Installing CAKM for Oracle TDE on Windows

You can install CAKM for Oracle TDE using GUI Based Installation or in silent mode. In both ways:

• For External CA configuration, first complete the installation with the TCP protocol. Then, manually configure the SSL settings by updating the required parameters (client cert, client key, and external CA) in the CADP_PKCS11.properties file.

• To set up the SSL configuration manually after installation with TCP, follow the steps mentioned in Setting up SSL/TLS.

After installing CAKM for Oracle TDE, you need to perform some additional steps, as described in Post-installation Steps.

GUI Based Installation

1. Download the CAKM for Oracle TDE setup file from the Thales Customer Support Portal.

2. Double-click the setup.exe to start the InstallShield Wizard. The Welcome screen appears. Click Next.

   

3. Accept the license agreement and click Next.

   

4. Click Change to select a different location. You can click Next to continue with the default installation directory.

   

5. Select the Server Protocol. The options are tcp and ssl.

   If you select the Server Protocol as tcp

   

   1. Specify the following mandatory fields:

      • Server IP/Hostname: Specify the IP Address or Hostname of the CipherTrust Manager.

      • Server Port: Specify the server port of the NAE interface.

      

   2. Click Next.

   If you select the Server Protocol as ssl

   

   1. Specify the following mandatory fields:

      • User name: Specify the username of the CipherTrust Manager.

      • Password: Specify the password of the CipherTrust Manager.

      • Server IP/Hostname: Specify the IP Address or Hostname of the CipherTrust Manager.

      • Server Port: Specify the server port of the NAE interface.

      

   2. Click Next and specify the following certificate information:

      • Common Name (mandatory field)

      • Passphrase (mandatory field)

      • State

      • City

      • Organization Name

      • Organization Unit

      • Country

      • Email Address

      

   3. Click Next.

6. Click Install to begin the installation process.

   

7. Click Finish to exit the installation wizard.

   

Now, you need to perform Post-installation Steps.

Silent Installation

For silent installation, provide basic configuration settings (such as, SERVER_IP, SERVER_PORT, SERVER_PROTOCOL, and so on) through any of the following:

• Using Configuration File

• Using Command Line Arguments

These settings are updated automatically in the CADP_PKCS11.properties file after the silent installation is complete.

Using Configuration File

To install CAKM for Oracle TDE silently:

1. Enter all the details in cakm_for_oracle_tde_basic.conf file.

2. Execute the following command:

   setup.exe /s /v"/qn CONFIGPATH=<path of cakm_for_oracle_tde_basic.conf file>"
   

Using Command Line Arguments

Execute the following command:

setup.exe /s /v"/qn SERVER_IP=<KM IP/Hostname> SERVER_PORT=<KM Port> SERVER_PROTOCOL=<ssl/tcp> NAE_USER=<KM Username> NAE_PASSWORD=<KM Password> PASSPHRASE=<Passphrase/Pin> COUNTRY=<Country> STATE=<State> CITY=<City> ORG=<Organisation> ORG_UNIT=<Organisation Unit> COMMON_NAME=<Comman Name EMAIL=<Email>"

where,

SERVER_IP: Key Management server IP address/Hostname

SERVER_PORT: Key Management server port number

SERVER_PROTOCOL: Connection protocol to server (ssl or tcp)

LOG_LEVEL: Log Level (NONE, ERROR, WARN, INFO)

The following information is needed only for ssl:

NAE_USER: Key Management server user for client certificate creation

NAE_PASSWORD: Key Management server user's password

PASSPHRASE: Passphrase to protect client private key

USER_CREDENTIALS_ENCRYPTED: User credentials are provided in encrypted format or not (Y/N)

COUNTRY: Country Code, for example, US limited to two letters

STATE: State, for example, California

CITY: City, for example, San Jose

ORG: Organization, for example, Thales

ORG_UNIT: Organizational Unit, for example, DIS

COMMON_NAME: Common Name, for example, hostname/IP address, Username

EMAIL: Email address

UPDATE_CONFIGURATION: Expected Y/N. Applicable to upgrade scenario only. In case of Y, new configurations will be applied and new certificate will be generated via installer (in case of ssl). In case of N, the existing configuration from the previous version installer will be retained. Default value is N.

For example:

setup.exe /s /v"/qn SERVER_IP=<cm_IP_address> SERVER_PORT=<NAE port> SERVER_PROTOCOL=ssl NAE_USER=<cm_user> NAE_PASSWORD=<cm_user_password> PASSPHRASE=xxxx COUNTRY=US STATE=California CITY=SJ ORG=Thales ORG_UNIT=DS COMMON_NAME=<CN for client certificate> EMAIL=abc@yy.zzz"

On successful installation, the message CAKM for Oracle TDE Installation is completed! is displayed. Credentials will be masked with asterisk (*) after successful installation in the basic conf file.

Sample

setup.exe /s /v"/qn SERVER_IP=<cm_IP_address> SERVER_PORT=9023 SERVER_PROTOCOL=ssl NAE_USER=<cm_user> NAE_PASSWORD=<cm_user_password> PASSPHRASE=xxxx COUNTRY=US STATE=California CITY=\"San Jose\" ORG=Thales ORG_UNIT=DIS COMMON_NAME=<CN for client certificate> EMAIL=abc@yy.zzz"

Now, you need to perform Post-installation Steps.

Post-installation Steps

1. Create a %SYSTEM_DRIVE%\oracle\extapi\<ARCH>\hsm\CipherTrust\CAKM_for_Oracle_TDE directory. Where %SYSTEM_DRIVE% is a drive on the database server (for example, C: or D:) and <ARCH> is the system architecture (either 32 or 64).

   This point onward, in this document, <ARCH> is used as 64. If the system architecture is different, adjust the value accordingly.

2. Copy the libcadp_pkcs11.dll file from C:\Program Files\CipherTrust\CAKM_for_Oracle_TDE to %SYSTEM_DRIVE%\oracle\extapi\64\hsm\CipherTrust\CAKM_for_Oracle_TDE.

After installing CAKM for Oracle TDE, you can further configure CAKM for Oracle TDE to meet the needs of your environment. Refer to the Configuring CAKM for Oracle TDE for details.