Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
back

Administration

Integrating TDE with CipherTrust Manager on Oracle 19c Exadata Cloud@Customer (ExaCC)

search
printsuggest an edit

Integrating TDE with CipherTrust Manager on Oracle 19c Exadata Cloud@Customer (ExaCC)

This section outlines the following steps to integrate TDE with the CipherTrust Manager on Oracle 19c Exadata Cloud@Customer (ExaCC):

copy link to clipboardMigrating from File Wallet to HSM Wallet

copy link to clipboardMigrating Auto-Login File Wallet to Auto-Login HSM Wallet

You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Loginenabled HSM wallet. If you have a software wallet configured already, the content of the spfile file and wallet information will have the following structure:

WALLET_ROOT=<software_wallet_location>

Output:

WRL_TYPEWRL_PARAMETERWALLET_TYPESTATUS
FILE<software_wallet_location>AUTOLOGINOPEN

  1. Rename or move the cwallet.sso file from the location specified above to any other location.

  2. Restart the database and open the software keystore.

    SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
ALTER DATABASE OPEN;

  3. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an oracle defined client name that represents the HSM password as a secret in the software keystore.
    You must include the <cm_user:cm_user_password> and HSM_PASSWORD in single quotes. It will not work if you do not do this.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;

  4. Create a new Auto-Login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

  5. Set TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;

  6. Migrate the Auto-Login software wallet to Auto-Login HSM wallet.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";

  7. Create new MEK on CM.

    ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";

  8. To sync the secondary node restart the Oracle 19C database.

    srvctl stop database -d $ORACLE_UNQNAME
srvctl start database -d $ORACLE_UNQNAME

copy link to clipboardMigrating Auto-Login File Wallet with United PDB to Auto-Login HSM Wallet with United PDB

You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If you have a software wallet configured already, the content of the spfile file and wallet information will have the following structure:

Output:

WRL_TYPEWRL_PARAMETERWALLET_TYPESTATUS
FILE<software_wallet_location>AUTOLOGINOPEN

  1. Rename or move the cwallet.sso file from the location specified above to any other location.

  2. Restart the database and open the software keystore.

    SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <software_keystore_password>;
ALTER DATABASE OPEN;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

  3. Set the TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;

  4. Migrate the Software wallet to HSM wallet.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" with backup;

  5. Set the master encryption key for the HSM keystore. 

    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" container=<pdb_name>/<ALL>;

  6. Closed the HSM keystore.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";

  7. Set the TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;

  8. Open all PDBs.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" container=<pdb_name>/<ALL>;

  9. Check the wallet status.

    COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  10. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD.

    HSM_PASSWORD is an oracle defined client name that represents the HSM password as a secret in the software keystore.

    You must include the <cm_user:cm_user_password> and HSM_PASSWORD in single quotes. It will not work if you do not do this.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;

  11. Create a new Auto-Login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

  12. Set the TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;

  13. Restart the database.

    shutdown immediate;
startup;

  14. Open the PDB in read-write mode.

    ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

  15. Check Wallet status.

    COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  16. Connect to the PDB.

    ALTER SESSION SET CONTAINER=<pdb_name>;

  17. Check Wallet status.

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  18. To sync the secondary node restart the Oracle 19C database.

    srvctl stop database -d $ORACLE_UNQNAME
srvctl start database -d $ORACLE_UNQNAME

copy link to clipboardMigrating back from Auto-login HSM Wallet to Auto login File Wallet

If you want to switch from an HSM keystore to a software keystore then you can use reverse migration of the keystore.

Note

It is recommended to keep the HSM. Earlier backup files may rely on TDE master encryption keys present in the HSM.

  1. Navigate to <software_wallet_location>/tde directory and rename the cwallet.sso file to cwallet_backup.sso.

  2. Set TDE_CONFIGURATION parameter.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;

  3. Run Reverse Migration command.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;

    After you complete the reverse migration, you do not need to restart the database or manually reopen the software keystore.

  4. Restart the database and open the software keystore.

    SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
ALTER DATABASE OPEN;

  5. Create a new Auto-Login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

  6. Restart the database.

    shutdown immediate;
startup;

  7. Check Wallet status.

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

  8. To sync the secondary node restart the Oracle 19C database.

    srvctl stop database -d $ORACLE_UNQNAME
srvctl start database -d $ORACLE_UNQNAME

On this page