Installing CAKM for Oracle TDE on RHEL/Oracle Linux
You can install CAKM for Oracle TDE using the installation script or in silent mode. In both cases:

For External CA configuration, first complete the installation with the TCP protocol. Then manually configure the SSL settings by updating the required parameters (client certificate, client key, and external CA) in the CADP_PKCS11.properties file. To set up the SSL configuration manually after installation with TCP, follow the steps in Setting up SSL/TLS.

Note
If you run the installer (install.sh) as root or with sudo permission, the default installation directory is /opt. If you run install.sh without root or sudo permission, the default installation directory is the user's home directory (/home). Ensure that the user has permission to run the mkdir, chown, and chmod commands.
The Oracle database must be restarted after installing, upgrading, or changing the configuration of CAKM for Oracle TDE.

After installing CAKM for Oracle TDE, you need to perform some additional steps, as described in Post-installation Steps.
Using Installation Script
1. Download the CAKM for Oracle TDE setup file from the Thales Customer Support Portal.

2. Log on to the client machine as an Oracle user.

3. Extract the setup file using any standard archive utility. For example, execute the following command:

       tar -xzf <source_directory/tar_file_name> -C <destination_directory>

   After extracting the setup file, you will get the install.sh file.

4. Install CAKM for Oracle TDE by running install.sh:

       sudo ./install.sh

   Note
   The install.sh file performs the following:
   - distributes the CAKM for Oracle TDE package files
   - updates the CADP_PKCS11.properties file
   - updates the .profile/.bash_profile
   - creates the certificates if you are using the SSL protocol

5. The next screen displays the End User License Agreement. Read the agreement. If you agree, accept it with the yes (Y) option.

       Do you accept the terms of the End User License Agreement(Y/N)[N]? Y

6. Provide the installation directory path. The default path is /opt.

       Install CAKM for Oracle TDE to path [/opt]:<install_dir>

7. Specify the Key Management Server details. Follow the on-screen prompts to enter the details as per your environment.

       Key Management Server IP Address:<cm_ip>
       Key Management Server PORT [9000]:<cm_port>
       Key Management Server Protocol (ssl/tcp)[ssl]:<protocol>
       Key Management Server username:<cm_user>
       Key Management Server user password:<cm_user_password>

8. If the selected protocol is SSL/TLS, enter the client certificate details.

       Enter Passphrase to protect private key:
       ====Enter information that will be incorporated into your certificate request.====
       Country code (2 letter code e.g., US):
       State or Province name (e.g., California):
       Locality or city name (e.g., San Jose):
       Organization name (e.g., company):
       Organization Unit name (e.g., Section):
       Common Name (eg, your name or your server's hostname):
       Email Address (optional):

   For example:

       Enter Passphrase to protect private key:
       ====Enter information that will be incorporated into your certificate request.====
       Country code (2 letter code e.g., US): IN
       State or Province name (e.g., California): UP
       Locality or city name (e.g., San Jose): Noida
       Organization name (e.g., company): Thales
       Organization Unit name (e.g., Section): DIS
       Common Name (eg, your name or your server's hostname): oracle
       Email Address (optional):

9. On successful installation, the message "CAKM for Oracle TDE Installation is completed" is displayed.

       CAKM for Oracle TDE Installation is completed! You can edit the configuration files located at: /opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties

Now, you need to perform Post-installation Steps.

Note
Once the install.sh script has executed successfully, the following environment variables are updated in your .profile/.bash_profile:

    export NAE_Properties_Conf_Filename="/opt/CipherTrust/CAKM_for_Oracle_TDE/CADP_PKCS11.properties"
    export IngrianNAE_Properties_Conf_Slot_ID_Max="100"
    export IngrianNAE_Properties_Conf_SessionID_Max="100"
Silent installation
For silent installation, provide the basic configuration settings (such as SERVER_IP, SERVER_PORT, SERVER_PROTOCOL, and so on) in the cakm_for_oracle_tde_basic.conf file located at </home/CAKM_for_Oracle_TDE-<version number>/utilities/>. These settings are written automatically to the CADP_PKCS11.properties file after the silent installation is complete.

To install CAKM for Oracle TDE silently:

1. Add the required details in the cakm_for_oracle_tde_basic.conf file and execute the following command:

       sudo ./install.sh -c <path of cakm_for_oracle_tde_basic.conf file> [-d <install_dir>] -y

   For example, if the installation directory path is not provided:

       [user@orcl1 CAKM_for_Oracle_TDE-8.10.0.000]# sudo ./install.sh -c /home/CAKM_for_Oracle_TDE-8.10.0.000/utilities/cakm_for_oracle_tde_basic.conf -y

   Or, if you want to provide the installation directory path, run the following command:

       [user@orcl1 CAKM_for_Oracle_TDE-8.10.0.000]# sudo ./install.sh -c /home/CAKM_for_Oracle_TDE-8.10.0.000/utilities/cakm_for_oracle_tde_basic.conf -d <install_dir> -y

   Or, if you want to perform the silent installation of CAKM for Oracle TDE as a specific user, run the following command:

       [user@orcl1 CAKM_for_Oracle_TDE-8.10.0.000]# ./install.sh -t <TDE_User>

2. If you do not pass '-y' in the silent installation command, you are prompted to accept the End User License Agreement to proceed with the installation.

       Do you accept the terms of the End User License Agreement(Y/N)[N]? Y

3. Specify the installation directory <install_dir> to complete the installation. The default installation directory is /opt.

       Install CAKM for Oracle TDE to path [/opt]:<install_dir>
       CAKM for Oracle TDE Installation is completed!

   The prompt "Install CAKM for Oracle TDE to path [/opt]:<install_dir>" is not displayed if the installation directory is provided. On successful installation, the message "CAKM for Oracle TDE Installation is completed!" is displayed.

Caution
Do not use the cakm_for_oracle_tde_basic utility for any operation. It is for internal use by CAKM for Oracle TDE.

Now, you need to perform the Post-installation Steps.
Post-installation Steps
Note
The receiving directory is a fixed location. Oracle searches for this directory, and it cannot be changed. Changing the directory name results in a "cannot find PKCS11 library" error.

This section describes how to create the required files and directories on the agent system and change their ownership.

1. Change ownership of the CAKM for Oracle TDE library file. This must be done on all UNIX platforms.

       cd <Installation_Path_of_CAKM_for_Oracle_TDE_Library>
       chown <Oracle_user>:<Oracle_group> libcadp_pkcs11.so-<version>

   For example:

       sudo chown oracle:oinstall libcadp_pkcs11.so-8.10.0.00X

2. Create a link to an Oracle HSM recognized path:

       mkdir -p <CAKM_for_Oracle_TDE_Library_Path>
       chown -R <Oracle_user>:<Oracle_group> <CAKM_for_Oracle_TDE_Library_Path>

   For example:

       sudo mkdir -p /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
       sudo chown -R oracle:oinstall /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE

3. As the oracle user, create the soft link to the CAKM for Oracle TDE library.

       su - oracle
       cd /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
       ln -s <Installation_Path_of_CAKM_for_Oracle_TDE_Library>/<lib_name_version> libcadp_pkcs11.so
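The post-installation steps above, gathered into re-runnable shell functions with a check that the soft link really sits under the fixed path Oracle searches. This is an added example, not Thales' installer or any script shipped with CAKM for Oracle TDE; the function names, the owner:group argument, and the permission check on CADP_PKCS11.properties are assumptions, while the paths default to the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the Thales installer: the post-installation steps
# above (ownership, Oracle HSM path, soft link) as re-runnable shell functions,
# plus checks a practitioner would want before restarting the database.
# Assumed: function names, the owner:group argument, and the permission check
# on CADP_PKCS11.properties; path defaults match the page.

cakm_link_library() {
  # $1 installed library, e.g. /opt/CipherTrust/CAKM_for_Oracle_TDE/libcadp_pkcs11.so-<version>
  # $2 Oracle HSM directory, e.g. /opt/oracle/extapi/64/hsm/CipherTrust/CAKM_for_Oracle_TDE
  # $3 owner:group, e.g. oracle:oinstall (empty skips chown, for a non-root dry run)
  lib="$1"; hsm_dir="$2"; owner="$3"
  [ -f "$lib" ] || { echo "library not found: $lib" >&2; return 1; }
  mkdir -p "$hsm_dir" || return 1
  if [ -n "$owner" ]; then
    chown "$owner" "$lib" || return 1
    chown -R "$owner" "$hsm_dir" || return 1
  fi
  # -sfn replaces an existing link, so re-running after an upgrade is safe
  ln -sfn "$lib" "$hsm_dir/libcadp_pkcs11.so"
}

cakm_verify_link() {
  # 0 when the link sits under the fixed path Oracle searches and resolves
  # to a real file; anything else ends in the "cannot find PKCS11 library" error.
  hsm_dir="$1"; link="$hsm_dir/libcadp_pkcs11.so"
  case "$hsm_dir" in
    */opt/oracle/extapi/64/hsm/*) ;;
    *) echo "not under /opt/oracle/extapi/64/hsm: $hsm_dir" >&2; return 2 ;;
  esac
  [ -L "$link" ] || { echo "missing soft link: $link" >&2; return 1; }
  [ -f "$link" ] || { echo "dangling soft link: $link" >&2; return 1; }
}

cakm_check_properties() {
  # $1 file that NAE_Properties_Conf_Filename points at. It carries the Key
  # Manager credentials, so it must exist and must not be world-readable.
  props="$1"
  [ -f "$props" ] || { echo "properties file missing: $props" >&2; return 1; }
  mode=$(stat -c '%a' "$props" 2>/dev/null || stat -f '%Lp' "$props")
  case "$mode" in
    *[4567]) echo "world-readable properties file: $props" >&2; return 1 ;;
  esac
}
```

Run cakm_link_library as root (or with sudo) on the real system so the chown calls succeed, then cakm_verify_link and cakm_check_properties as the oracle user before restarting the database.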
After installing CAKM for Oracle TDE, you can further configure it to meet the needs of your environment. Refer to Configuring CAKM for Oracle TDE for details.

Note
After successful installation of CAKM for Oracle TDE, execute (source) the .bash_profile/.profile so that the exported environment variables take effect in the current shell.