Integrating Oracle Data Guard with CipherTrust Manager on Oracle 19c
This section outlines the following steps to integrate TDE with the CipherTrust Manager on Oracle Data Guard 19c:
Migrating Back From Auto-login HSM Wallet To Manual Software Wallet
Configuring the Standby Database to Support the Primary with RMAN
Configuring the Standby Database to Support the Primary without RMAN
Prerequisites
Before you begin, ensure that:
The primary and standby machines with the database are up and running, and communication is established between them.
The CAKM for Oracle TDE is installed and configured on the primary and the standby machines.
Configuring Keystore Location
After configuring CAKM for Oracle TDE, you need to configure the keystore location.
Configuring HSM Wallet on Fresh Setup
Create the wallet directory for the CDB root and all PDBs using the following commands:
mkdir -p <software_wallet_location>
chown -R oracle:oinstall <software_wallet_location>
After executing the above commands, provide appropriate permission to <software_wallet_location>.
Set the WALLET_ROOT parameter in the spfile and restart the database.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
SHUTDOWN IMMEDIATE; STARTUP;
Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=spfile;
Restart the database and grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to the desired user (<oracle_database_user>).
sqlplus / as sysdba
SHUTDOWN IMMEDIATE; STARTUP;
GRANT ADMINISTER KEY MANAGEMENT TO <oracle_database_user>;
COMMIT;
Check the existing wallets in the Oracle database. Initially, there will be no wallet. To verify this, execute the following command:
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
HSM | | UNKNOWN | CLOSED |
In the following sample command, <cm_user:cm_user_password> represents the NAE user name and its password. The NAE user name and password are case-sensitive. They must appear in double quotes (" ") separated by a colon (:).
The NAE user specified here is the owner of the encryption key created and stored on the CipherTrust Manager. The CipherTrust Manager GUI displays the generated master encryption key.
Connect to the database as <oracle_database_user> and open the hardware keystore.
connect <oracle_database_user>/<oracle_database_user_password>;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
Set the hardware keystore TDE master encryption key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";
Check the wallet status using the following command:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
HSM | | HSM | OPEN |
For column and tablespace encryption, refer to Tasks.
Configuring Auto-login Wallet
After configuring the manual HSM wallet, you can enable auto-login, which removes the need to open the wallet each time you restart the database. To enable auto-login, follow the steps below:
Create a directory for every database and permit the oracle user to access this directory.
mkdir -p <software_wallet_location>
chown -R oracle:oinstall <software_wallet_location>
After executing the above commands, provide appropriate permission to <software_wallet_location>.
Start a new SQL session and reset the WALLET_ROOT parameter in the spfile.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP;
Reset the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=spfile;
In Oracle 19c, the keystore is created by default in the location set by the WALLET_ROOT parameter in the pfile or spfile.
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP;
Create the software keystore at the location provided in the spfile.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Add the secret to the software keystore. This secret is the hardware security module's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
Enable auto-login.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Reset the TDE_CONFIGURATION parameter and restart the database.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN_NO_MASTER_KEY |
HSM | | HSM | OPEN |
Access the data from column- or tablespace-encrypted tables.
connect <oracle_database_user>/<oracle_database_user_password>; SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
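The fresh-setup and auto-login procedures above both start by preparing a wallet directory for the oracle user and both end with a check of V$ENCRYPTION_WALLET against the rows shown in the output. The shell helpers below are an added example and not part of the CipherTrust Manager or CAKM documentation: prepare_wallet_dir creates <software_wallet_location>/tde for the Oracle software owner and locks it to mode 0700 (this example's reading of "appropriate permission"; the page does not state a mode), and check_wallet_status reads the query output as sqlplus prints it (whitespace separated) and succeeds only when the rows match the state the page shows for the chosen configuration. The mode keywords HSM, HSM_AUTOLOGIN and FILE, the function names and the sample output are this example's own; FILE covers the manual software wallet state shown in the migration sections further down.

```shell
#!/bin/sh
# Added example, not from the CipherTrust/CAKM documentation.
# Helpers around the wallet-directory and wallet-status steps of the
# procedures above. Function names and mode keywords are this example's own.

# prepare_wallet_dir DIR OWNER GROUP
# Creates DIR and DIR/tde (the path Oracle uses under WALLET_ROOT), hands
# them to the Oracle software owner and strips group/world access.
# Mode 0700 is this example's reading of "appropriate permission".
prepare_wallet_dir() {
    dir=$1 owner=$2 group=$3
    mkdir -p "$dir/tde" || return 1
    chown -R "$owner:$group" "$dir" || return 1
    chmod 700 "$dir" "$dir/tde" || return 1
    # Verify the result instead of trusting the commands: exactly 0700 on both.
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700)" ] &&
        [ -n "$(find "$dir/tde" -maxdepth 0 -type d -perm 700)" ]
}

# check_wallet_status MODE < query-output
# Reads the rows of
#   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
# on stdin (header and separator lines may be present) and succeeds only if
# the wallet state is the one the procedure expects for MODE:
#   HSM            KEYSTORE_CONFIGURATION=HSM:      HSM row is HSM/OPEN
#   HSM_AUTOLOGIN  KEYSTORE_CONFIGURATION=HSM|FILE: FILE row is AUTOLOGIN/OPEN_NO_MASTER_KEY
#                                                   and HSM row is HSM/OPEN
#   FILE           manual software wallet:          FILE row is PASSWORD/OPEN
check_wallet_status() {
    awk -v mode="$1" '
        $1 == "WRL_TYPE" || /^-+/ || NF == 0 { next }   # header, rule, blank line
        # WRL_PARAMETER is empty for the HSM row, so a row has 3 or 4 fields;
        # WALLET_TYPE and STATUS are always the last two.
        { state[$1] = $(NF-1) "/" $NF }
        END {
            if (mode == "HSM")
                ok = (state["HSM"] == "HSM/OPEN")
            else if (mode == "HSM_AUTOLOGIN")
                ok = (state["HSM"] == "HSM/OPEN" &&
                      state["FILE"] == "AUTOLOGIN/OPEN_NO_MASTER_KEY")
            else if (mode == "FILE")
                ok = (state["FILE"] == "PASSWORD/OPEN")
            else
                ok = 0
            exit (ok ? 0 : 1)
        }'
}

# Demo on constructed query output (not captured from a real database).
demo() {
    printf 'WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS\n-------- ------------- ----------- ------\nFILE /opt/software_wallet/tde/ AUTOLOGIN OPEN_NO_MASTER_KEY\nHSM HSM OPEN\n' \
        | check_wallet_status HSM_AUTOLOGIN && echo "auto-login HSM wallet: expected state"
    printf 'HSM UNKNOWN CLOSED\n' | check_wallet_status HSM || echo "HSM wallet is not open yet"
}
demo
```

Run the query through sqlplus -s and pipe it into check_wallet_status from the same script that restarts the database, so a wallet left CLOSED or OPEN_NO_MASTER_KEY fails the run immediately instead of being discovered when the first query against an encrypted tablespace fails.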
Migrating from Software Wallet to HSM Wallet
This section covers the following topics:
Migrating Manual Software Wallet to HSM Wallet
You can migrate an already configured software-based wallet to a hardware-based wallet. If a software wallet is already configured, the wallet information looks like this:
sqlplus / as sysdba
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
To migrate a software wallet to an HSM wallet:
Set the software-based wallet's password as the HSM wallet's password.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<software_keystore_password>" SET "<cm_user:cm_user_password>" WITH BACKUP;
Set the TDE_CONFIGURATION parameter and restart the database.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
It is recommended to restart the database whenever you change the spfile.
Run the following command to migrate the key from the software wallet to the HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<cm_user:cm_user_password>" with backup using 'migration_backup';
Migrating Manual Software Wallet to Auto-login HSM Wallet
You can migrate an already configured manual software-based wallet to an auto-login hardware-based wallet. If a software wallet is already configured, the wallet information looks like this:
Check the wallet status:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
Add the secret to the software keystore. This secret is the hardware security module's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command will not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create a new auto-login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE; STARTUP; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Reset the TDE_CONFIGURATION parameter, restart the database and check the wallet status.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Migrate the manual software wallet to auto-login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Access the data from the encrypted tablespace and tables.
connect <oracle_database_user>/<oracle_database_user_password>; SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
Migrating Auto-login Software Wallet to Auto-login HSM Wallet
You can migrate an already configured auto-login software-based wallet to an auto-login hardware-based wallet. If a software wallet is already configured, the spfile entry and the wallet information have the following structure:
WALLET_ROOT=<software_wallet_location>
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN |
Rename or move the cwallet.sso file from the location specified above to any other location. Restart the database and open the software keystore.
SHUTDOWN IMMEDIATE; STARTUP; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Add the secret to the software keystore. This secret is the hardware security module's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command will not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
Create a new auto-login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE; STARTUP; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Reset the TDE_CONFIGURATION parameter and restart the database.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
Migrate the auto-login software wallet to auto-login HSM wallet.
connect <oracle_database_user>/<oracle_database_user_password>; ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
Access the data from the encrypted tablespace and tables.
SELECT * FROM EMPLOYEES; SELECT * FROM CUSTOMERS;
Migrating Back From Auto-login HSM Wallet To Manual Software Wallet
Migrating Back From Auto-login HSM Wallet To Manual Software Wallet includes:
Migrating back to Manual Software Wallet on the Primary Database
Perform the following steps on the Primary Database:
Check Wallet status.
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /opt/software_wallet/tde/ | AUTOLOGIN | OPEN |
HSM | | HSM | OPEN |
Navigate to the <software_wallet_location>/tde directory and rename the cwallet.sso file to cwallet_backup.sso.
Restart the database.
SHUTDOWN IMMEDIATE; STARTUP;
Set TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
Open the Wallet.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Check Wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /opt/software_wallet/tde/ | PASSWORD | OPEN |
Run the reverse migration command.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
After performing the reverse migration steps, uninstall the provider and restart the database.
Migrating back to Manual Software Wallet on the Standby Database
Check Wallet status.
COLUMN WRL_PARAMETER FORMAT A50; SET LINES 200; SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /opt/software_wallet/tde/ | AUTOLOGIN | OPEN |
HSM | | HSM | OPEN |
Go to the <software_wallet_location>/tde directory and rename the cwallet.sso file to cwallet_backup.sso.
Copy the ewallet.p12 file from the wallet directory of the primary database into the wallet directory of the standby database.
Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
Restart the Database.
SHUTDOWN IMMEDIATE; STARTUP;
Now configure the standby database to support the primary.
SHUTDOWN IMMEDIATE;
STARTUP nomount pfile=/u01/initorcl.ora;
exit
rman TARGET <sys>/<sys_password>@<primary_sid> AUXILIARY <sys>/<sys_password>@<standby_sid>
RMAN> Duplicate target database for standby from active database dorecover nofilenamecheck;
After performing the above steps, uninstall the provider and restart the database.
Open the Wallet.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
Check Wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /opt/software_wallet/tde/ | PASSWORD | OPEN |
Configuring the Standby Database to Support the Primary with RMAN
Create a wallet directory identical to the one created on the primary database. Copy all the contents of the wallet directory from the primary database to the wallet directory on the standby database.
mkdir -p <software_wallet_location>/tde
chown -R oracle:oinstall <software_wallet_location>/tde
After executing the above commands, provide appropriate permission to <software_wallet_location>.
To resume managed recovery, run the following commands:
shutdown immediate;
startup nomount pfile=/u01/initorcl.ora;
exit
rman TARGET <sys>/<sys_password>@<primary_sid> AUXILIARY <sys>/<sys_password>@<standby_sid>
RMAN> Duplicate target database for standby from active database dorecover nofilenamecheck;
The pfile mentioned in the above step was moved from the primary database to the standby database during the Data Guard setup. When the standby database recovery is complete, the standby database can be opened in read-only mode to allow query access.
Set the WALLET_ROOT parameter in the spfile and restart the database.
sqlplus / as sysdba
SHUTDOWN IMMEDIATE; STARTUP;
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
SHUTDOWN IMMEDIATE; STARTUP;
Set the TDE_CONFIGURATION parameter.
For an HSM-only wallet:
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
For Other Wallets (HSM with Auto Wallet, Migrating from Software Wallet to HSM Wallet, Migrating Manual Software Wallet to Auto-login HSM Wallet, or Migrating Auto-login Software Wallet to Auto-login HSM Wallet):
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
Connect to the database as system and run a query on your encrypted tablespace, for example to display the contents of the EMPLOYEES table.
For a non-auto-login wallet, first open the keystore.
connect <oracle_database_user>/<oracle_database_user_password>; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
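The reverse-migration steps above rename cwallet.sso to cwallet_backup.sso on the primary and on the standby and copy ewallet.p12 from the primary's wallet directory to the standby's, and the RMAN procedure copies the whole wallet directory across. The shell helpers below are an added example, not part of the CipherTrust Manager or CAKM documentation: disable_autologin_wallet performs the rename without overwriting an earlier backup, copy_wallet_dir copies the wallet files, and verify_wallet_copy confirms with cksum that every file on the standby is byte-for-byte the primary's. Function names are this example's own, and it assumes the primary's wallet files have already been transferred to (or mounted on) the standby host, since the page leaves the transfer mechanism open.

```shell
#!/bin/sh
# Added example, not from the CipherTrust/CAKM documentation.
# File handling for the wallet directory (WALLET_ROOT/tde) in the
# reverse-migration and standby steps above. Function names are this
# example's own; the primary's files are assumed to be reachable locally.

# disable_autologin_wallet TDE_DIR
# Renames cwallet.sso to cwallet_backup.sso as the reverse-migration steps
# require, but refuses to overwrite an existing backup so that running the
# step twice cannot discard the only copy of the previous auto-login wallet.
disable_autologin_wallet() {
    tde_dir=$1
    if [ ! -f "$tde_dir/cwallet.sso" ]; then
        echo "no cwallet.sso in $tde_dir" >&2
        return 1
    fi
    if [ -e "$tde_dir/cwallet_backup.sso" ]; then
        echo "cwallet_backup.sso already exists in $tde_dir; refusing to overwrite" >&2
        return 1
    fi
    mv "$tde_dir/cwallet.sso" "$tde_dir/cwallet_backup.sso"
}

# verify_wallet_copy SRC_DIR DST_DIR
# Succeeds only if every regular file in SRC_DIR (ewallet.p12, cwallet.sso,
# ...) is present in DST_DIR with the same cksum (CRC and length), which
# catches a truncated or stale copy before the standby is started.
verify_wallet_copy() {
    src=$1 dst=$2
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$dst/$name" ]; then
            echo "missing on standby: $dst/$name" >&2
            return 1
        fi
        if [ "$(cksum < "$f")" != "$(cksum < "$dst/$name")" ]; then
            echo "checksum mismatch: $name" >&2
            return 1
        fi
    done
    return 0
}

# copy_wallet_dir SRC_DIR DST_DIR
# Copies the primary's wallet files into the standby's wallet directory,
# preserving permissions, and verifies the copy.
copy_wallet_dir() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dst/" || return 1
    done
    verify_wallet_copy "$src" "$dst"
}

# Demo on constructed files in a temporary directory (not real wallets).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/primary/tde"
    printf 'constructed ewallet.p12 bytes' > "$tmp/primary/tde/ewallet.p12"
    printf 'constructed cwallet.sso bytes' > "$tmp/primary/tde/cwallet.sso"
    copy_wallet_dir "$tmp/primary/tde" "$tmp/standby/tde" && echo "standby wallet copy verified"
    disable_autologin_wallet "$tmp/standby/tde" && echo "auto-login wallet set aside on standby"
    rm -rf "$tmp"
}
demo
```

Run verify_wallet_copy again after the database has been restarted on the standby: a mismatch at that point means the wallet on disk is no longer the one the primary holds, which is exactly the state in which a later role transition fails to open the keystore.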
Configuring the Standby Database to Support the Primary without RMAN
Primary Node
Copy the cwallet.sso and ewallet.sso files from the source node to the destination node in the cluster, at the same location. Switch the log file.
Alter system switch logfile;
Standby Node:
Set WALLET_ROOT parameter in the spfile and restart the database.
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
Set the TDE_CONFIGURATION parameter.
For an HSM-only wallet:
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
For Other Wallets (HSM with Auto Wallet, Migrating from Software Wallet to HSM Wallet, Migrating Manual Software Wallet to Auto-login HSM Wallet, or Migrating Auto-login Software Wallet to Auto-login HSM Wallet):
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile; SHUTDOWN IMMEDIATE; STARTUP;
To resume the managed recovery process, run the following command:
ALTER DATABASE RECOVER MANAGED STANDBY DATABASE USING CURRENT LOGFILE DISCONNECT FROM SESSION;
This method does not replicate the tablespaces from the primary to the standby node.