Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Advanced Topics

Upgrading CAKM for Oracle TDE Provider

search
print

Upgrading CAKM for Oracle TDE Provider

This section is applicable for:

copy link to clipboardUpgrading from SafeNet ProtectApp Oracle TDE to CAKM for Oracle TDE

Caution

  • Upgrade from SafeNet ProtectApp Oracle TDE to CAKM for Oracle TDE requires you to first Uninstall SafeNet ProtectApp Oracle TDE and then Install CAKM for Oracle TDE.

  • It is recommended to take a backup of your last configuration file and other required files before upgrade.

  • If you are upgrading from CAKM for Oracle TDE 8.10 to CAKM for Oracle TDE 8.11 or above, and the master key is created inside the domain, then after rebooting the Oracle instance, you must open the wallet through the command:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "dom_hr::cm_user:cm_user_password";

copy link to clipboardUpgrading CAKM for Oracle TDE from an older version to the latest version

Caution

Install the latest version of CAKM for Oracle TDE. It replaces the installed files with a newer version. Hence, it is recommended to take a backup of your last configuration file and other required files before upgrade.

To upgrade CAKM for Oracle TDE from 8.10.0 to 8.11.0:

copy link to clipboardUpgrade Existing Manual HSM Wallet to New Manual HSM Wallet

To upgrade the existing Manual HSM wallet to Manual HSM wallet, open the Manual HSM wallet using the following command:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "domain::cm_user:cm_user_password";

copy link to clipboardUpgrade Existing Auto-login HSM wallet to New Auto-login HSM wallet

To upgrade the existing Auto-login HSM wallet to new Auto-login HSM wallet, perform the steps mentioned below:

  1. Rename or move the cwallet.sso file.

  2. Restart the database. Check the status of existing wallet in the Oracle database. Execute the following commands.

    sqlplus / as sysdba
SHUTDOWN IMMEDIATE;
STARTUP;
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  3. Reset the TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;

  4. Open the Software Wallet.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";

  5. Add a secret for HSM. You can do it in two ways:

    • Deleting the previously set secret and adding a new secret for CAKM for Oracle TDE.

      ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

    • Updating the previously set secret with the secret for CAKM for Oracle TDE.

      ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

  6. Create a new auto-login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

  7. Reset the TDE_CONFIGURATION parameter and retart the database.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHUTDOWN IMMEDIATE;
STARTUP;

  8. (This step is applicable for Oracle RAC.) After running the above steps on the source node, run the following steps on all the destination node(s).

    • Rename the existing cwallet.sso file.

    • Copy the cwallet.sso file from the source node to the destination node in the cluster at the same location.

    • Restart the database on the destination node.

copy link to clipboardUpgrade Existing Auto-login HSM Wallet with PDB to New Auto-login HSM Wallet with PDB

To upgrade the existing Auto-login HSM wallet with PDB to new Auto-login HSM wallet with PDB, perform the steps mentioned below:

  1. Rename or move the cwallet.sso file.

  2. Restart the database. Check the status of existing wallet in the Oracle database. Execute the following commands.

    sqlplus / as sysdba
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  3. Reset the TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;

  4. Open the Software Wallet.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=<ALL>;

  5. Add a secret for HSM. You can do it in two ways:

    • Deleting the previously set secret and adding a new secret for CAKM for Oracle TDE.

      ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

    • Updating the previously set secret with the secret for CAKM for Oracle TDE.

      ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

  6. Create a new auto-login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

  7. Reset the TDE_CONFIGURATION parameter and retart the database.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

  8. (This step is applicable for Oracle RAC) After running the above steps on the source node, run the following steps on all the destination node(s).

    • Rename the existing cwallet.sso file.

    • Copy the cwallet.sso file from the source node to the destination node in the cluster at the same location.

    • Restart the database on the destination node.

Note

  • On the AIX platform for Safenet Oracle TDE, you can comment the LIBPATH parameter in the .profile/.bash_profile file for samplelibs.

  • To load the latest configuration file and the library, restart the Oracle database after upgrading CAKM for Oracle TDE.

On this page