Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Administration

Installing CAKM for Oracle TDE on RHEL/Oracle Linux

search
printsuggest an editpdf paneldownload

Installing CAKM for Oracle TDE on RHEL/Oracle Linux

You can install CAKM for Oracle TDE using the installation script or in silent mode. In both ways:

  • For External CA configuration, first complete the installation with the TCP protocol. Then, manually configure the SSL settings by updating the required parameters (client cert, client key, and external CA) in the CADP_PKCS11.properties file.

  • To set up the SSL configuration manually after installation with TCP, follow the steps mentioned in Setting up SSL/TLS.

Note

  • If you run the installer 'install.sh' file with root user or sudo permission, the default installation directory is /opt.

  • If you run the installer 'install.sh' file without root user or sudo permission, the default installation directory is user's home directory (/home). Ensure that the user must have the permission to run mkdir, chown, and chmod commands.

  • The Oracle database must be restarted after installation, upgradation, and changing the configuration of CAKM for Oracle TDE.

After installing CAKM for Oracle TDE, you need to perform some additional steps, as described in Post-installation Steps.

copy link to clipboardUsing Installation Script

  1. Download the CAKM for Oracle TDE setup file from the Thales Customer Support Portal.

  2. Log on to the client machine as an Oracle user.

  3. Extract the setup file using any standard archive utility. For example, execute the following command:

    tar -xzf <source_directory/tar_file_name> -C <destination_directory>

    After extracting the setup file, you will get the install.sh file.

  4. Install CAKM for Oracle TDE by running install.sh.

    sudo ./install.sh

    Note

    'install.sh' file is used to perform the following:

    • distribute the CAKM for Oracle TDE package files

    • update the CADP_PKCS11.properties file

    • update the .profile/.bash_profile

    • create the certificates if you are using the SSL protocol

    The next screen displays the End User License Agreement.

  5. Read the agreement. If you agree, accept the agreement with the yes (Y) option.

    Do you accept the terms of the End User License Agreement(Y/N)[N]? Y

  6. Provide the installation directory path. The defaut path is /opt.

    Install CAKM for Oracle TDE to path [/opt]:<install_dir>

  7. Specify the Key Management Server details. Follow the on-screen prompts to enter the details as per your environment.

    Key Management Server IP Address:<cm_ip>
Key Management Server PORT [9000]:<cm_port>
Key Management Server Protocol (ssl/tcp)[ssl]:<protocol>
Key Management Server username:<cm_user>
Key Management Server user password:<cm_user_password>

  8. If the selected protocol is SSL/TLS, enter the client certificate details.

    Enter Passphrase to protect private key:
====Enter information that will be incorporated into your certificate request.====

Country code (2 letter code e.g., US):
State or Province name (e.g., California):
Locality or city name (e.g., San Jose):
Organization name (e.g., company):
Organization Unit name (e.g., Section):
Common Name (eg, your name or your server's hostname):
Email Address (optional):

    For example:

    Enter Passphrase to protect private key:
====Enter information that will be incorporated into your certificate request.====

Country code (2 letter code e.g., US): IN
State or Province name (e.g., California): UP
Locality or city name (e.g., San Jose): Noida
Organization name (e.g., company): Thales
Organization Unit name (e.g., Section): DIS
Common Name (eg, your name or your server's hostname): oracle
Email Address (optional):

  9. On successful installation, the message CAKM for Oracle TDE Installation is completed is displayed. 

    CAKM for Oracle TDE Installation is completed!
You can edit the configuration files located at:
/opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties

Now, you need to perform Post-installation Steps.

Once install.sh script is successfully executed, following environment variables gets updated in your .profile/.bash_profile:

Note

  • export NAE_Properties_Conf_Filename="/opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties"

  • export IngrianNAE_Properties_Conf_Slot_ID_Max="100"

  • export IngrianNAE_Properties_Conf_SessionID_Max="100"

copy link to clipboardSilent installation

For silent installation, provide basic configuration settings (such as, SERVER_IP, SERVER_PORT, SERVER_PROTOCOL, and so on) through any of the following:

These settings are updated automatically in the CADP_PKCS11.properties file after the silent installation is complete.

Note

The USER_CREDENTIALS_ENCRYPTED parameter refers to the encrypted state of the User Credentials (NAE_USER, NAE_PASSWORD, and PASSPHRASE). Enabling or Disabling this parameter will allow the user credentials to be provided in encrypted text or plain text respectively. This encrypted text can only be generated using PassPhraseSecure utility.

Provide the installation directory path using -d option and accept the End User License Agreement using -y option to proceed with the installation:

sudo ./install.sh -d <install_dir> -y

If you want to perform the silent installation of CAKM for Oracle TDE with any specific user, you can run the following command:

./install.sh -t <TDE_User>

copy link to clipboardUsing Configuration File

The Configuration file cakm_for_oracle_tde_basic.conf is located in the path </home/oracle/CAKM_for_Oracle_TDE-<version number>/utilities/>.

