Installing CAKM for Oracle TDE on RHEL/Oracle Linux
You can install CAKM for Oracle TDE using the installation script or in silent mode. In both cases:
For External CA configuration, first complete the installation with the TCP protocol. Then, manually configure the SSL settings by updating the required parameters (client cert, client key, and external CA) in the CADP_PKCS11.properties file. To set up the SSL configuration manually after installation with TCP, follow the steps in Setting up SSL/TLS.
Note
If you run the installer 'install.sh' with root user or sudo permission, the default installation directory is /opt. If you run 'install.sh' without root user or sudo permission, the default installation directory is the user's home directory (/home). Ensure that the user has permission to run the mkdir, chown, and chmod commands.
The Oracle database must be restarted after installation, upgrade, and any change to the configuration of CAKM for Oracle TDE.
After installing CAKM for Oracle TDE, you need to perform some additional steps, as described in Post-installation Steps.
Using Installation Script
Download the CAKM for Oracle TDE setup file from the Thales Customer Support Portal.
Log on to the client machine as an Oracle user.
Extract the setup file using any standard archive utility. For example, execute the following command:
tar -xzf <source_directory/tar_file_name> -C <destination_directory>
After extracting the setup file, you will get the install.sh file. Install CAKM for Oracle TDE by running install.sh:
sudo ./install.sh
Note
The 'install.sh' file is used to perform the following:
- distribute the CAKM for Oracle TDE package files
- update the CADP_PKCS11.properties file
- update the .profile/.bash_profile
- create the certificates if you are using the SSL protocol
The next screen displays the End User License Agreement. Read the agreement. If you agree, accept it with the yes (Y) option.
Do you accept the terms of the End User License Agreement(Y/N)[N]? Y
Provide the installation directory path. The default path is /opt.
Install CAKM for Oracle TDE to path [/opt]:<install_dir>
Specify the Key Management Server details. Follow the on-screen prompts to enter the details as per your environment.
Key Management Server IP Address:<cm_ip>
Key Management Server PORT [9000]:<cm_port>
Key Management Server Protocol (ssl/tcp)[ssl]:<protocol>
Key Management Server username:<cm_user>
Key Management Server user password:<cm_user_password>
If the selected protocol is SSL/TLS, enter the client certificate details.
Enter Passphrase to protect private key:
====Enter information that will be incorporated into your certificate request.====
Country code (2 letter code e.g., US):
State or Province name (e.g., California):
Locality or city name (e.g., San Jose):
Organization name (e.g., company):
Organization Unit name (e.g., Section):
Common Name (eg, your name or your server's hostname):
Email Address (optional):
For example:
Enter Passphrase to protect private key:
====Enter information that will be incorporated into your certificate request.====
Country code (2 letter code e.g., US): IN
State or Province name (e.g., California): UP
Locality or city name (e.g., San Jose): Noida
Organization name (e.g., company): Thales
Organization Unit name (e.g., Section): DIS
Common Name (eg, your name or your server's hostname): oracle
Email Address (optional):
On successful installation, the message CAKM for Oracle TDE Installation is completed is displayed:
CAKM for Oracle TDE Installation is completed! You can edit the configuration files located at: /opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties
Now, you need to perform Post-installation Steps.
Once the install.sh script has executed successfully, the following environment variables are set in your .profile/.bash_profile:
export NAE_Properties_Conf_Filename="/opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties"
export IngrianNAE_Properties_Conf_Slot_ID_Max="100"
export IngrianNAE_Properties_Conf_SessionID_Max="100"
Silent installation
For silent installation, provide the basic configuration settings (such as SERVER_IP, SERVER_PORT, SERVER_PROTOCOL, and so on) through either a configuration file or command line arguments, as described in the following subsections. These settings are written automatically to the CADP_PKCS11.properties file after the silent installation is complete.
Note
The USER_CREDENTIALS_ENCRYPTED parameter indicates whether the user credentials (NAE_USER, NAE_PASSWORD, and PASSPHRASE) are supplied in encrypted form. Enabling or disabling this parameter allows the user credentials to be provided as encrypted text or plain text, respectively. The encrypted text can only be generated using the PassPhraseSecure utility.
Provide the installation directory path using the -d option and accept the End User License Agreement using the -y option to proceed with the installation:
sudo ./install.sh -d <install_dir> -y
If you want to perform the silent installation of CAKM for Oracle TDE with any specific user, you can run the following command:
./install.sh -t <TDE_User>
Using Configuration File
The configuration file cakm_for_oracle_tde_basic.conf is located at </home/oracle/CAKM_for_Oracle_TDE-<version number>/utilities/>.
Add the required details to the cakm_for_oracle_tde_basic.conf file and execute the following command:
sudo ./install.sh -d <install_dir> -y -c <path of cakm_for_oracle_tde_basic.conf file>
For example:
sudo ./install.sh -d <install_dir> -y -c utilities/cakm_for_oracle_tde_basic.conf
Using Command Line Arguments
./install.sh -y -d <install_dir> --SERVER_IP <KM Server IP> --SERVER_PORT <KM Server Port> --SERVER_PROTOCOL <ssl/tcp> --LOG_LEVEL <NONE/ERROR/WARN/INFO> --NAE_USER <KM Username> --NAE_PASSWORD <KM Password> --PASSPHRASE <Passphrase> --USER_CREDENTIALS_ENCRYPTED <Y/N> --COUNTRY <Country> --STATE <State> --CITY <City> --ORG <Organisation> --ORG_UNIT <Organisation Unit> --COMMON_NAME <Common Name> --EMAIL <Email>
where:
SERVER_IP: Key Management server IP address/hostname
SERVER_PORT: Key Management server port number
SERVER_PROTOCOL: Connection protocol to the server (ssl or tcp)
LOG_LEVEL: Log level (NONE, ERROR, WARN, INFO)
The following information is needed only for ssl:
NAE_USER: Key Management server user for client certificate creation
NAE_PASSWORD: Key Management server user's password
PASSPHRASE: Passphrase to protect the client private key
USER_CREDENTIALS_ENCRYPTED: Whether the user credentials are provided in encrypted format (Y/N)
COUNTRY: Country code, for example, US; limited to two letters
STATE: State, for example, California
CITY: City, for example, San Jose
ORG: Organization, for example, Thales
ORG_UNIT: Organizational Unit, for example, DIS
COMMON_NAME: Common Name, for example, hostname/IP address or username
EMAIL: Email address
UPDATE_CONFIGURATION: Expected Y/N. Applicable to the upgrade scenario only. If Y, the new configuration is applied and a new certificate is generated by the installer (in the case of ssl). If N, the existing configuration from the previous version's installer is retained. The default value is N.
For example:
./install.sh -y -d /home/oracle --SERVER_IP <cm_IP_address> --SERVER_PORT <NAE port> --SERVER_PROTOCOL ssl --LOG_LEVEL ERROR --NAE_USER <cm_user> --NAE_PASSWORD <cm_user_password> --PASSPHRASE Xxxx --USER_CREDENTIALS_ENCRYPTED N --COUNTRY US --STATE California --CITY "San Jose" --ORG Thales --ORG_UNIT DIS --COMMON_NAME <CN for client certificate> --EMAIL abc@yy.zzz
On successful installation, the message CAKM for Oracle TDE Installation is completed! is displayed. After successful installation, the credentials in the basic conf file are masked with asterisks (*).
Note
Parameters provided through command line arguments take precedence over those in the configuration file.
If a parameter value contains special characters, such as white space or |, the value must be enclosed in quotes (" ").
Caution
Do not use the cakm_for_oracle_tde_basic utility for any operation. It is for internal use by CAKM for Oracle TDE.
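As an added example (not part of the CAKM for Oracle TDE documentation or installer), the following POSIX shell functions build the silent-install command line described above with every value shell-quoted, so that values containing white space or | reach install.sh intact, and produce a second copy with the NAE_PASSWORD and PASSPHRASE values masked for logging. The helper names (shquote, cakm_silent_cmd, cakm_silent_cmd_masked) and all sample values are constructed for this example; only the install.sh options are from the page.

```shell
#!/bin/sh
# Added example; not part of the CAKM for Oracle TDE installer.
# Builds the silent-install command with each value single-quoted and a
# masked copy that is safe to write to an installation log.

# Single-quote one value for POSIX sh; an embedded ' becomes '\''.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Prints the install.sh command line for the given parameters.
# $1 install dir, $2 server IP/host, $3 port, $4 protocol (ssl|tcp),
# $5 NAE user, $6 NAE password, $7 passphrase, $8 city, $9 common name.
# The remaining options (--COUNTRY, --STATE, --ORG, --ORG_UNIT, --EMAIL)
# are added the same way; they are omitted here to keep the example short.
cakm_silent_cmd() {
  printf './install.sh -y -d %s --SERVER_IP %s --SERVER_PORT %s --SERVER_PROTOCOL %s --LOG_LEVEL ERROR --NAE_USER %s --NAE_PASSWORD %s --PASSPHRASE %s --USER_CREDENTIALS_ENCRYPTED N --CITY %s --COMMON_NAME %s\n' \
    "$(shquote "$1")" "$(shquote "$2")" "$(shquote "$3")" "$(shquote "$4")" \
    "$(shquote "$5")" "$(shquote "$6")" "$(shquote "$7")" "$(shquote "$8")" \
    "$(shquote "$9")"
}

# Same command line with the two secrets replaced by ****.
cakm_silent_cmd_masked() {
  cakm_silent_cmd "$1" "$2" "$3" "$4" "$5" '****' '****' "$8" "$9"
}

# Constructed sample values (no real server or credentials).
if [ "${1:-}" = "--demo" ]; then
  cakm_silent_cmd_masked /home/oracle 192.0.2.10 9000 ssl cmuser 'p@ss word' 'x|y' 'San Jose' oracle
fi
```

Values passed on the command line are visible to other local users in process listings and may be retained in shell history, so only the masked form belongs in a log; where that matters, the configuration-file route with USER_CREDENTIALS_ENCRYPTED set to Y avoids putting the plain-text credentials on the command line at all.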
Now, you need to perform the Post-installation Steps.
Post-installation Steps
Note
The receiving directory is a fixed location. Oracle searches for this directory. It cannot be changed. Changing the directory name results in a "cannot find PKCS11 library" error.
This section describes how to create and change ownership for required files and directories on the agent system.
Change ownership of the CAKM for Oracle TDE library file. This must be done on all UNIX platforms.
cd <Installation_Path_of_CAKM_for_Oracle_TDE_Library>
chown <Oracle_user>:<Oracle_group> libcadp_pkcs11.so-<version>
For example:
sudo chown oracle:oinstall libcadp_pkcs11.so-8.10.0.00X
Create a link to an Oracle HSM recognized path:
mkdir -p <CAKM_for_Oracle_TDE_Library_Path>
chown -R <Oracle_user>:<Oracle_group> <CAKM_for_Oracle_TDE_Library_Path>
For example:
sudo mkdir -p /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
sudo chown -R oracle:oinstall /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
(As the oracle user) Create the soft link to the CAKM for Oracle TDE library.
su - oracle
cd /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
ln -s <Installation_Path_of_CAKM_for_Oracle_TDE_Library>/<lib_name_version> libcadp_pkcs11.so
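Added example (not code from the documentation or the installer): a POSIX shell script that performs the three post-installation steps above as one function and then verifies the result, including a check that the target directory is the fixed path Oracle searches, since the note above says a renamed directory produces a "cannot find PKCS11 library" error. The function names, the warning check and the sample values used when running it are assumptions of this example; the fixed HSM path, the library file name and the oracle:oinstall owner are the documentation's own.

```shell
#!/bin/sh
# Added example; not part of the CAKM for Oracle TDE installer.
# Fixes ownership of the versioned library, creates the fixed Oracle HSM
# directory, links libcadp_pkcs11.so into it and verifies the link.

# The directory Oracle searches for the PKCS#11 library; it cannot be changed.
CAKM_HSM_DIR=/opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE

# Returns 0 when the given directory is the fixed path Oracle expects.
cakm_hsm_path_ok() {
  [ "$1" = "$CAKM_HSM_DIR" ]
}

# Returns 0 when libcadp_pkcs11.so in the given directory is a symlink to an
# existing file (a dangling link gives the same "cannot find" error).
cakm_verify_link() {
  link="$1/libcadp_pkcs11.so"
  [ -L "$link" ] && [ -e "$link" ]
}

# Prints the file the link resolves to; handy after an upgrade to confirm
# that the link points at the new library version.
cakm_link_target() {
  readlink "$1/libcadp_pkcs11.so"
}

# $1 directory holding the installed library (e.g. /opt/CipherTrust/CAKM_for_Oracle_TDE)
# $2 versioned library file name (e.g. libcadp_pkcs11.so-8.10.0.00X)
# $3 HSM directory to link into (normally $CAKM_HSM_DIR)
# $4 owner:group of the Oracle user (e.g. oracle:oinstall)
cakm_post_install() {
  lib="$1/$2"
  [ -f "$lib" ] || { echo "library not found: $lib" >&2; return 1; }
  # Warn rather than fail so the function can be exercised in a scratch directory.
  cakm_hsm_path_ok "$3" || echo "warning: $3 is not the directory Oracle searches ($CAKM_HSM_DIR)" >&2
  chown "$4" "$lib" || return 1                 # step 1: library ownership
  mkdir -p "$3" || return 1                     # step 2: HSM path
  chown -R "$4" "$3" || return 1
  # -f replaces a stale link left by a previous version; -n stops ln from
  # descending into an existing link that points at a directory.
  ln -sfn "$lib" "$3/libcadp_pkcs11.so" || return 1   # step 3: soft link
  cakm_verify_link "$3"
}

# Run as root (or as the oracle user when it already owns the paths):
#   cakm_post_install /opt/CipherTrust/CAKM_for_Oracle_TDE libcadp_pkcs11.so-8.10.0.00X \
#     "$CAKM_HSM_DIR" oracle:oinstall
```

Running the function a second time after an upgrade simply repoints the link at the newer versioned file; cakm_link_target shows which version is active, which is the first thing to check when Oracle reports that it cannot find the PKCS#11 library.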
After installing CAKM for Oracle TDE, you can further configure CAKM for Oracle TDE to meet the needs of your environment. Refer to the Configuring CAKM for Oracle TDE for details.
Note
After successful installation of CAKM for Oracle TDE, execute (source) the .bash_profile/.profile so that the exported variables take effect in your session.