Appendix
Troubleshooting
While working with CAKM for Oracle TDE, you may encounter some issues. The list below describes frequent issues and their solutions.

1. mkdir: cannot create directory <directory>: Permission denied

    Grant the Oracle user the appropriate access permissions on this path.

2. ORA-28407: Hardware Security Module error detected

    There might be issues with:
    • The configuration/installation process of the CAKM for Oracle TDE library.
    • The connectivity with the CipherTrust Manager appliance.
    • The CADP_PKCS11.properties file parameters.

    Refer to the CAKM for Oracle TDE library log file for the exact cause. If the Oracle traces show the error

    ```text
    HSM error trace for ORA-28407. kzthsminit failed in C_Initialize with PKCS 11 error code 5
    ```

    then copy the CADP_PKCS11.properties file to the $ORACLE_HOME/dbs location.

3. ORA-28407: Hardware Security Module failed with PKCS#11 error CKR_SLOT_ID_INVALID(%d)

    For Oracle 12c RAC auto-login with HSM, if the error "ORA-28407" occurs with an invalid slot id, upgrade Oracle to 12.1.0.2.2 or a higher version.

4. Error: "ORA-28365: wallet is not open"

    If this error occurs while closing the wallet by executing `alter system set encryption wallet close identified by "<cm_user:cm_user_password>";`, the wallet is already closed and no action is required.

5. Linux/Unix: ORA-28376: cannot find PKCS#11 library

    Ensure that oracle:oinstall is the owner:group of the /opt/oracle/extapi/<32|64>/hsm/CipherTrust/CAKM_for_Oracle_TDE directory and its files (libIngPKCS11.so, CADP_PKCS11.properties), and that it has read/write permissions. The directory and the files within it should not have 777, 776, or 773 permissions. They can have either the default permission (755) or 775 / 774.

6. Oracle Database Enterprise Edition, versions 11.2.0.3 to 11.2.0.4 (Release 11.2): "HSM connection lost, closing wallet kzthsmterm: C_CloseSession threw PKCS#11 error 48"

    If TDE is used with HSM, brief interruptions in the connectivity to the HSM can cause errors on the database.

    Symptoms: Lines like the following may be observed in the alert.log file:

    ```text
    kzthsmcc4: HSM heartbeat died. Most likely connection has been lost.
    PKCS#11 function C_Encrypt returned PKCS#11 error code: 48
    HSM connection lost, closing wallet
    kzthsmterm: C_CloseSession threw PKCS#11 error 48
    Sun Mar 02 17:16:54 2014
    kzthsmcc4: HSM heartbeat died. Most likely connection has been lost.
    PKCS#11 function C_Encrypt returned PKCS#11 error code: 48
    HSM connection lost, closing wallet
    kzthsmterm: C_CloseSession threw PKCS#11 error 48
    ```

    Changes: TDE is configured with HSM.

    Cause: The Oracle server initiates a heartbeat call to the HSM every 3 seconds from the GEN0 process. If the call fails, the wallet is closed. Depending on the internal state of the processes involved, this can lead to various errors.

    Solution: To make the database resilient to brief interruptions in HSM connectivity, a fix has been made for 11gR2: Patch 18948524 (Instance crashes when HSM loses connectivity). Merge patches that include this fix:
    • Patch 19364977: MERGE REQUEST ON TOP OF DATABASE PSU 11.2.0.3.11 FOR BUGS 12874937 12951619
    • Patch 19182734: MERGE REQUEST ON TOP OF DATABASE PSU 11.2.0.3.8 FOR BUGS 18511779 16360112
    • Patch 19594366: MERGE REQUEST ON TOP OF DATABASE PSU 11.2.0.3.7 FOR BUGS 19148155 18948524
    (This list may not be exhaustive.)

    After any of these patches that include the fix for bug 18948524 has been installed, set the following events to control how the server responds to an HSM failure:

    ```text
    event="28420 trace name context forever, level 10"
    event="28421 trace name context forever, level 3"
    ```

    To set this persistently, use the statement:

    ```sql
    ALTER SYSTEM SET EVENT='28420 trace name context forever, level 10:28421 trace name context forever, level 3'
      COMMENT='HSM heartbeat timeout and reconnect attempt' SCOPE=SPFILE;
    ```

    Here:
    • Event 28420 determines how many HSM heartbeats can fail before the wallet is closed. The HSM heartbeat fires every 3 seconds, which means that a very short network outage can lead to wallet closure. For example, if event 28420 is set to level 5, the RDBMS allows 5 heartbeats to fail before closing the wallet, which permits a 15 second loss of contact with the HSM before the wallet is closed. This event should NOT be used to disable the heartbeat functionality. We strongly advise that this value is set no higher than 20 (i.e. one minute loss of HSM connectivity before wallet closure).
    • Event 28421 causes the HSM heartbeat to attempt to reconnect with the HSM once the wallet has been closed and, if successful, to reopen the wallet. For example, if event 28421 is set to level 3, every 3rd heartbeat attempts to re-establish the connection with the HSM. Event 28421 is only useful if the HSM has been configured using the auto-open feature, which means that a local cwallet.sso maintains the HSM credentials in the secret store entry ORACLE.TDE.HSM.AUTOLOGIN.

    The example above uses the recommended values for the events. If the HSM is not available for prolonged periods, this may eventually result in errors that cause the database to shut down; the patch is only meant to cope with short outages, and is primarily meant to avoid a hard instance crash. If the HSM is not available, sessions that were performing a TDE related operation when HSM connectivity was lost may still receive wallet related errors.

7. Any SSL connection related error message can be filtered from the log file based on the "ERR" and "tls" tags.

8. When exporting keys for PDB migration while using HSM, the PDB goes into restricted mode:

    ```text
    SQL> show pdbs
    CON_ID CON_NAME OPEN MODE RESTRICTED
    ```

    Resolution: Follow the steps below.

    1. Set the container to the PDB:

        ```text
        SQL> alter session set container=orclpdb;
        Session altered.
        ```

    2. Open the wallet again inside the PDB:

        ```text
        SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "tdeowner:asdf1234";
        keystore altered.
        ```

    3. Run the dummy import command:

        ```text
        SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "HSM" FROM 'HSM' IDENTIFIED BY "tdeowner:asdf1234";
        keystore altered.
        SQL> exit
        ```

    4. Close the PDB and bounce the database:

        ```text
        SQL> ALTER PLUGGABLE DATABASE ORCLPDB CLOSE;
        Pluggable database altered.
        SQL> exit
        [oracle@node1 ~]$ srvctl stop database -d damian
        [oracle@node1 ~]$ srvctl start database -d damian
        ```

    5. Connect to the CDB and open all PDBs:

        ```text
        SQL> show pdbs
            CON_ID CON_NAME    OPEN MODE  RESTRICTED
                 2 PDB$SEED    READ ONLY  NO
                 3 ORCLPDB     MOUNTED
        SQL> alter pluggable database all open instances=all;
        Pluggable database altered.
        SQL> show pdbs
            CON_ID CON_NAME    OPEN MODE  RESTRICTED
                 2 PDB$SEED    READ ONLY  NO
                 3 ORCLPDB     READ WRITE NO
        ```

9. Key won't download to the cache

    Possible Cause: The key does not have the exportable permission.
    Resolution: Check the key's exportable setting. Only exportable keys can be downloaded to the symmetric key and persistent key caches.

10. Keys are staying in the cache longer than the specified maximum key expiry time.

    Possible Cause: The persistent key cache has not been called by the library.
    Resolution: Call the library. The persistent key cache is cleaned only when it is called; therefore, keys may stay in the cache longer than the Persistent_Cache_Expiry_Keys setting.

11. Can't create keys when the server connection is disrupted.

    Explanation: The persistent key cache is not used for creating keys. The client can only create keys by connecting to the CipherTrust KMS server.

12. ORA-01031: insufficient privileges

    Resolution: Connect as sysdba:

    ```text
    SQL> connect / as sysdba
    ```

13. HSM error trace for ORA-28407 with PKCS 11 error codes 18 and 7:

    ```text
    HSM error trace for ORA-28407. kzthsmdos failed in C_FindObjectsInit with PKCS 11 error code 18
    HSM error trace for ORA-28407. kzthsmnfy failed in C_CloseSession with PKCS 11 error code 7
    ```

    Explanation: The CAKM for Oracle TDE library supports only those attributes that it requires for the supported use cases. When an unsupported attribute is passed to the library, the library ignores it and continues to work. Because of the unsupported attribute, the CAKM for Oracle TDE library API returns a non-zero value and the errors above are printed in the Oracle trace logs.

14. ORACLE.TSE.HSM.MK.062CA567A3FF484F36BF9B7AD99D4B58EC] Unknown key name or insufficient permissions.

    In Oracle 11g, TSE and TDE keys are created. A TDE key is used for encrypting columns, whereas a TSE key is used for encrypting a TABLESPACE. In Oracle 12c and 19c, however, only a TDE key is created for both column and TABLESPACE encryption.
    Resolution: Ignore the error message in the CAKM for Oracle TDE log file.

15. Required Oracle patches

    Issue: Unable to set up AUTO-HSM for PDB databases in Oracle 18c or 19c.
    Explanation: Due to Bug 29530515 ("auto-login hsm configurations fail to open the tde keystore"), you cannot set up AUTO-HSM for PDB databases in Oracle 18c or 19c.
    Resolution: Apply the following patches:
    • 19.4.0.0.190716 (Jul 2019) Database Release Update (DB RU)
    • Database patch 29834717 or its superset patch 30125133

16. mlock() failed with error 12. Key memory can be swapped to disk.

    Explanation: The maximum locked memory available to the process is less than 1 MB.
    Resolution: Run this command:

    ```text
    ulimit -l 1024
    ```
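The ownership and mode rule from item 5 (ORA-28376) is easy to get wrong by hand. The following Python checker is an added example, not part of the CAKM documentation or the library: it assumes the 64-bit library directory in place of `<32|64>` and the documented oracle:oinstall owner, and reports every path that breaks the rule.

```python
import grp
import os
import pwd
import stat

# Documented location; "64" stands in for <32|64> here (assumption for this example).
DEFAULT_DIR = "/opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE"
REQUIRED_FILES = ("libIngPKCS11.so", "CADP_PKCS11.properties")
FORBIDDEN_MODES = {0o777, 0o776, 0o773}  # item 5: must not be used
ALLOWED_MODES = {0o755, 0o775, 0o774}    # item 5: default 755, or 775 / 774
OWNER_RW = stat.S_IRUSR | stat.S_IWUSR


def owner_names(st):
    """Owner and group names for a stat result, falling back to numeric ids."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)


def check_path(path, owner="oracle", group="oinstall"):
    """Return findings for one path; an empty list means it satisfies item 5."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if owner_names(st) != (owner, group):
        findings.append(f"{path}: owned by {':'.join(owner_names(st))}, expected {owner}:{group}")
    if mode in FORBIDDEN_MODES:
        findings.append(f"{path}: mode {mode:o} is not permitted")
    elif mode not in ALLOWED_MODES:
        findings.append(f"{path}: mode {mode:o} is neither the default 755 nor 775/774")
    if mode & OWNER_RW != OWNER_RW:
        findings.append(f"{path}: owner lacks read/write permission")
    return findings


def check_cakm_dir(directory=DEFAULT_DIR, owner="oracle", group="oinstall"):
    """Check the library directory and the two files named in item 5."""
    if not os.path.isdir(directory):
        return [f"{directory}: directory does not exist"]
    findings = check_path(directory, owner, group)
    for name in REQUIRED_FILES:
        path = os.path.join(directory, name)
        if os.path.exists(path):
            findings += check_path(path, owner, group)
        else:
            findings.append(f"{path}: missing")
    return findings


if __name__ == "__main__":
    print("\n".join(check_cakm_dir() or ["OK: ownership and permissions satisfy item 5"]))
```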
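Items 2, 6 and 13 all quote raw PKCS#11 error codes, and item 6 defines how many failed heartbeats event 28420 tolerates. As an added example that is not part of this documentation, the following Python decodes those codes into their CKR_* names (taken from the PKCS#11 specification) and relates the heartbeat failures in an alert.log excerpt to the outage an event 28420 level permits (level × 3 seconds); the sample lines are constructed from the messages quoted above.

```python
import re

# Subset of PKCS#11 return codes (decimal) as the Oracle trace and alert log print them.
CKR_NAMES = {
    3: "CKR_SLOT_ID_INVALID",
    5: "CKR_GENERAL_ERROR",
    7: "CKR_ARGUMENTS_BAD",
    18: "CKR_ATTRIBUTE_TYPE_INVALID",
    48: "CKR_DEVICE_ERROR",
}
HEARTBEAT_INTERVAL_S = 3  # GEN0 heartbeat period stated in item 6

# Matches "PKCS 11 error code 5", "PKCS#11 error code: 48" and "PKCS#11 error 48".
ERR_RE = re.compile(r"PKCS ?#?11 error(?: code)?:? (\d+)")
FUNC_RE = re.compile(r"\b(C_\w+)\b")  # first PKCS#11 function named on the line

# Constructed sample lines, copied from the messages quoted in items 2, 6 and 13.
SAMPLE_LOG = [
    "kzthsmcc4: HSM heartbeat died. Most likely connection has been lost.",
    "PKCS#11 function C_Encrypt returned PKCS#11 error code: 48",
    "HSM connection lost, closing wallet",
    "kzthsmterm: C_CloseSession threw PKCS#11 error 48",
    "HSM error trace for ORA-28407. kzthsminit failed in C_Initialize with PKCS 11 error code 5",
    "HSM error trace for ORA-28407. kzthsmdos failed in C_FindObjectsInit with PKCS 11 error code 18",
]


def decode_line(line):
    """Return (function, code, CKR name) for a line carrying a PKCS#11 error, else None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    f = FUNC_RE.search(line)
    return (f.group(1) if f else "?", code, CKR_NAMES.get(code, f"unknown ({code})"))


def summarize(lines, event_28420_level=1):
    """Decode every PKCS#11 error and relate failed heartbeats to the event 28420 level.

    Item 6: a failed heartbeat closes the wallet unless event 28420 raises the
    limit; level N tolerates N consecutive failures, i.e. N * 3 s without the HSM.
    """
    return {
        "errors": [d for d in map(decode_line, lines) if d],
        "heartbeats_failed": sum("HSM heartbeat died" in ln for ln in lines),
        "wallet_closures": sum("HSM connection lost" in ln for ln in lines),
        "outage_tolerated_s": event_28420_level * HEARTBEAT_INTERVAL_S,
    }
```

Running `summarize(SAMPLE_LOG, event_28420_level=5)` reports one failed heartbeat, one wallet closure and a 15 second tolerance, which is the example value item 6 discusses.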
Oracle TDE Platform Matrix
The following table lists issues that are commonly experienced on supported platforms with specific Oracle versions, and their workarounds.
Platform | Oracle Version | Known Issue(s) | Workaround (if any) |
---|---|---|---|
Windows Server 2012 64-bit; Windows Server 2012 R2 64-bit; Windows Server 2016 64-bit | 11.2.0.4; 12.1.0.2 + Patch 22809813 (Oracle PDB Auto Login Patch for 12cR1); 12.2.0.1 | When the database restarts, Oracle services sometimes stop. | Run Services.msc and manually start OracleServiceSID, then follow these steps: 1. Open the wallet: `SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "cm_user:cm_user_password";` 2. Create a key: `SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "cm_user:cm_user_password";` 3. Check the wallet status: `SQL> SELECT * FROM V$ENCRYPTION_WALLET;` |
Windows Server 2012 64-bit; Windows Server 2012 R2 64-bit; Windows Server 2016 64-bit | 12.1.0.2 | When Oracle version 12.1.0.2 is used with a pluggable database (for the system user), the error ORA-03113: end-of-file on communication channel is triggered when you check the wallet status after opening the wallet. | Apply the Oracle mandatory patch 12626642. After applying the patch, use the shutdown immediate command to restart the database session. |