Administration
CipherTrust Application Key Management (CAKM) for Oracle Transparent Data Encryption (TDE) provides key management and data encryption capabilities, in conjunction with the CipherTrust Manager, to Oracle TDE.
The advantages of using the CipherTrust Manager are:
Provides additional security by separating administrative access. For example, the system can be set up so that the CipherTrust Application Data Protection Security Administrator can access only the keys, and the database administrator can access only the database.
Helps achieve compliance with PCI security standards.
Provides centralized storage and management of encryption keys.
The table and tablespace keys are encrypted using the master key. The master key is stored in an External Security Module (ESM) that can be one of the following:
Oracle Wallet: Provides a secure container outside the database. It is encrypted with a password.
CipherTrust Manager: Provides a secure location for storing the TDE master encryption key (MEK). Oracle interfaces with this platform using the CAKM for Oracle TDE library.
The following diagram shows the integration:
Prerequisites
Ensure that:
The CipherTrust Manager is installed and configured. Refer to the CipherTrust Manager documentation for details.
A user with the CA Admins and Read-Only Admins permissions exists on the CipherTrust Manager. This user is required when installing CAKM for Oracle TDE.
The NAE-XML interface is configured on the CipherTrust Manager. Refer to the CipherTrust Manager documentation for details.
The port configured on the NAE-XML interface is accessible from the client machine.
The connector license is activated on the CipherTrust Manager. Refer to the CipherTrust Manager documentation for details.
The Oracle Database is installed on the target machine.
On the AIX platform, ensure the following libraries and their dependencies are installed:
libgcc_s.a
libstdc++.a
To determine the dependencies of a library on the AIX platform, use the dump -Hv <library_file> command. If the command returns the error "file is not valid in the current object file mode," follow these steps:
Determine the library file's format by running file <library_file>. This command returns the file format, such as 64 or 32.
Set the correct format in the OBJECT_MODE environment variable by using export OBJECT_MODE=<format>. For example, if file <library_file> returned 64, run export OBJECT_MODE=64.
Run the dump -Hv <library_file> command again.
Tip
For example, to download libgcc6 and libstdc++6 for AIX 7.2, consider resources like the IBM AIX Toolbox for Open Source Software. Install these RPMs using the rpm -Uvh <package_name> command.
Example:
rpm -Uvh libgcc6-6.3.0-2.aix7.2.ppc.rpm
rpm -Uvh libstdcplusplus6-6.3.0-2.aix7.2.ppc.rpm
After installation, verify the presence of libgcc_s.a and libstdc++.a within /usr/lib/. If absent, create symbolic links from their installation location (usually /opt/freeware/lib/).
Example:
ln -s /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/6/libgcc_s.a /usr/lib/
ln -s /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/6/libstdc++.a /usr/lib/
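As an added example that is not part of the CAKM documentation, the following POSIX shell functions automate the AIX prerequisite checks above: they create the symbolic links for libgcc_s.a and libstdc++.a when the libraries are absent from the target directory, and retry dump -Hv with OBJECT_MODE derived from the output of file. The library and source directories are parameters (the documented /usr/lib and /opt/freeware/lib paths appear only in the trailing comment), and the "64-bit"/"32-bit" wording the parser looks for in file output is an assumption.

```shell
#!/bin/sh
# Added example, not from the CAKM for Oracle TDE documentation.

# Extract "64" or "32" from one line of `file` output. Assumes the output
# names the format as 64-bit or 32-bit; the sample used in testing is constructed.
object_mode_from_file_output() {
    case "$1" in
        *64*) echo 64 ;;
        *32*) echo 32 ;;
        *) return 1 ;;
    esac
}

# List a library's dependencies with dump -Hv. When dump reports that the file
# is not valid in the current object file mode, derive OBJECT_MODE from `file`
# and run dump once more with that mode set.
list_deps() {
    lib=$1
    out=$(dump -Hv "$lib" 2>&1) && { printf '%s\n' "$out"; return 0; }
    case "$out" in
        *"not valid in the current object file mode"*)
            mode=$(object_mode_from_file_output "$(file "$lib")") || return 1
            OBJECT_MODE=$mode dump -Hv "$lib"
            ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Ensure each named library exists in libdir, linking it from srcdir when
# absent. Prints "<name>: present|linked|missing" and returns 1 if any library
# could not be found in either location.
ensure_libs() {
    libdir=$1; srcdir=$2; shift 2
    status=0
    for name in "$@"; do
        if [ -e "$libdir/$name" ]; then
            echo "$name: present"
        elif [ -e "$srcdir/$name" ]; then
            ln -s "$srcdir/$name" "$libdir/$name" && echo "$name: linked"
        else
            echo "$name: missing"; status=1
        fi
    done
    return $status
}

# Real use on AIX 7.2, with the paths from the documentation:
#   ensure_libs /usr/lib /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/6 libgcc_s.a libstdc++.a
#   list_deps /usr/lib/libstdc++.a
```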
Integrating Oracle TDE with CipherTrust Manager
To integrate Oracle TDE with the CipherTrust Manager: