>;
5. Add a secret for HSM. You can do it in two ways:
   - Deleting the previously set secret and adding a new secret for CAKM for Oracle TDE.
     ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
     ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
   - Updating the previously set secret with the secret for CAKM for Oracle TDE.
     ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
6. Create a new auto-login keystore using the password of the Oracle software wallet.
   ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
7. Reset the TDE_CONFIGURATION parameter and restart the database.
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
8. (This step is applicable for Oracle RAC.) After running the above steps on the source node, run the following steps on all the destination node(s).
   a. Rename the existing cwallet.sso file.
   b. Copy the cwallet.sso file from the source node to the destination node in the cluster at the same location.
   c. Restart the database on the destination node.
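For the Oracle RAC destination-node step in both procedures above (rename the existing cwallet.sso, then copy in the source node's file), the following is an added example and not part of the vendor documentation. It verifies the transferred file against a SHA-256 recorded on the source node and installs it owner-only, because the auto-login keystore is created from the keystore that holds the HSM_PASSWORD secret. The function names, the staging path and the return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code): replace cwallet.sso on a RAC destination node.
# Assumes the source node's cwallet.sso was already transferred to a staging
# path on this node and its SHA-256 was recorded on the source node.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_wallet <staged_file> <wallet_dir> <expected_sha256>
# Returns 0 on success, 1 bad arguments, 2 checksum mismatch, 3 file error.
install_wallet() {
    staged=$1; wallet_dir=$2; expected=$3
    [ -f "$staged" ] && [ -d "$wallet_dir" ] || return 1

    # Verify the transferred copy before touching the live wallet.
    [ "$(sha256_of "$staged")" = "$expected" ] || return 2

    target="$wallet_dir/cwallet.sso"
    # Rename (do not delete) the existing wallet so the node can be rolled back.
    if [ -f "$target" ]; then
        mv "$target" "$target.$(date +%Y%m%d%H%M%S).bak" || return 3
    fi

    # Create the new wallet readable by its owner only.
    ( umask 077 && cp "$staged" "$target" ) || return 3
    chmod 600 "$target" || return 3

    # Confirm the installed file is the one that was verified.
    [ "$(sha256_of "$target")" = "$expected" ] || return 2
    return 0
}

# Usage on the destination node, run as the Oracle software owner:
#   install_wallet <staged_cwallet.sso> <wallet_directory> <sha256_from_source_node>
```

Restart the database on the destination node only after the function returns 0; a return of 2 means the staged file does not match the source node's wallet and the existing wallet was left in place.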
Note
On the AIX platform for SafeNet Oracle TDE, you can comment out the LIBPATH parameter in the .profile/.bash_profile file for samplelibs.
To load the latest configuration file and the library, restart the Oracle database after upgrading CAKM for Oracle TDE.