Update/Change HSM Keystore
This section describes how to update or change the HSM keystore for a Manual HSM wallet and for an AutoLogin HSM wallet.
For Manual HSM wallet
Perform the following steps to update/change the HSM keystore for a Manual HSM wallet:
- Open the Manual HSM wallet using the following command:
  ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "domain::cm_user:cm_user_password";
For AutoLogin HSM Wallet
Perform the following steps to update/change the HSM keystore for an AutoLogin HSM wallet:
- Rename or move the cwallet.sso file.
- Restart the database, then check the status of the existing wallet in the Oracle database by executing the following commands:
  sqlplus / as sysdba
  SHUTDOWN IMMEDIATE;
  STARTUP;
  COLUMN WRL_PARAMETER FORMAT A50;
  SET LINES 200;
  SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
- Reset the TDE_CONFIGURATION parameter:
  ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
- Open the software wallet:
  ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
- Add a secret for the HSM. You can do this in one of two ways:
  - Delete the previously set secret and add a new secret for CAKM for Oracle TDE:
    ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
  - Update the previously set secret with the secret for CAKM for Oracle TDE:
    ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
- Create a new auto-login keystore using the password of the Oracle software wallet:
  ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
- Reset the TDE_CONFIGURATION parameter and restart the database:
  ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
  SHUTDOWN IMMEDIATE;
  STARTUP;
- (This step is applicable to Oracle RAC only.) After running the above steps on the source node, run the following steps on all destination nodes:
  - Rename the existing cwallet.sso file.
  - Copy the cwallet.sso file from the source node to the same location on the destination node in the cluster.
  - Restart the database on the destination node.
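The following is an added example, not part of the original page or of CAKM for Oracle TDE itself: a POSIX shell helper that assembles the secret-update SQL for the AutoLogin procedure from variables (so the HSM credential is not typed into an interactive sqlplus history) and checks the V$ENCRYPTION_WALLET listing that the procedure tells you to query. The argument order and the sample listing are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the caller passes the
# HSM secret in the page's domain::cm_user:cm_user_password form as $1 and the
# software keystore password as $2; both names are hypothetical.

# Emit the SQL for the UPDATE SECRET variant of the procedure, the auto-login
# keystore rebuild and the final TDE_CONFIGURATION reset. Feed the result to
# sqlplus via a file with restrictive permissions rather than echoing it.
build_update_sql() {
  cat <<EOF
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "$2";
ADMINISTER KEY MANAGEMENT UPDATE SECRET '$1' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "$2" WITH BACKUP;
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "$2";
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
EOF
}

# Read a V$ENCRYPTION_WALLET listing (WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS,
# one row per line) from stdin. Return 0 only when an HSM row exists and its
# STATUS column (the last field) is OPEN; header lines and FILE rows are skipped.
hsm_wallet_open() {
  awk 'toupper($1) == "HSM" { found = 1; if ($NF != "OPEN") bad = 1 }
       END { if (found && !bad) exit 0; exit 1 }'
}

# Constructed sample listing, as the SELECT in the procedure might print after
# the auto-login keystore has been created and the database restarted.
SAMPLE_LISTING='WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
FILE /etc/ORACLE/WALLETS/orcl/ AUTOLOGIN OPEN_NO_MASTER_KEY
HSM HSM_HOST AUTOLOGIN OPEN'

# Stand-alone usage: verify the sample and report the outcome.
if printf '%s\n' "$SAMPLE_LISTING" | hsm_wallet_open; then
  echo "HSM wallet is OPEN"
else
  echo "HSM wallet is not OPEN; re-check the secret and TDE_CONFIGURATION" >&2
fi
```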