Configure Existing HSM Wallet with PDB

Perform the following steps to migrate your existing HSM wallet configured using VKM to CAKM for Oracle TDE.

Start the database and open the pluggable database (PDB) in read-write mode using the follwoing commands.

sqlplus / as sysdba
STARTUP;
COLUMN WRL_PARAMETER FORMAT A50;
SET LINES 200;
ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

Output:

WRL_TYPE	WRL_PARAMETER	WALLET_TYPE	STATUS
HSM		UNKNOWN	CLOSED

Open the hardware keystore.
```
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<domain::cm_user:cm_user_password>" CONTAINER=ALL;
```
Note
In the command above, <domain::cm_user:cm_user_password> represents the domain, NAE user name, and its password. The domain, NAE user name, and password are case-sensitive. They must appear in double-quotes (" ") separated by a colon (:).
The NAE user specified here is the owner of the encryption key created and stored on the CipherTrust Manager.
You can view the generated master encryption key on the CipherTrust Manager GUI.
Check the wallet status by executing the following query. It should be in open state.
```
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
```
Output:
WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
HSM HSM OPEN
(This step is applicable for Oracle RAC.) Repeat the steps 1 and 2 on all the other node(s).

WRL_TYPE	WRL_PARAMETER	WALLET_TYPE	STATUS
HSM		HSM	OPEN

This completes the migration of your keystore from VKM to CAKM for Oracle TDE.

Configure Existing HSM Wallet with PDB

On this page

Suggest A Change