Oracle Transparent Data Encryption (TDE)

Installing and Configuring SafeNet ProtectApp PKCS#11 library

This chapter explains how to configure SafeNet ProtectApp PKCS#11 library with Oracle TDE on Linux/Unix/AIX/Solaris and on Windows.

Configuring SafeNet ProtectApp PKCS#11 on Linux/Unix/AIX/Solaris

To configure SafeNet ProtectApp PKCS#11 library on Linux/Unix/AIX/Solaris, you need to perform the following steps:

Installing SafeNet ProtectApp PKCS#11 Library

  1. Download SafeNet ProtectApp PKCS#11 library from the Thales customer support site (https://supportportal.thalesgroup.com).

  2. Log on to the client as an Oracle user.

  3. Extract the file using any standard archive utility. For example, execute the following command:

    tar -xzf <source_directory/tar_file_name> -C <destination_directory>
    
  4. Create a /opt/oracle/extapi/<ARCH>/hsm/safenet/<VERSION> directory. The Oracle user must have read and execute permissions on /opt/.

    <ARCH> is the system architecture (either 32 or 64), and <VERSION> is the software version number.

    From this point onward, in this document, <ARCH> is used as 64 and <VERSION> as 8.9.0. If the system architecture and version are different, adjust these values accordingly.

  5. Copy the library file libIngPKCS11.so-<PROVIDER_VERSION> from the extracted Ingrian_pkcs11-<PROVIDER_VERSION>/lib directory to the /opt/oracle/extapi/64/hsm/safenet/<PROVIDER_VERSION> directory. For example: $ cp libIngPKCS11.so-<PROVIDER_VERSION> /opt/oracle/extapi/64/hsm/safenet/<PROVIDER_VERSION>.

    The receiving directory is a fixed location. Oracle searches for this directory. It cannot be changed. Changing the directory name results in a "cannot find PKCS11 library" error.

  6. Copy the IngrianNAE.properties file from the extracted Ingrian_pkcs11-<PROVIDER_VERSION> directory to the /opt/oracle/extapi/64/hsm/safenet/<PROVIDER_VERSION> directory.

    For example:

    $ cp IngrianNAE.properties /opt/oracle/extapi/64/hsm/safenet/<PROVIDER_VERSION>

  7. Rename libIngPKCS11.so-<PROVIDER_VERSION> as libIngPKCS11.so. For example: $ mv libIngPKCS11.so-<PROVIDER_VERSION> libIngPKCS11.so.

Configuring SafeNet ProtectApp PKCS#11 Library to Connect with CipherTrust Manager

To configure SafeNet ProtectApp PKCS#11 library to connect with CipherTrust Manager:

  1. Enter the following values in the IngrianNAE.properties file (placed at /opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>).

    • NAE_IP: IP address of the CipherTrust Manager.

    • NAE_Port: 9000 (default value)

    • Protocol: TCP/SSL.

      • If you want to use the SSL protocol, you need to configure SSL using the steps mentioned in the Setting up SSL/TLS section.
      • Create Oracle TDE authentication credentials using the steps mentioned in the Creating Oracle TDE Authentication Credentials section.

    • Log_Level: MEDIUM (default value, can be set to HIGH for troubleshooting)

    • Log_File: Full path and file name. The Oracle user must have write permissions on this path and file. A public location such as /tmp is recommended.

  2. Add or update the environment variables for the Oracle user.

    The following step applies to all operating systems except AIX and Solaris.

    Make sure that the following environment variables are exported so that they are inherited by new Oracle server processes. Edit the shell profile. In many shells, the file is called .profile and is located in the home directory of the Oracle user.

    export SFNT_HSMAPI_BASE=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>
    export NAE_Properties_Conf_Filename=$SFNT_HSMAPI_BASE/IngrianNAE.properties
    export IngrianNAE_Properties_Conf_Slot_ID_Max=100
    export IngrianNAE_Properties_Conf_SessionID_Max=100
    

    The following step applies to AIX and Solaris.

    Add environment variables.

    AIX: Add the environment variable, LIBPATH, as follows:

    export SFNT_HSMAPI_BASE=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>
    export NAE_Properties_Conf_Filename=$SFNT_HSMAPI_BASE/IngrianNAE.properties
    export IngrianNAE_Properties_Conf_Slot_ID_Max=100
    export IngrianNAE_Properties_Conf_SessionID_Max=100
    export LIBPATH=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>:/home/oracle/Ingrian_pkcs11-<PROVIDER_VERSION>/samplelibs
    

    Solaris: Add the environment variable, LD_LIBRARY_PATH, as follows:

    export SFNT_HSMAPI_BASE=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>
    export NAE_Properties_Conf_Filename=$SFNT_HSMAPI_BASE/IngrianNAE.properties
    export IngrianNAE_Properties_Conf_Slot_ID_Max=100
    export IngrianNAE_Properties_Conf_SessionID_Max=100
    export LD_LIBRARY_PATH=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>:/home/oracle/Ingrian_pkcs11-<PROVIDER_VERSION>/samplelibs
    

    Here, samplelibs is provided in SafeNet ProtectApp PKCS#11 TDE package.

    Based on your system configuration, source any of the profiles (.profile and .bash_profile) after adding/updating the environment variable.

    The following step applies to all RAC setups.

    For RAC, the following environment variables are also set for the database using the srvctl setenv commands.

    srvctl setenv database -d <db_name> -env "NAE_Properties_Conf_Filename=/opt/oracle/extapi/<ARCH>/hsm/safenet/<PROVIDER_VERSION>/IngrianNAE.properties"
    srvctl setenv database -d <db_name> -env "IngrianNAE_Properties_Conf_SessionID_Max=100"
    srvctl setenv database -d <db_name> -env "IngrianNAE_Properties_Conf_Slot_ID_Max=100"
    srvctl setenv database -d <db_name> -env "ORACLE_UNQNAME=ORCL"
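
The Linux/Unix installation and configuration steps above can be checked in one pass before Oracle is pointed at the library. The script below is an added example, not part of the Thales documentation: it verifies the fixed library path, the file permissions, the mandatory properties, and the exported configuration path. The function names, the key=value file format, the optional numeric key suffix and the sample values are assumptions.

```shell
# Added example: preflight check for the Linux/Unix layout described above.
# Assumptions: IngrianNAE.properties holds key=value lines (an optional numeric
# suffix such as NAE_IP.1 is accepted); the script is run as the Oracle user.

# prop FILE KEY: print the value of KEY, or nothing if it is absent or commented out.
prop() {
    sed -n "s/^[[:space:]]*$2\(\.[0-9]*\)*[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_tde_pkcs11 BASE_DIR: print one line per finding; succeed only if none.
check_tde_pkcs11() {
    base=$1; lib=$base/libIngPKCS11.so; conf=$base/IngrianNAE.properties; n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }

    # Oracle looks for the library only in this fixed directory (steps 4 to 7).
    [ -f "$lib" ] || finding "missing $lib"
    [ -f "$conf" ] || { finding "missing $conf"; return 1; }

    # The library runs inside Oracle server processes and the properties file
    # names the key manager, so neither may be writable by group or others.
    for f in "$lib" "$conf"; do
        [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] ||
            finding "$f is group- or world-writable"
    done

    for k in NAE_IP NAE_Port Protocol Log_Level Log_File; do
        [ -n "$(prop "$conf" "$k")" ] || finding "$k is not set in $conf"
    done
    case $(prop "$conf" Protocol | tr '[:upper:]' '[:lower:]') in
        tcp) finding "Protocol=tcp: traffic to CipherTrust Manager is not encrypted" ;;
    esac
    [ "$(prop "$conf" Log_Level)" != HIGH ] ||
        finding "Log_Level=HIGH is for troubleshooting; the default is MEDIUM"

    # The log file (or its directory, before first use) must be writable.
    logf=$(prop "$conf" Log_File); [ -e "$logf" ] || logf=$(dirname "$logf")
    [ -w "$logf" ] || finding "log location $logf is not writable by $(id -un)"
    [ "${NAE_Properties_Conf_Filename:-}" = "$conf" ] ||
        finding "NAE_Properties_Conf_Filename does not point to $conf"
    [ "$n" -eq 0 ]
}

# Constructed sample layout, so the check can be tried away from a database host.
demo=$(mktemp -d); touch "$demo/libIngPKCS11.so"
printf '%s\n' 'NAE_IP=192.0.2.10' 'NAE_Port=9000' 'Protocol=tcp' 'Log_Level=HIGH' \
    "Log_File=$demo/pkcs11.log" > "$demo/IngrianNAE.properties"
chmod 644 "$demo"/*; NAE_Properties_Conf_Filename=$demo/IngrianNAE.properties
check_tde_pkcs11 "$demo" || echo "resolve the findings above before enabling TDE"
rm -rf "$demo"
```

On a real host, call `check_tde_pkcs11 "$SFNT_HSMAPI_BASE"` as the Oracle user after sourcing the profile.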
    

Configuring SafeNet ProtectApp PKCS#11 on Windows

To configure SafeNet ProtectApp PKCS#11 library on Windows, you need to perform the following steps:

Installing SafeNet ProtectApp PKCS#11 Library

To install SafeNet ProtectApp PKCS#11 library:

  1. Download SafeNet ProtectApp PKCS#11 library from the Thales customer support site (https://supportportal.gemalto.com).

  2. Unzip the file using any standard archive utility.

  3. Double-click the executable file to open the installation wizard.

  4. Walk through the wizard to complete the installation. This creates a SafeNet ProtectApp PKCS#11 directory at C:\Program Files\Ingrian\ location.

  5. Create a %SYSTEM_DRIVE%\oracle\extapi\<ARCH>\hsm\safenet\<VERSION> directory.

    Here, %SYSTEM_DRIVE% is a drive on the database server (for example, C: or D:), <ARCH> is the system architecture (either 32 or 64), and <PROVIDER_VERSION> is the provider version number.

  6. Copy the ingPKCS11.dll file from C:\Program Files\Ingrian\PKCS11 to %SYSTEM_DRIVE%\oracle\extapi\64\hsm\safenet\<PROVIDER_VERSION>.

  7. Copy the IngrianNAE.properties file from C:\Program Files\Ingrian\PKCS11 to %SYSTEM_DRIVE%\oracle\extapi\64\hsm\safenet\<PROVIDER_VERSION>.

  8. Update the location of the IngrianNAE.properties file in the registry. Set the value of HKEY_LOCAL_MACHINE\SOFTWARE\Ingrian\NAE_Properties_Config\ConfigFileName to %SYSTEM_DRIVE%\oracle\extapi\64\hsm\safenet\<PROVIDER_VERSION>\IngrianNAE.properties.

Configuring SafeNet ProtectApp PKCS#11 Library to Connect with CipherTrust Manager

To configure SafeNet ProtectApp PKCS#11 library to connect with CipherTrust Manager, enter the following values in the %SYSTEM_DRIVE%\oracle\extapi\<ARCH>\hsm\safenet\<PROVIDER_VERSION>\IngrianNAE.properties file:

  • NAE_IP: IP address of the CipherTrust Manager.

  • NAE_Port: 9000 (This is the default value).

  • Protocol: TCP/SSL

    • If you want to use the SSL protocol, you need to configure SSL using the steps mentioned in the Setting up SSL/TLS section.
    • Create Oracle TDE authentication credentials using the steps mentioned in the Creating Oracle TDE Authentication Credentials section.

  • Log_Level: MEDIUM (This is the default value, but can be set to HIGH for troubleshooting).

  • Log_File: Full path and file name. The Oracle user must have write permissions on this path and file.

Apart from the above mentioned mandatory parameters, you can further configure the SafeNet ProtectApp PKCS#11 Library to meet the needs of your environment. For more details, refer to the Configuring the Properties File section.

If you want to secure the credentials, refer to the Securing Credentials section.