Integrating TDE with CipherTrust Manager on Oracle 19c/21c
This section outlines the steps to integrate TDE with the CipherTrust Manager on Oracle 19c/21c.
Configuring Keystore Location
After configuring the CAKM for Oracle TDE library with Oracle TDE, you need to configure the keystore location. In the pfile or spfile, set the software wallet location in the WALLET_ROOT parameter and the wallet type in the TDE_CONFIGURATION parameter.
Configuring HSM Wallet
This section covers the following topics:
Configuring HSM Wallet on Fresh Setup
Configuring Manual HSM Wallet to Auto-Login HSM Wallet
Configuring Manual HSM Wallet with PDB in United Mode
Configuring Auto-login HSM Wallet with PDB
Configuring HSM Wallet on Fresh Setup
1. Create the wallet directory using the following commands:
For Linux:
mkdir -p <software_wallet_location>
chown -R oracle:oinstall <software_wallet_location>
For Windows:
Create the <software_wallet_location> directory manually. After creating the wallet location, grant Read, Write, and Execute permissions on <software_wallet_location> to the Oracle user.
2. Set the WALLET_ROOT parameter in the spfile.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
3. Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
4. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both;
5. Check the existing wallets in the Oracle database. Initially, there is no wallet. To verify this, execute the following query:
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
HSM | | UNKNOWN | CLOSED |
Note
In the following sample command, <cm_user:cm_user_password> represents the NAE user name and its password. The NAE user name and password are case-sensitive. They must appear in double quotes (" "), separated by a colon (:).
The NAE user specified here is the owner of the encryption key created and stored on the CipherTrust Manager. The CipherTrust Manager GUI displays the generated master encryption key.
6. Connect to the database as <oracle_db_user> and open the hardware security module (HSM) keystore.
connect <oracle_db_user>/<oracle_db_user_password>;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
7. Set the HSM keystore TDE master encryption key.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";
8. Check the wallet status by executing the following query:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
HSM | | HSM | OPEN |
When using Oracle RAC, repeat steps 1 to 6 on the other node(s).
For Column and Tablespace encryption, refer to Tasks.
Configuring Manual HSM Wallet to Auto-Login HSM Wallet
After configuring the manual HSM wallet, you can enable Auto-Login. Auto-Login removes the need to open the wallet each time you restart the database. To enable Auto-Login, follow the steps below:
1. Create the directory for every database and permit the oracle user to access this directory.
For Linux:
mkdir -p <software_wallet_location>
chown -R oracle:oinstall <software_wallet_location>
For Windows:
Create the <software_wallet_location> directory manually. After creating the wallet location, grant Read, Write, and Execute permissions on <software_wallet_location> to the Oracle user.
2. Start a new SQL session and set the WALLET_ROOT parameter in the spfile.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
3. Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
4. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
5. Create the software keystore at the location provided in the spfile.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
6. Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
7. Reverse migrate the HSM wallet to the file wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
8. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
9. Create the Auto-Login keystore.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
10. Restart the database to enable Auto-Login.
SHUTDOWN IMMEDIATE;
STARTUP;
11. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
12. Migrate the Auto-Login file wallet to the Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
13. Confirm that HSM Auto-Login is now active.
SHUTDOWN IMMEDIATE;
STARTUP;
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
14. Access the data from the column-encrypted table or tablespace-encrypted tables.
connect <oracle_db_user>/<oracle_db_user_password>;
SELECT * FROM EMPLOYEES;
SELECT * FROM CUSTOMERS;
When using Oracle RAC, perform all the above steps on one target instance only, with all the other RAC instance(s) shut down. After following the above steps, copy the cwallet.sso and ewallet.p12 files from the configured node to all the other node(s) at the same <software_wallet_location>. After copying cwallet.sso and ewallet.p12 to the other node(s), restart all the other RAC instance(s).
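The end state of the two procedures above (a manual HSM wallet shows an HSM row that is OPEN; an Auto-Login HSM wallet shows a FILE row of type AUTOLOGIN plus an HSM row, both OPEN) can be verified on every RAC node from the captured output of SHOW PARAMETER TDE_CONFIGURATION and the V$ENCRYPTION_WALLET query. The following is an added example, not code from the Thales documentation or the CAKM product; the sample listings are constructed and the column layout assumed is the one the queries above produce.

```python
"""Check a node's TDE keystore state from captured sqlplus output.
Added example (not Thales or Oracle code): a manual HSM wallet (HSM) needs the HSM
row OPEN; an Auto-Login HSM wallet (HSM|FILE) also needs a FILE row of type
AUTOLOGIN, OPEN, carrying the HSM_PASSWORD secret."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class WalletRow:
    wrl_type: str       # FILE or HSM
    wrl_parameter: str  # wallet directory; empty for the HSM row
    wallet_type: str    # PASSWORD, AUTOLOGIN, HSM or UNKNOWN
    status: str         # OPEN, CLOSED, NOT_AVAILABLE, ...


def parse_keystore_configuration(text: str) -> List[str]:
    """'KEYSTORE_CONFIGURATION=HSM|FILE' -> ['HSM', 'FILE']; primary keystore first."""
    m = re.search(r"KEYSTORE_CONFIGURATION=([A-Z]+(?:\|[A-Z]+)?)", text)
    if not m:
        raise ValueError("no KEYSTORE_CONFIGURATION value found")
    return m.group(1).split("|")


def parse_wallet_listing(listing: str) -> Dict[str, WalletRow]:
    """Parse the whitespace-aligned V$ENCRYPTION_WALLET listing, keyed by WRL_TYPE.
    The HSM row has an empty WRL_PARAMETER and so splits into three tokens;
    header, separator and blank lines are skipped."""
    rows: Dict[str, WalletRow] = {}
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("FILE", "HSM"):
            continue
        if len(tokens) == 3:
            tokens.insert(1, "")
        if len(tokens) != 4:
            raise ValueError(f"unexpected V$ENCRYPTION_WALLET row: {line!r}")
        rows[tokens[0]] = WalletRow(*tokens)
    return rows


def verify_keystore_state(show_parameter_output: str, listing: str) -> List[str]:
    """Return findings; an empty list means the node is in the state its
    KEYSTORE_CONFIGURATION implies."""
    order = parse_keystore_configuration(show_parameter_output)
    rows = parse_wallet_listing(listing)
    primary = order[0]
    secondary = order[1] if len(order) > 1 else None
    findings: List[str] = []
    # Whatever the configuration, the primary keystore must be open.
    if primary not in rows:
        findings.append(f"no {primary} row in V$ENCRYPTION_WALLET")
    elif rows[primary].status != "OPEN":
        findings.append(f"primary keystore {primary} is {rows[primary].status}, expected OPEN")
    # Auto-Login HSM: the FILE keystore must be the AUTOLOGIN cwallet.sso that
    # holds the HSM_PASSWORD secret, or the HSM cannot be opened unattended.
    if primary == "HSM" and secondary == "FILE":
        f = rows.get("FILE")
        if f is None:
            findings.append("HSM|FILE configured but no FILE row; cwallet.sso missing on this node?")
        elif f.wallet_type != "AUTOLOGIN":
            findings.append(f"FILE keystore type is {f.wallet_type}, not AUTOLOGIN; Auto-Login is not enabled")
        elif f.status != "OPEN":
            findings.append(f"Auto-Login FILE keystore is {f.status}, expected OPEN")
    return findings


# Constructed sample output, not captured from a real system.
SHOW_PARAMETER = "tde_configuration  string  KEYSTORE_CONFIGURATION=HSM|FILE"
GOOD_NODE = """\
WRL_TYPE  WRL_PARAMETER          WALLET_TYPE  STATUS
--------  ---------------------  -----------  ------
FILE      /u01/app/oracle/tde/   AUTOLOGIN    OPEN
HSM                              HSM          OPEN
"""
# A RAC node restarted before cwallet.sso and ewallet.p12 were copied to it.
BAD_NODE = """\
WRL_TYPE  WRL_PARAMETER          WALLET_TYPE  STATUS
--------  ---------------------  -----------  ------
FILE      /u01/app/oracle/tde/   UNKNOWN      NOT_AVAILABLE
HSM                              UNKNOWN      CLOSED
"""
```

Feeding the second listing to verify_keystore_state reports that the HSM keystore is CLOSED and that the FILE keystore is not AUTOLOGIN, which is what a node looks like when it was restarted before the wallet files were copied.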
Configuring Manual HSM Wallet with PDB in United Mode
Note
Whenever you restart any of the databases, you must run the ALTER PLUGGABLE DATABASE command as shown below:
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Do not configure HSM Auto-Login for the CDB until you have generated the master key for the pluggable database (PDB), or for all PDBs if multiple PDBs are using TDE. After generating the master key for all PDBs, you can configure the CDB for Auto-Login and it will work for all PDBs as well.
To plug a PDB from one CDB into another, unplug the PDB from one container database, plug it into the other container database, and open the wallet in the PDB. It will then work.
To configure an HSM wallet with a PDB in United mode:
1. Configure the keystore location using the following commands:
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
shutdown immediate;
startup;
SHOW PARAMETER WALLET_ROOT;
2. Open the PDB in read-write mode.
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
3. Grant the administrator privileges to <pdbuser>.
GRANT ADMINISTER KEY MANAGEMENT TO <pdbuser>;
GRANT CREATE SESSION TO <pdbuser>;
GRANT CONNECT TO <pdbuser>;
COMMIT;
4. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both;
SHOW PARAMETER TDE_CONFIGURATION;
5. Open the HSM wallet in the CDB and PDB.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<ALL>;
6. Set the HSM master encryption key in the CDB and PDB.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<ALL>;
7. Log in to the target PDB and create the encrypted tablespace and table.
ALTER SESSION SET CONTAINER=<pdb_name>;
Connect <pdbuser>/<pdb_password>;
For Column and Tablespace encryption, refer to Tasks.
Configuring Auto-login HSM Wallet with PDB
To enable Auto-Login with a PDB, you need to enable Auto-Login in the container database only. Once you enable Auto-Login in the CDB, it automatically works for the PDB. To configure Auto-Login in the CDB, follow the steps below:
1. Create the directory for every database and permit the oracle user to access this directory.
mkdir -p <software_wallet_location>
chown -R oracle:oinstall <software_wallet_location>
2. Set the WALLET_ROOT parameter to the software wallet location in the spfile and restart the database.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
3. Set the TDE_CONFIGURATION parameter in the pfile and spfile.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;
4. Create the software keystore at the location provided in the spfile.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
5. Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=<pdb_name>/<ALL>;
6. Reverse migrate the HSM wallet to the file wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
7. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
8. Create the Auto-Login keystore.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
9. Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
10. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
11. Migrate the Auto-Login file wallet to the Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
12. Check the wallet status.
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
13. Connect to the PDB.
ALTER SESSION SET CONTAINER=<pdb_name>;
CONNECT <pdb_user>/<pdb_user_password>@<pdb_name>;
14. Check the wallet status and access the data from the encrypted tablespace and tables.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
SELECT * FROM EMPLOYEES;
SELECT * FROM CUSTOMERS;
When using Oracle RAC, perform all the above steps on one target instance only, with all the other RAC instances shut down. After all the above steps are completed, copy the cwallet.sso and ewallet.p12 files from the configured target node to all the other node(s) at the /tde location. After copying cwallet.sso and ewallet.p12, start all other RAC instance(s) and open the PDB.
sqlplus / as sysdba
STARTUP;
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
Migrating from Software Wallet to HSM Wallet
This section covers the following topics:
Migrating Manual Software Wallet to HSM Wallet
Migrating Manual Software Wallet to Auto-Login HSM Wallet
Migrating Auto-Login Software Wallet to Auto-Login HSM Wallet
Migrating Software Wallet to HSM Wallet in PDB
Migrating Software Wallet to Auto-Login HSM Wallet with Isolated PDB
Migrating Auto-Login File Wallet with PDB to Auto-Login HSM Wallet with PDB
Migrating Manual Software Wallet to HSM Wallet
You can migrate an already configured software-based wallet to an HSM wallet. If you have a software wallet configured already, the wallet information looks like this:
sqlplus / as sysdba
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
To migrate a software wallet to an HSM wallet:
1. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
2. Run the command to migrate the key from the software wallet to the HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" with backup;
When using Oracle RAC, it is recommended to perform all the above steps on one target instance only, with all the other RAC instances shut down. After all the above steps are completed, copy the cwallet.sso and ewallet.p12 files from the configured target node to all the other node(s) at the /tde location. Restart all other RAC instance(s).
sqlplus / as sysdba
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
Migrating Manual Software Wallet to Auto-Login HSM Wallet
You can migrate an already configured manual software-based wallet to an Auto-Login HSM wallet. If you have a software wallet configured already, the wallet information looks like this:
1. Check the wallet status:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
2. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command does not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
3. Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
4. Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE;
STARTUP;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
5. Set the TDE_CONFIGURATION parameter and verify it.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHOW PARAMETER TDE_CONFIGURATION;
6. Migrate the manual software wallet to the Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
7. Create a new MEK (master encryption key) on the CipherTrust Manager.
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";
8. Access the data from the encrypted tablespace and tables.
connect <oracle_db_user>/<oracle_db_user_password>;
SELECT * FROM EMPLOYEES;
SELECT * FROM CUSTOMERS;
When using Oracle RAC, after following the above steps copy the cwallet.sso and ewallet.p12 files from the configured node to all the other node(s) at the same location. After copying cwallet.sso and ewallet.p12 to the other node(s), restart the database.
Migrating Auto-Login Software Wallet to Auto-Login HSM Wallet
You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If you have a software wallet configured already, the content of the spfile and the wallet information have the following structure:
WALLET_ROOT=<software_wallet_location>
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN |
1. Rename or move the cwallet.sso file from the location specified above to any other location. Restart the database and open the software keystore.
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
2. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command does not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
3. Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
4. Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE;
STARTUP;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
5. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
6. Migrate the Auto-Login software wallet to the Auto-Login HSM wallet.
connect <oracle_db_user>/<oracle_db_user_password>;
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
7. Create a new MEK (master encryption key) on the CipherTrust Manager.
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";
8. Access the data from the encrypted tablespace and tables.
SELECT * FROM EMPLOYEES;
SELECT * FROM CUSTOMERS;
When using Oracle RAC, after following the above steps copy the cwallet.sso and ewallet.p12 files from the configured node to all the other node(s) at the same location. After copying cwallet.sso and ewallet.p12 to the other node(s), restart the database.
Migrating Software Wallet to HSM Wallet in PDB
If you are using a PDB with a software wallet, you can migrate to an HSM wallet. Your spfile and the wallet status for both the CDB and PDB have the following structure:
CDB:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | PASSWORD | OPEN |
PDB:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | | PASSWORD | OPEN |
1. Set the TDE_CONFIGURATION parameter and verify it.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHOW PARAMETER TDE_CONFIGURATION;
2. Migrate both the CDB and PDB to the HSM wallet and set the encryption key.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<pdb_name>/<ALL>;
3. Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
4. Restart the database, log in to the CDB and open the wallet.
Note
After restarting any of the databases, you must run the ALTER PLUGGABLE DATABASE command as shown below:
ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
5. Log on to the PDB and open the wallet. The HSM wallet opens and retrieves the data from the encrypted tables.
When using Oracle RAC, perform all the above steps on one target instance only, with all the other RAC instances shut down. After all the above steps are completed, copy the cwallet.sso and ewallet.p12 files from the configured target node to all the other node(s) at the /tde location. Restart all other RAC instance(s) and open the PDB.
sqlplus / as sysdba
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<pdb_name>/<ALL>;
Migrating Software Wallet to Auto-Login HSM Wallet with Isolated PDB
1. Ensure that the PDB is in Isolated mode.
SELECT KEYSTORE_MODE FROM V$ENCRYPTION_WALLET;
Output:
KEYSTORE |
---|
ISOLATED |
2. Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /home/oracle/tde/ | PASSWORD | OPEN |
FILE | /home/oracle/tde/ | PASSWORD | OPEN |
3. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command does not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
4. Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
5. Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE;
STARTUP;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
6. Set the TDE_CONFIGURATION parameter and verify it.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHOW PARAMETER TDE_CONFIGURATION;
7. Migrate the manual software wallet to the Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
8. Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /home/oracle/tde/ | AUTOLOGIN | OPEN |
FILE | | HSM | OPEN |
9. Open the Isolated PDB in read-write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
10. Connect to the Isolated PDB.
ALTER SESSION SET CONTAINER = PDB19C;
11. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command does not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user_1:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
12. Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
13. Restart the database and check the wallet status.
SHUTDOWN IMMEDIATE;
STARTUP;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
14. Set the TDE_CONFIGURATION parameter and verify it.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
SHOW PARAMETER TDE_CONFIGURATION;
15. Migrate the manual software wallet to the Auto-Login HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user_1:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
16. Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | /home/oracle/tde/ | AUTOLOGIN | OPEN |
FILE | | HSM | OPEN |
Migrating Auto-Login File Wallet with PDB to Auto-Login HSM Wallet with PDB
You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If you have a software wallet configured already, the content of the spfile and the wallet information have the following structure:
WALLET_ROOT=<software_wallet_location>
Output:
WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
---|---|---|---|
FILE | <software_wallet_location> | AUTOLOGIN | OPEN |
1. Rename or move the cwallet.sso file from the location specified above to any other location. Restart the database and open the software keystore.
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
show parameter WALLET_ROOT;
2. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
show parameter TDE_CONFIGURATION;
3. Migrate the software wallet to the HSM wallet.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" with backup;
4. Check the wallet status.
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
5. (Optional) Set the master encryption key for the HSM keystore.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" container=<pdb_name>/<ALL>;
6. Close the HSM keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";
7. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
8. Open the keystore for all PDBs.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" container=<pdb_name>/<ALL>;
9. Check the wallet status.
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
10. Add the secret to the software keystore. This secret is the HSM's password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command does not work otherwise.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" with backup;
11. Create a new Auto-Login keystore using the password of the Oracle software wallet.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
12. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
13. Restart the database.
shutdown immediate;
startup;
14. Open the PDB in read-write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
15. Check the wallet status.
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
16. Connect to the PDB.
ALTER SESSION SET CONTAINER=<pdb_name>;
17. Check the wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
(This step applies to Oracle RAC.) After running the above steps on the source node, perform the following steps on all the destination nodes:
1. Rename the existing cwallet.sso file.
2. Copy the cwallet.sso and ewallet.p12 files from the source node to the destination node in the cluster at the same location.
3. Restart the database on the destination node.
4. Open the PDB in read-write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
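The destination-node file handling that the RAC steps above describe (rename the existing cwallet.sso, then copy cwallet.sso and ewallet.p12 to the same location) is the part most often done by hand and most often done half-way. The following is an added example, not Thales or Oracle code: it stages both files into a destination wallet directory, refuses to copy one file without the other, and backs up any existing cwallet.sso under the cwallet_backup.sso name that the reverse-migration section on this page uses. It assumes the destination directory is reachable as a local path (a mounted or already synchronised copy); the transport between nodes is out of scope. The demo() helper runs the whole thing against constructed temporary directories.

```python
"""Stage cwallet.sso and ewallet.p12 from the configured node into another
node's wallet directory. Added example (not Thales or Oracle code); assumes the
destination directory is reachable as a local path (for example a mounted or
already synchronised copy), so cross-node transport is out of scope."""
import os
import shutil
import tempfile
from typing import Dict, List

WALLET_FILES = ("cwallet.sso", "ewallet.p12")
BACKUP_NAME = "cwallet_backup.sso"  # name used by the reverse-migration section


def stage_wallet_files(src_dir: str, dst_dir: str) -> List[str]:
    """Copy both wallet files into dst_dir, renaming any existing cwallet.sso first.

    Returns the actions performed, for an operator log. Refuses to proceed if
    either file is missing on the source, so a node never ends up with only
    one file of the pair.
    """
    missing = [f for f in WALLET_FILES if not os.path.isfile(os.path.join(src_dir, f))]
    if missing:
        raise FileNotFoundError(f"{src_dir} is missing {', '.join(missing)}")
    os.makedirs(dst_dir, exist_ok=True)
    actions: List[str] = []
    # The procedure renames the existing cwallet.sso before the copy; do the
    # same rather than silently overwriting it, and never clobber an earlier backup.
    old = os.path.join(dst_dir, "cwallet.sso")
    if os.path.isfile(old):
        backup = os.path.join(dst_dir, BACKUP_NAME)
        n = 1
        while os.path.exists(backup):
            backup = os.path.join(dst_dir, f"cwallet_backup.{n}.sso")
            n += 1
        os.replace(old, backup)
        actions.append(f"renamed cwallet.sso -> {os.path.basename(backup)}")
    for name in WALLET_FILES:
        shutil.copy2(os.path.join(src_dir, name), os.path.join(dst_dir, name))
        actions.append(f"copied {name}")
    return actions


def demo() -> Dict[str, object]:
    """Run the staging against constructed temporary directories and report the result."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "node1", "tde")
        dst = os.path.join(root, "node2", "tde")
        os.makedirs(src)
        os.makedirs(dst)
        for name in WALLET_FILES:  # constructed placeholder wallet files
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(b"constructed " + name.encode())
        with open(os.path.join(dst, "cwallet.sso"), "wb") as fh:
            fh.write(b"stale auto-login wallet on node2")
        actions = stage_wallet_files(src, dst)
        with open(os.path.join(dst, "cwallet.sso"), "rb") as fh:
            new_wallet = fh.read()
        return {
            "actions": actions,
            "backup_exists": os.path.isfile(os.path.join(dst, BACKUP_NAME)),
            "cwallet_is_new": new_wallet == b"constructed cwallet.sso",
            "files": sorted(os.listdir(dst)),
        }
```

After staging, restart the instance on that node and open the PDB as the steps above describe; the wallet files must be owned by the Oracle user, as the directory setup earlier on this page requires.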
Migrating Back from HSM Wallet to Software Wallet
If you want to switch from an HSM keystore to a software keystore, you can use reverse migration of the keystore.
Note
It is recommended to keep the HSM. Earlier backup files may rely on TDE master encryption keys present in the HSM.
1. Navigate to the <software_wallet_location>/tde directory and rename the cwallet.sso file to cwallet_backup.sso.
2. Set the TDE_CONFIGURATION parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
3. Log on to the database instance as a user who has been granted the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
sqlplus / as sysdba
GRANT ADMINISTER KEY MANAGEMENT to system;
commit;
Connect <oracle_db_user>/<oracle_db_user_password>;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
4. Run the reverse migration command.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" reverse migrate using "<cm_user:cm_user_password>" with backup;
After you complete the reverse migration, you do not need to restart the database or manually reopen the software keystore.
When using Oracle RAC, perform all the above steps on one target instance only, with all the other RAC instances shut down. After all the above steps are completed, copy the cwallet.sso and ewallet.p12 files from the configured target node to all the other node(s) at the /tde location. Restart all other RAC instance(s) and open the wallet.
sqlplus / as sysdba
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<software_keystore_password>";