Configure Existing Auto-login HSM Wallet Migrated from Auto-login Software Wallet
Perform the following steps to migrate an existing auto-login HSM wallet, which was earlier migrated from an auto-login software wallet using VKM, to CAKM for Oracle TDE.

1. Rename or move the cwallet.sso file.

2. Start the database and check the status of the existing wallet in the Oracle database. Execute the following commands:

   sqlplus / as sysdba
   STARTUP;
   COLUMN WRL_PARAMETER FORMAT A50;
   SET LINES 200;
   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

3. Verify that you can open the hardware keystore using the MEK restored from DSM to the CipherTrust Manager.

   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<domain::cm_user:cm_user_password>";

4. Check the wallet status by executing the following query. The HSM wallet should be in the OPEN state.

   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

   Output:

   WRL_TYPE   WRL_PARAMETER   WALLET_TYPE   STATUS
   FILE                       UNKNOWN       CLOSED
   HSM                        HSM           OPEN

5. Close the HSM wallet.

   ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<domain::cm_user:cm_user_password>";

6. Reset the TDE_CONFIGURATION parameter.

   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" scope=both;

7. Open the software wallet.

   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";

8. Add a secret for the HSM. You can do this in either of the following two ways:

   - Delete the secret previously set for VKM and add a new secret for CAKM for Oracle TDE.

     ADMINISTER KEY MANAGEMENT DELETE SECRET FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
     ADMINISTER KEY MANAGEMENT ADD SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

   - Update the secret previously set for VKM with the secret for CAKM for Oracle TDE.

     ADMINISTER KEY MANAGEMENT UPDATE SECRET '<domain::cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

9. Create a new auto-login keystore using the password of the Oracle software wallet.

   ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";

10. Reset the TDE_CONFIGURATION parameter and restart the database.

    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=both;
    SHUTDOWN IMMEDIATE;
    STARTUP;

11. Access the data from the encrypted tablespace.

    SELECT * FROM CUSTOMERS;

12. (This step is optional.) Generate a new MEK with CAKM for Oracle TDE, or continue to use the MEK that was backed up from DSM and restored on CipherTrust Manager.

    ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<domain::cm_user:cm_user_password>";

13. (This step applies to Oracle RAC only.) After running the above steps on the source node, run the following steps on all destination nodes:

    a. Rename the existing cwallet.sso file.
    b. Copy the cwallet.sso file from the source node to the destination node in the cluster, at the same location.
    c. Restart the database on the destination node.

This completes the migration of your keystore from VKM to CAKM for Oracle TDE.
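The RAC wallet copy described in the last step, as an added shell example that is not part of the Thales or Oracle documentation: it renames the destination node's existing cwallet.sso to a timestamped backup (never overwriting it) before installing the copy received from the source node, verifies the copy byte for byte, and refuses a missing or empty source file. The WALLET_DIR and SOURCE_FILE arguments and the chmod 600 hardening are assumptions; transferring the file between nodes and restarting the database remain manual steps.

```shell
#!/bin/sh
# Added example, not Thales/Oracle code. Installs a cwallet.sso copied from
# the RAC source node into the destination node's wallet directory.
# Arguments (assumed names):
#   WALLET_DIR   directory that holds cwallet.sso on this node
#   SOURCE_FILE  staged copy of the source node's cwallet.sso

stage_autologin_wallet() {
    wallet_dir=$1
    source_file=$2
    target="$wallet_dir/cwallet.sso"

    # Refuse to install a missing or zero-byte wallet file.
    if [ ! -s "$source_file" ]; then
        echo "source wallet '$source_file' is missing or empty" >&2
        return 1
    fi
    if [ ! -d "$wallet_dir" ]; then
        echo "wallet directory '$wallet_dir' does not exist" >&2
        return 1
    fi

    # Rename (never overwrite) the existing auto-login wallet so it can be restored.
    if [ -f "$target" ]; then
        backup="$target.bak.$(date +%Y%m%d%H%M%S)"
        mv "$target" "$backup" || return 1
        echo "renamed existing wallet to $backup"
    fi

    # Install the copy and verify it matches the staged source byte for byte.
    cp "$source_file" "$target" || return 1
    cmp -s "$source_file" "$target" || { echo "copy verification failed" >&2; return 1; }
    # Assumption: the wallet should be readable only by the database owner.
    chmod 600 "$target"
    echo "installed $target"
}
```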