
Oracle Transparent Data Encryption (TDE)

Integrating TDE with CipherTrust Manager on Oracle 12c


This section covers the following topics:

Configuring HSM Wallets on Fresh Setup

After the SafeNet ProtectApp PKCS#11 library has been configured with Oracle TDE, the TDE master encryption key can be generated and stored on the HSM.

Configuring Manual HSM Wallet

Before running the following steps, ensure that the SafeNet ProtectApp PKCS#11 library is installed and that the required environment variables are exported.

On a new Oracle setup, if the sqlnet.ora file does not exist at $ORACLE_HOME/network/admin (for Linux/UNIX/AIX/Solaris) or <path where Oracle is installed>/network/admin (for Windows), create a new sqlnet.ora file and set the keystore type to hardware by adding the following line to it:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))

  1. Restart the database and grant the ADMINISTER KEY MANAGEMENT or SYSKM privilege to the desired user (<oracle_database_user>).

    sqlplus / as sysdba
    SHUTDOWN IMMEDIATE;
    STARTUP;
    GRANT ADMINISTER KEY MANAGEMENT TO <oracle_database_user>;
    COMMIT;
    
  2. Check the status of the existing wallets in the Oracle database (initially, the status is CLOSED). To verify this, run:

    COLUMN WRL_PARAMETER FORMAT A50;
    SET LINES 200;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    HSM UNKNOWN CLOSED

    In the following sample commands, <cm_user:cm_user_password> represents the NAE user name and its password. The NAE user name and password are case-sensitive; they must appear together in double quotes (" "), separated by a colon (:).
    The NAE user specified here is the owner of the encryption key created and stored on the CipherTrust Manager. The CipherTrust Manager GUI displays the generated master encryption key.

  3. Connect to the database as <oracle_database_user> and open the hardware keystore.

    connect <oracle_database_user>/<oracle_database_user_password>;
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";

  4. Set the hardware keystore TDE master encryption key.

    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";

  5. Check the wallet status by running the following query.

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    HSM HSM OPEN

For column and tablespace encryption, refer to Tasks.

Configuring Auto-login Wallet

After configuring the manual HSM wallet, you can enable auto-login, which removes the need to open the wallet manually each time the database is restarted. To enable auto-login, follow the steps below:

  1. Create the wallet directory for every database and give the oracle user access to it.

    mkdir -p <software_wallet_location>
    chown -R oracle:oinstall <software_wallet_location>

    After running the above commands, set appropriate permissions on <software_wallet_location>.

  2. Reconfigure the sqlnet.ora file. Add the keystore location and change the METHOD to FILE.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    
  3. Restart the database and create a software keystore with the hardware keystore password at the location provided in the sqlnet.ora file.

    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  4. Open the software keystore.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
    
  5. Add the secret to the software keystore. The secret is the hardware security module's password and the client is HSM_PASSWORD, an Oracle-defined client name that represents the HSM password as a secret in the software keystore.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    
  6. Enable auto-login.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  7. Update the sqlnet.ora file METHOD = FILE to METHOD = HSM.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    
  8. Restart the database and check the wallet status.

    sqlplus / as sysdba
    SHUTDOWN IMMEDIATE;
    STARTUP;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE /etc/oracle/wallets/orcl AUTOLOGIN OPEN_NO_MASTER_KEY
    HSM HSM OPEN

  9. Connect to the database as <oracle_database_user> and access the data from the column-encrypted table or the tablespace-encrypted tables.

    connect <oracle_database_user>/<oracle_database_user_password>;
    SELECT * FROM EMPLOYEES;
    SELECT * FROM CUSTOMERS;
    
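As an added verification check (example code written for this page, not Thales or Oracle tooling), the following Python parses the ENCRYPTION_WALLET_LOCATION entry from sqlnet.ora and compares it with rows from V$ENCRYPTION_WALLET, reporting whether the database is in the manual HSM state (HSM OPEN, no FILE row) or the auto-login HSM state (FILE AUTOLOGIN OPEN_NO_MASTER_KEY at the configured DIRECTORY plus HSM OPEN) described above, or flagging the mismatch. The sample entries and rows are constructed from the outputs shown in the procedure; the column placement of the initial CLOSED row is an assumption.

```python
import re

# Constructed sample inputs (not captured from a live database). They mirror the
# sqlnet.ora entries and the V$ENCRYPTION_WALLET output shown in the procedure.
SQLNET_MANUAL_HSM = "ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))"
SQLNET_AUTOLOGIN_HSM = ("ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) "
                        "(METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/orcl)))")

def wallet_row(wrl_type, wrl_parameter, wallet_type, status):
    """One V$ENCRYPTION_WALLET row, keyed by column name."""
    return {"WRL_TYPE": wrl_type, "WRL_PARAMETER": wrl_parameter,
            "WALLET_TYPE": wallet_type, "STATUS": status}

# Fresh setup before the keystore is opened (column placement assumed; only STATUS is checked).
ROWS_FRESH = [wallet_row("HSM", None, "UNKNOWN", "CLOSED")]
ROWS_MANUAL_HSM = [wallet_row("HSM", "HSM", None, "OPEN")]
ROWS_AUTOLOGIN_HSM = [
    wallet_row("FILE", "/etc/oracle/wallets/orcl", "AUTOLOGIN", "OPEN_NO_MASTER_KEY"),
    wallet_row("HSM", "HSM", None, "OPEN"),
]

def _balanced(text, start):
    """Return the parenthesised group that opens at text[start], or None."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return None

def _norm_dir(path):
    # Compare directories without a trailing slash (the view may show one).
    return None if path is None else (path.rstrip("/") or "/")

def parse_wallet_location(sqlnet_text):
    """Return {'method': ..., 'directory': ...} from ENCRYPTION_WALLET_LOCATION,
    or None when the parameter is absent or its parentheses are unbalanced."""
    m = re.search(r"ENCRYPTION_WALLET_LOCATION\s*=\s*\(", sqlnet_text, re.I)
    body = _balanced(sqlnet_text, m.end() - 1) if m else None
    if body is None:
        return None
    method = re.search(r"\(\s*METHOD\s*=\s*(\w+)\s*\)", body, re.I)
    directory = re.search(r"DIRECTORY\s*=\s*([^)\s]+)", body, re.I)
    return {"method": method.group(1).upper() if method else None,
            "directory": _norm_dir(directory.group(1)) if directory else None}

def check_tde_state(sqlnet_text, rows):
    """Compare the configured METHOD with the live wallet rows.
    Returns ('ok', <state>) or ('error', <reason>)."""
    cfg = parse_wallet_location(sqlnet_text)
    if cfg is None:
        return ("error", "ENCRYPTION_WALLET_LOCATION is not set in sqlnet.ora")
    by_type = {r["WRL_TYPE"]: r for r in rows}
    hsm, sw = by_type.get("HSM"), by_type.get("FILE")
    if cfg["method"] == "HSM":
        if hsm is None or hsm["STATUS"] != "OPEN":
            return ("error", "METHOD=HSM but the HSM wallet is not OPEN")
        if sw is None:
            return ("ok", "manual HSM wallet")
        if (sw["WALLET_TYPE"] == "AUTOLOGIN" and sw["STATUS"] == "OPEN_NO_MASTER_KEY"
                and _norm_dir(sw["WRL_PARAMETER"]) == cfg["directory"]):
            return ("ok", "auto-login HSM wallet")
        return ("error", "FILE wallet is not an auto-login wallet at the configured DIRECTORY")
    if cfg["method"] == "FILE":
        if sw is None or sw["STATUS"] != "OPEN":
            return ("error", "METHOD=FILE but the software wallet is not OPEN")
        return ("ok", "software wallet (%s)" % sw["WALLET_TYPE"])
    return ("error", "unsupported METHOD %r" % cfg["method"])
```

Feed it the real sqlnet.ora text and the rows of the SELECT above to confirm the end state of each step before moving on.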

Configuring Manual HSM Wallet with PDB

After you have created a pluggable database with the DBCA utility, complete the following prerequisite steps before configuring the HSM wallet with the PDB.

  1. Set the hardware keystore type in the sqlnet.ora file.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))
    
  2. Edit the tnsnames.ora file to add a new service for the newly created PDB. By default, the tnsnames.ora file is located at $ORACLE_HOME/network/admin (for Linux) or <path where Oracle is installed>/network/admin (for Windows), or at the location set by the TNS_ADMIN environment variable. Ensure that the TNS_ADMIN environment variable points to the directory that holds the correct sqlnet.ora file.

    For example:

    PDB2 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = pdb2)
        )
      )
    
  3. Restart the listener service.

    lsnrctl stop
    lsnrctl start
    
  4. Start the sqlplus session and alter the pluggable database.

    sqlplus / as sysdba
    ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
    ALTER SESSION SET CONTAINER=<pdb_name>;
    
  5. Grant the administrative privileges to <pdb_user>.

    GRANT ADMINISTER KEY MANAGEMENT TO <pdb_user>;
    GRANT CREATE SESSION TO <pdb_user>;
    GRANT CONNECT TO <pdb_user>;
    GRANT DBA TO <pdb_user>;
    GRANT CREATE ANY TABLE TO <pdb_user>;
    GRANT UNLIMITED TABLESPACE TO <pdb_user>;
    ALTER USER <pdb_user> PROFILE DEFAULT;
    COMMIT;
    
  6. Connect to the pluggable database as <pdb_user>.

    CONNECT <pdb_user>/<pdb_user_password>@<pluggable_database_service_name>;
    

Once the pluggable database user has been configured and granted the required permissions, you can configure the HSM wallet with the PDB. Follow the steps below:

Make sure that the keystore for the CDB (root container) is open and its master key has been generated before opening the wallet and generating the master encryption key in the PDB.

  1. Connect to the container database (CDB) first.

    connect <oracle_database_user>/<oracle_database_user_password>;
    
  2. Open the hardware keystore in the CDB database first.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
    
  3. Set the HSM master encryption key in the CDB.

    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";
    
  4. Connect to the pluggable database (PDB) and open the HSM keystore.

    CONNECT <pdb_user>/<pdb_user_password>@<pluggable_db>
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
    
  5. Set the master encryption key in PDB.

    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>";
    

For column and tablespace encryption, refer to Tasks.

Configuring Auto-login HSM Wallet with PDB

To enable auto-login with a PDB, you only need to enable auto-login in the container database. Once auto-login is enabled in the CDB, it automatically works for the PDB.

To configure auto-login in CDB, follow the below steps:

  1. Connect to CDB and close the manually configured HSM wallet.

    connect <oracle_database_user>/<oracle_database_user_password>;
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";
    
  2. Create the wallet directory for every database and give the oracle user access to it.

    mkdir -p <software_wallet_location>
    chown -R oracle:oinstall <software_wallet_location>

    After running the above commands, set appropriate permissions on <software_wallet_location>.

  3. Reconfigure the sqlnet.ora file. Add the keystore location and change the METHOD to FILE.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

  4. Create a software keystore with the hardware keystore password at the location provided in the sqlnet.ora file.

    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  5. Open the software keystore.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
    
  6. Add the secret to the software keystore. The secret is the hardware security module's password and the client is HSM_PASSWORD, an Oracle-defined client name that represents the HSM password as a secret in the software keystore.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    
  7. Enable auto-login.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  8. Update the sqlnet.ora file to use the hardware security module.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

  9. Restart the database and connect to the pluggable database.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;
    ALTER SESSION SET CONTAINER=<pdb_name>;
    CONNECT <pdb_user>/<pdb_user_password>@<pluggable_database_service_name>;
    
  10. Check the wallet status and access the data from the encrypted tablespace and tables.

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    SELECT * FROM EMPLOYEES;
    SELECT * FROM CUSTOMERS;
    

    • Whenever you restart any of the databases, you must run the ALTER PLUGGABLE DATABASE command as shown below:

      ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;

    • Do not configure HSM auto-login for the CDB until you have generated the master key for the PDB (for every PDB, if multiple PDBs use TDE). After generating the master key for all PDBs, you can configure the CDB for auto-login and it will work for all PDBs as well.
    • To plug a PDB from one CDB into another, unplug the PDB from the first container, plug it into the other container database and open the wallet in the PDB. It will then start working.

Migrating from Software Wallet to HSM Wallet

This section covers the following topics:

Migrating Manual Software Wallet to HSM Wallet

You can migrate an already configured software-based wallet to a hardware-based wallet. If you have a software wallet configured already, the content of the sqlnet.ora file and wallet information will look like the following:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

To migrate a software wallet to an HSM wallet:

  1. Check the wallet status:

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE /home/oracle/wallets/ORCL/ PASSWORD OPEN
  2. Set the password of the software keystore to the password of the hardware keystore:

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<software_keystore_password>" SET "<cm_user:cm_user_password>" WITH BACKUP [USING '<backup_identifier>'];
    
  3. Update the sqlnet.ora file to use the hardware security module.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    

    On AIX and Solaris systems, it is recommended to restart the database whenever you change the sqlnet.ora file.

  4. Run the command to migrate the key from the software wallet to the HSM wallet.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" WITH BACKUP USING 'migration_backup';
    
  5. Restart the database and open the keystore.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    connect <oracle_database_user>/<oracle_database_user_password>;
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<cm_user:cm_user_password>";
    

A key is now created on CipherTrust Manager. To verify the migration, fetch data from the encrypted column or encrypted tablespace.

Migrating Manual Software Wallet to Auto-login HSM Wallet

You can migrate an already configured software-based wallet to an auto-login HSM wallet. If you have a software wallet configured already, the sqlnet.ora file and wallet information look like the following:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

  1. Check the wallet status:

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE /home/oracle/wallets/ORCL/ PASSWORD OPEN
  2. Add the HSM secret as a client in the following format. The password is the same password set up for the local software wallet.

    You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command fails otherwise.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    

    The secret is the hardware security module password and the client is the HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that is used to represent the HSM password as a secret in the software keystore.

  3. Create a new auto-login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  4. Restart the database and check the wallet status.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    
  5. In the sqlnet.ora file, change METHOD=FILE to METHOD=HSM.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    
  6. Restart the database and check the wallet status.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    
  7. Migrate the Oracle auto-login local file wallet to the auto-login HSM wallet. With the current auto-login setup, the FORCE KEYSTORE clause is required, as shown below:

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
    
  8. Access the data from the encrypted tablespace and tables.

    connect <oracle_database_user>/<oracle_database_user_password>;
    SELECT * FROM EMPLOYEES;
    SELECT * FROM CUSTOMERS;
    

Migrating Auto-login Software Wallet to Auto-login HSM Wallet

You can migrate an auto-login software-based wallet directly to an auto-login HSM wallet. If you have a software wallet configured already, the sqlnet.ora file and wallet information look like the following:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

To migrate from an auto-login software wallet to an auto-login HSM wallet:

  1. Check the wallet status:

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE /home/oracle/wallets/ORCL/ AUTOLOGIN OPEN
  2. Rename or move the cwallet.sso file from the location shown above to another location.

  3. Restart the database and open the software keystore.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
    
  4. Add the HSM secret as a client in the following format. The password is the same password set up for the local software wallet.

    You must enclose <cm_user:cm_user_password> and HSM_PASSWORD in single quotes; the command fails otherwise.

    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    

    The secret is the hardware security module password and the client is the HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that is used to represent the HSM password as a secret in the software keystore.

  5. Create a new auto-login keystore using the password of the Oracle software wallet.

    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<software_wallet_location>' IDENTIFIED BY "<software_keystore_password>";
    
  6. Restart the database and check the wallet status.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    
  7. In the sqlnet.ora file, change METHOD=FILE to METHOD=HSM.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    
  8. Restart the database.

    SHUTDOWN IMMEDIATE;
    STARTUP;
    
  9. Migrate the Oracle auto-login local file wallet to the auto-login HSM wallet. With the current auto-login setup, the FORCE KEYSTORE clause is required, as shown below:

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
    
  10. Access the data from the encrypted tablespace and tables.

    connect <oracle_database_user>/<oracle_database_user_password>;
    SELECT * FROM EMPLOYEES;   -- column encryption
    SELECT * FROM CUSTOMERS;   -- tablespace encryption
    

Migrating Software Wallet to HSM Wallet in PDB

If you are using a PDB with a software wallet, you can migrate it to a hardware-based HSM wallet. Your sqlnet.ora file looks like the following:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

To migrate a software wallet to an HSM wallet in PDB:

  1. Check the status of the CDB and PDB wallets:

    CDB

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE /home/oracle/wallets/ORCL/ PASSWORD OPEN

    PDB

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE PASSWORD OPEN
  2. Perform the migration to HSM. First, change the wallet password to the HSM password:

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<software_keystore_password>" SET "<cm_user:cm_user_password>" WITH BACKUP [USING '<backup_identifier>'];
    
  3. Change the METHOD to HSM in the sqlnet.ora file and then perform the migration.

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))
    
  4. Set the encryption key.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" [WITH BACKUP [USING '<backup_identifier>']];
    
  5. Check the wallet status.

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    
  6. Restart the database, log in to the CDB and open the wallet.

    After restarting any of the databases, you must run the ALTER PLUGGABLE DATABASE command as shown below:

    ALTER PLUGGABLE DATABASE <pdb_name>/<ALL> OPEN READ WRITE;

  7. Log on to the pluggable database and open the wallet. The HSM wallet opens and data can be retrieved from the encrypted tables.

Migrating Back from HSM Wallet to Software Wallet

If you want to switch from a hardware keystore back to a software keystore, use reverse migration of the keystore.

• It is recommended to keep the HSM, because earlier backup files may rely on TDE master encryption keys that are present in the HSM.
• To migrate back from an auto-login HSM wallet, first remove the auto-login feature by renaming the .sso file, then follow the steps below.

  1. Configure the sqlnet.ora file for reverse migration by setting the following:

    ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <software_wallet_location>)))

    Replace <software_wallet_location> with the directory of the destination keystore.

    Do not restart the machine or open a new SQL session at/after this point.

  2. Log on to the database as <oracle_database_user> who has the ADMINISTER KEY MANAGEMENT or SYSKM privilege.

    sqlplus / as sysdba
    GRANT ADMINISTER KEY MANAGEMENT TO system;
    COMMIT;
    connect <oracle_database_user>/<oracle_database_user_password>;
    
  3. Run the reverse migration command.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" REVERSE MIGRATE USING "<cm_user:cm_user_password>" [WITH BACKUP [USING '<backup_identifier>']];
    
  4. (Optional) Change the file wallet password to remove the CipherTrust Manager user and its password.

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<cm_user:cm_user_password>" SET "<software_keystore_password>" WITH BACKUP [USING '<backup_identifier>'];
    

After you complete the reverse migration, you do not need to restart the database or manually reopen the software keystore: the migration process automatically reloads the keystore keys in memory. The hardware keystore may still be required after reverse migration, because the old keys are likely to have been used for encrypted backups or by tools such as Oracle Data Pump and Oracle Recovery Manager. You should therefore cache the hardware keystore credentials in the software keystore so that the HSM can still be opened with it.