Integrating TDE with CipherTrust Manager on Oracle 19c Exadata Cloud@Customer (ExaCC) in Data Guard Setup
This section outlines the steps to integrate TDE with CipherTrust Manager on Oracle 19c ExaCC in a Data Guard setup:

Configuring Auto-Login HSM Wallet on Fresh Setup

1. Create an Auto-Login HSM wallet on a fresh machine:

   dbaascli database create --tdeConfigMethod EXTERNAL_HSM --dbname <database name> --oracleHome <ORACLE_HOME>

2. Verify the status of the HSM wallet:

   dbaascli database getDetails --dbname <database name>

   Output:

   {
     ……………………
     "tdeDetails" : {
       "tdeKeystoreType" : "EXTERNAL_HSM",
       "keyVersionOcid" : null,
       "tdeMasterKeyId" : "<key id>",
       "walletRootEnabled" : true,
       "walletLocation" : "<path of the wallet>"
     }
   }

   A "tdeKeystoreType" of "EXTERNAL_HSM" with "walletRootEnabled" set to true confirms that the database is using the HSM-backed keystore.
Migrating from Software Wallet to HSM Wallet

Migrating Auto-Login Software Wallet to Auto-Login HSM Wallet

Perform the following steps to migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet:

1. On the primary node, execute the following:

   dbaascli tde FileToHSM --dbname <database name> --hsmKeystoreConfigType EXTERNAL_HSM

2. On the standby node, execute the following:

   dbaascli tde FileToHSM --dbname <database name> --hsmKeystoreConfigType EXTERNAL_HSM --primarySuc True

3. Rotate the master encryption key:

   dbaascli tde rotateMasterKey --dbname <database name> --rotateMasterKeyOnAllPDBs

Note: Enter the software wallet password to rotate the key.
Migrating Auto-Login Software Wallet with United PDB to Auto-Login HSM Wallet with United PDB

Perform the following steps to migrate a software-based Auto-Login enabled wallet (united PDB) to an Auto-Login enabled HSM wallet (united PDB):

1. On the primary node, execute the following:

   dbaascli tde FileToHSM --dbname <database name> --hsmKeystoreConfigType EXTERNAL_HSM

2. On the standby node, execute the following:

   dbaascli tde FileToHSM --dbname <database name> --hsmKeystoreConfigType EXTERNAL_HSM --primarySuc True

3. Rotate the master encryption key:

   dbaascli tde rotateMasterKey --dbname <database name> --rotateMasterKeyOnAllPDBs

Note: Enter the software wallet password to rotate the key.
Migrating Back from Auto-Login HSM Wallet to Auto-Login Software Wallet

1. On the primary node, execute the following:

   dbaascli tde hsmToFile --dbname <database name> --hsmKeystoreConfigType EXTERNAL_HSM

2. On the standby node, execute the following, pointing --standbyBlobFromPrimary at the backup tar produced on the primary:

   dbaascli tde hsmToFile --dbname <database name> --primarySuc true --standbyBlobFromPrimary /var/opt/oracle/log/reg_tmp_files/<database backup>.tar
Note: The functionality of CAKM for Oracle TDE use cases has been validated on the Oracle 19c Exadata Cloud@Customer (ExaCC) user interface within the Data Guard setup.
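The following script is an added example and is not part of the Thales or Oracle documentation. It wraps the dbaascli steps above so that the primary and standby nodes always receive the correct variant of each command (the standby must carry --primarySuc, and hsmToFile on the standby must reference the primary's backup tar), and it checks the keystore state reported by dbaascli database getDetails. DBAASCLI is an assumed variable that defaults to a dry-run echo, and the two JSON samples are constructed.

```shell
#!/bin/sh
# Added example, not from the Thales/Oracle docs: a wrapper around the dbaascli
# steps on this page that (1) picks the primary/standby variant of each command
# by role and (2) checks the keystore state reported by 'dbaascli database
# getDetails'. DBAASCLI is an assumed variable; it defaults to a dry-run 'echo'
# so the script can be exercised offline.
DBAASCLI="${DBAASCLI:-echo dbaascli}"

# Software wallet -> HSM wallet. The standby run must carry --primarySuc True,
# which tells dbaascli the primary has already completed the migration.
run_file_to_hsm() {
  db="$1"; role="$2"
  case "$role" in
    primary) $DBAASCLI tde FileToHSM --dbname "$db" --hsmKeystoreConfigType EXTERNAL_HSM ;;
    standby) $DBAASCLI tde FileToHSM --dbname "$db" --hsmKeystoreConfigType EXTERNAL_HSM --primarySuc True ;;
    *) echo "role must be primary or standby, got '$role'" >&2; return 2 ;;
  esac
}

# HSM wallet -> software wallet. The standby additionally needs the backup tar
# produced on the primary (--standbyBlobFromPrimary), so refuse to run without it.
run_hsm_to_file() {
  db="$1"; role="$2"; blob="$3"
  case "$role" in
    primary) $DBAASCLI tde hsmToFile --dbname "$db" --hsmKeystoreConfigType EXTERNAL_HSM ;;
    standby) [ -n "$blob" ] || { echo "standby requires the primary's backup tar" >&2; return 2; }
             $DBAASCLI tde hsmToFile --dbname "$db" --primarySuc true --standbyBlobFromPrimary "$blob" ;;
    *) echo "role must be primary or standby, got '$role'" >&2; return 2 ;;
  esac
}

# Check getDetails output: keystore type EXTERNAL_HSM, walletRootEnabled true,
# and a non-null master key id (null means no key has been created/rotated yet).
# Plain sed so it works on a DB host without jq; JSON may be single- or multi-line.
verify_hsm_details() {
  json="$1"
  ktype=$(printf '%s\n' "$json" | sed -n 's/.*"tdeKeystoreType" *: *"\([^"]*\)".*/\1/p')
  root=$(printf '%s\n' "$json" | sed -n 's/.*"walletRootEnabled" *: *\([a-z]*\).*/\1/p')
  keyid=$(printf '%s\n' "$json" | sed -n 's/.*"tdeMasterKeyId" *: *"\([^"]*\)".*/\1/p')
  [ "$ktype" = "EXTERNAL_HSM" ] || { echo "tdeKeystoreType is '$ktype', expected EXTERNAL_HSM" >&2; return 1; }
  [ "$root" = "true" ] || { echo "walletRootEnabled is '$root', expected true" >&2; return 1; }
  [ -n "$keyid" ] || { echo "tdeMasterKeyId is null: run rotateMasterKey" >&2; return 1; }
  echo "TDE keystore is EXTERNAL_HSM, master key id $keyid"
}

# Constructed sample getDetails output (same shape as on this page; values and the FILE type are made up).
HSM_OK='{ "tdeDetails" : { "tdeKeystoreType" : "EXTERNAL_HSM", "keyVersionOcid" : null, "tdeMasterKeyId" : "EXAMPLE-KEY-ID", "walletRootEnabled" : true, "walletLocation" : "/path/to/wallet" } }'
STILL_FILE='{ "tdeDetails" : { "tdeKeystoreType" : "FILE", "keyVersionOcid" : null, "tdeMasterKeyId" : null, "walletRootEnabled" : true, "walletLocation" : "/path/to/wallet" } }'
```

On a real host, set DBAASCLI=dbaascli and pass the output of dbaascli database getDetails to verify_hsm_details after each migration step; a non-zero exit means the migration or key rotation did not complete.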