Configure Existing Auto-login HSM Wallet Migrated from Auto-login Software Wallet with PDB
Perform the following steps to migrate an existing auto-login HSM wallet, which was earlier migrated from an auto-login software wallet using VKM, to CAKM for Oracle TDE.
Rename or move the existing cwallet.sso file. Keep the renamed copy until the final verification step succeeds so that it can be restored if the migration fails. Start the database, open the PDBs, and check the status of the existing wallet in the Oracle database. Execute the following commands.
sqlplus / as sysdba
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
Verify whether you can open the hardware keystore using the MEK restored from DSM to the CipherTrust Manager.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<domain::cm_user:cm_user_password>" CONTAINER=ALL;
Close the hardware keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<domain::cm_user:cm_user_password>" CONTAINER=ALL;
Reset the TDE_CONFIGURATION parameter so that the software keystore (FILE) becomes the primary keystore, then restart the database.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;
Open the software keystore using the software keystore password.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=ALL;
Add the HSM secret (the CipherTrust Manager credential) to the software keystore. You can do this in either of two ways.
Option 1: Delete the secret previously set for VKM and add a new secret for CAKM for Oracle TDE.
ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
Option 2: Update the secret previously set for VKM with the secret for CAKM for Oracle TDE.
ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
Create a new auto-login keystore (a new cwallet.sso containing the updated secret) from the software keystore using the software keystore password, then make HSM the primary keystore again. Execute the following commands.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
Open the pluggable database (PDB) in Read-Write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
Verify that data in an encrypted tablespace can be read without a keystore password being supplied (CUSTOMERS is the example encrypted table used here).
SELECT * FROM CUSTOMERS;
(This step is applicable to Oracle RAC.) After running the above steps on the source node, perform the following steps on every destination node in the cluster.
Rename the existing cwallet.sso file on the destination node.
Copy the new cwallet.sso file from the source node to the same location on the destination node.
Restart the database on the destination node.
Open the pluggable database (PDB) in Read-Write mode.
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
This completes the migration of your keystore from VKM to CAKM for Oracle TDE.
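The single-instance sequence above (the steps before the RAC-specific ones), collected into one SQL*Plus script with a V$ENCRYPTION_WALLET state check after each keystore operation, as an added example. This is not code from the original page or from the CAKM product; it uses Option 1 (delete and add) for the secret, assumes the PDBs are reopened after each restart, and the angle-bracket placeholders, the schema name and the CUSTOMERS table are assumptions to replace with your own values. Run it as SYSDBA after renaming cwallet.sso, and stop at the first check that does not show the expected status.

```sql
-- Added example (not from the original page or the CAKM product): the
-- single-instance VKM -> CAKM migration as one SQL*Plus script with a state
-- check after each step. Placeholders in <angle brackets>, the schema name
-- and the CUSTOMERS table are assumptions; replace them before running.
-- Usage (after renaming cwallet.sso): sqlplus / as sysdba @migrate_vkm_to_cakm.sql
SET ECHO ON
SET LINESIZE 200
COLUMN wrl_type     FORMAT A8
COLUMN wallet_type  FORMAT A16
COLUMN wallet_order FORMAT A12
COLUMN status       FORMAT A20

STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

-- Baseline: with cwallet.sso renamed, the HSM keystore should be CLOSED
-- (not OPEN via AUTOLOGIN) in every container.
SELECT con_id, wrl_type, wallet_type, wallet_order, status
  FROM v$encryption_wallet
 ORDER BY con_id, wrl_type;

-- Step 1: prove the HSM keystore opens with the CipherTrust Manager
-- credential, i.e. the MEK restored from DSM is usable. Expect STATUS = OPEN.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<domain::cm_user:cm_user_password>" CONTAINER=ALL;
SELECT con_id, wrl_type, status
  FROM v$encryption_wallet
 WHERE wrl_type = 'HSM';

-- Step 2: close it again before editing the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "<domain::cm_user:cm_user_password>" CONTAINER=ALL;

-- Step 3: make the software keystore primary so its password keystore can be
-- opened and its secrets edited; the change needs a restart.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" SCOPE=BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<software_keystore_password>" CONTAINER=ALL;
-- Expect the FILE keystore to be PRIMARY and OPEN.
SELECT con_id, wrl_type, wallet_order, status
  FROM v$encryption_wallet
 WHERE wrl_type = 'FILE';

-- Step 4 (Option 1): replace the VKM secret with the CAKM credential.
ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD'
  IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>'
  FOR CLIENT 'HSM_PASSWORD'
  IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
-- Expect exactly one HSM_PASSWORD client secret per container.
SELECT * FROM v$client_secrets;

-- Step 5: regenerate cwallet.sso from the updated password keystore and put
-- the HSM keystore back as primary.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
  IDENTIFIED BY "<software_keystore_password>";
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

-- Step 6: final check. The HSM keystore must be PRIMARY and OPEN in every
-- container without any SET KEYSTORE OPEN having been issued in this session,
-- which proves the auto-login wallet now carries the CAKM credential.
SELECT con_id, wrl_type, wallet_type, wallet_order, status
  FROM v$encryption_wallet
 ORDER BY con_id, wrl_type;

-- Read from the encrypted tablespace in the PDB that owns it (assumed
-- schema/table); an ORA-28365 here means the keystore is not actually open.
ALTER SESSION SET CONTAINER = <pdb_name>;
SELECT COUNT(*) FROM <schema>.CUSTOMERS;
```

The value of the intermediate checks is that each keystore operation changes the STATUS or WALLET_ORDER column of V$ENCRYPTION_WALLET in a predictable way; a step that succeeds syntactically but leaves the column unchanged (for example the HSM keystore reporting CLOSED after step 1) is the signal to stop and investigate before the old cwallet.sso is overwritten in step 5.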