  1. Add the required details in cakm_for_oracle_tde_basic.conf file and execute the following command:

    sudo ./install.sh -d <install_dir> -y -c <path of cakm_for_oracle_tde_basic.conf file>

    For example:

    sudo ./install.sh -d <install_dir> -y -c utilities/cakm_for_oracle_tde_basic.conf

copy link to clipboardUsing Command Line Arguments

./install.sh -y -d <install_dir> --SERVER_IP <KM Server IP> --SERVER_PORT <KM Server Port> --SERVER_PROTOCOL <ssl/tcp> --LOG_LEVEL <NONE/ERROR/WARN/INFO> --NAE_USER <KM Username> --NAE_PASSWORD <KM Password> --PASSPHRASE <Passphrase> --USER_CREDENTIALS_ENCRYPTED <Y/N> --COUNTRY <Country> --STATE <State> --CITY <City> --ORG <Organisation> --ORG_UNIT <Organisation Unit> --COMMON_NAME <Comman Name> --EMAIL <Email>

where,

SERVER_IP: Key Management server IP address/Hostname

SERVER_PORT: Key Management server port number

SERVER_PROTOCOL: Connection protocol to server (ssl or tcp)

LOG_LEVEL: Log Level (NONE, ERROR, WARN, INFO)

The following information is needed only for ssl:

NAE_USER: Key Management server user for client certificate creation

NAE_PASSWORD: Key Management server user's password

PASSPHRASE: Passphrase to protect client private key

USER_CREDENTIALS_ENCRYPTED: User credentials are provided in encrypted format or not (Y/N)

COUNTRY: Country Code, for example, US limited to two letters

STATE: State, for example, California

CITY: City, for example, San Jose

ORG: Organization, for example, Thales

ORG_UNIT: Organizational Unit, for example, DIS

COMMON_NAME: Common Name, for example, hostname/IP address, Username

EMAIL: Email address

UPDATE_CONFIGURATION: Expected Y/N. Applicable to upgrade scenario only. In case of Y, new configurations will be applied and new certificate will be generated via installer (in case of ssl). In case of N, the existing configuration from the previous version installer will be retained. Default value is N.

For example:

./install.sh -y -d /home/oracle --SERVER_IP <cm_IP_address> --SERVER_PORT <NAE port> --SERVER_PROTOCOL ssl --LOG_LEVEL ERROR --NAE_USER <cm_user> --NAE_PASSWORD <cm_user_password> --PASSPHRASE Xxxx --USER_CREDENTIALS_ENCRYPTED N --COUNTRY US --STATE California --CITY "San Jose" --ORG Thales --ORG_UNIT DIS --COMMON_NAME <CN for client certificate> --EMAIL abc@yy.zzz

On successful installation, the message CAKM for Oracle TDE Installation is completed! is displayed. Credentials will be masked with asterisk (*) after successful installation in the basic conf file.

Note

  • The parameters provided through command line arguments will be preferred over configuration file.

  • If you are providing any value to the parameter that consist of any special characters, such as white space, |, e.t.c, then the value must be in quotes (" ").

Caution

Do not use the cakm_for_oracle_tde_basic utility for any operation. It is for internal use by CAKM for Oracle TDE.

Now, you need to perform the Post-installation Steps.

copy link to clipboardPost-installation Steps

Note

The receiving directory is a fixed location. Oracle searches for this directory. It cannot be changed. Changing the directory name results in a "cannot find PKCS11 library" error.

This section describes how to create and change ownership for required files and directories on the agent system.

  1. Change ownership on the CAKM for Oracle TDE library file. This must be done on all UNIX platforms.

    cd <Installation_Path_of_CAKM_for_Oracle_TDE_Library>
chown <Oracle_user>:<Oracle_group> libcadp_pkcs11.so-<version>

    For example: sudo chown oracle:oinstall libcadp_pkcs11.so-8.10.0.00X

  2. Create a link to an Oracle HSM recognized path:

    mkdir -p <CAKM_for_Oracle_TDE_Library_Path>
chown -R <Oracle_user>:<Oracle_group> <CAKM_for_Oracle_TDE_Library_Path>

    For example:

    sudo mkdir -p /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
sudo chown -R oracle:oinstall /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE

  3. (As the oracle user) Create the soft link to the CAKM for Oracle TDE library.

    su - oracle
cd /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
ln -s <Installation_Path_of_CAKM_for_Oracle_TDE_Library>/<lib_name_version> libcadp_pkcs11.so

After installing CAKM for Oracle TDE, you can further configure CAKM for Oracle TDE to meet the needs of your environment. Refer to the Configuring CAKM for Oracle TDE for details.

Note

After successful installation of CAKM for Oracle TDE, execute the .bash_profile/.profile.

On this page