# Integrating TDE with CipherTrust Manager on Oracle 19c Exadata

This section outlines the following steps to integrate TDE with the CipherTrust Manager on Oracle 19c Exadata:

## Migrating from Software Wallet to HSM Wallet

### Migrating Auto-Login Software Wallet to Auto-Login HSM Wallet
You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If a software wallet is already configured, the spfile and the wallet information have the following structure:

```
WALLET_ROOT=<software_wallet_location>
```

Output:

| WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
|---|---|---|---|
| FILE | <software_wallet_location> | AUTOLOGIN | OPEN |

1. Rename or move the `cwallet.sso` file from the location specified above to any other location.

2. Restart the database and open the software keystore.

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
   ```

3. Add the secret to the software keystore. This secret is the HSM's password and the client is `HSM_PASSWORD`. `HSM_PASSWORD` is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.

   You must enclose `<cm_user:cm_user_password>` and `HSM_PASSWORD` in single quotes; the command fails otherwise.

   ```sql
   ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
   ```

4. Create a new Auto-Login keystore using the password of the Oracle software wallet.

   ```sql
   ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
   ```

5. Restart the database and check the wallet status.

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
   ```

6. Set the `TDE_CONFIGURATION` parameter.

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;
   ```

7. Migrate the Auto-Login software wallet to an Auto-Login HSM wallet.

   ```sql
   CONNECT <oracle_db_user>/<oracle_db_user_password>;
   ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" FORCE KEYSTORE MIGRATE USING "<software_keystore_password>";
   ```

8. Create a new MEK on CipherTrust Manager.

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<cm_user:cm_user_password>";
   ```

9. Access the data from the encrypted tablespace and tables.

   ```sql
   SELECT * FROM EMPLOYEES;
   SELECT * FROM CUSTOMERS;
   ```

When using Oracle RAC, after following the above steps copy the `cwallet.sso` file from the configured node to all the other node(s) at the same location. After copying `cwallet.sso` to the other node(s), restart the database.
### Migrating Auto-Login File Wallet with United PDB to Auto-Login HSM Wallet with United PDB

You can directly migrate a software-based Auto-Login enabled wallet to an Auto-Login enabled HSM wallet. If a software wallet is already configured, the spfile and the wallet information have the following structure:

```
WALLET_ROOT=<software_wallet_location>
```

Output:

| WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
|---|---|---|---|
| FILE | <software_wallet_location> | AUTOLOGIN | OPEN |

1. Rename or move the `cwallet.sso` file from the location specified above to any other location.

2. Restart the database and open the software keystore.

   ```sql
   SHUTDOWN IMMEDIATE;
   STARTUP;
   ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
   SHOW PARAMETER WALLET_ROOT;
   ```

3. Set the `TDE_CONFIGURATION` parameter.

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;
   SHOW PARAMETER TDE_CONFIGURATION;
   ```

4. Migrate the software wallet to the HSM wallet.

   ```sql
   ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<cm_user:cm_user_password>" MIGRATE USING "<software_keystore_password>" WITH BACKUP;
   ```

5. Check the wallet status.

   ```sql
   COLUMN WRL_PARAMETER FORMAT A50;
   SET LINES 200;
   SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
   ```

6. (Optional) Set the master encryption key for the HSM keystore.

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<cm_user:cm_user_password>" CONTAINER=<pdb_name>/<ALL>;
   ```

7. Close the HSM keystore.

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<cm_user:cm_user_password>";
   ```

8. Set the `TDE_CONFIGURATION` parameter.

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH;
   ```

9. Open all PDBs.

   ```sql
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>" CONTAINER=<pdb_name>/<ALL>;
   ```

10. Check the wallet status.

    ```sql
    COLUMN WRL_PARAMETER FORMAT A50;
    SET LINES 200;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    ```

11. Add the secret to the software keystore. This secret is the HSM's password and the client is `HSM_PASSWORD`. `HSM_PASSWORD` is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.

    You must enclose `<cm_user:cm_user_password>` and `HSM_PASSWORD` in single quotes; the command fails otherwise.

    ```sql
    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
    ```

12. Create a new Auto-Login keystore using the password of the Oracle software wallet.

    ```sql
    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
    ```

13. Set the `TDE_CONFIGURATION` parameter.

    ```sql
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;
    ```

14. Restart the database.

    ```sql
    SHUTDOWN IMMEDIATE;
    STARTUP;
    ```

15. Open the PDB in read-write mode.

    ```sql
    ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
    ```

16. Check the wallet status.

    ```sql
    COLUMN WRL_PARAMETER FORMAT A50;
    SET LINES 200;
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    ```

17. Connect to the PDB.

    ```sql
    ALTER SESSION SET CONTAINER=<pdb_name>;
    ```

18. Check the wallet status.

    ```sql
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
    ```

19. (This step applies to Oracle RAC only.) After running the above steps on the source node, perform the following steps on all the destination nodes:

    1. Rename the existing `cwallet.sso` file.
    2. Copy the `cwallet.sso` file from the source node to the destination node in the cluster at the same location.
    3. Restart the database on the destination node.
    4. Open the PDB in read-write mode.

       ```sql
       ALTER PLUGGABLE DATABASE ALL OPEN READ WRITE;
       ```
## Migrating Back from HSM Wallet to Software Wallet

If you want to switch from an HSM keystore to a software keystore, you can use reverse migration of the keystore.

Note: It is recommended to keep the HSM. Earlier backup files may rely on TDE master encryption keys present in the HSM.

1. Navigate to the `<software_wallet_location>/tde` directory and rename the `cwallet.sso` file to `cwallet_backup.sso`.

2. Set the `TDE_CONFIGURATION` parameter.

   ```sql
   ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE|HSM" SCOPE=BOTH;
   ```

3. Log on to the database instance as a user who has been granted the `ADMINISTER KEY MANAGEMENT` or `SYSKM` privilege, and open the software keystore.

   ```sql
   sqlplus / as sysdba
   GRANT ADMINISTER KEY MANAGEMENT TO system;
   COMMIT;
   CONNECT <oracle_db_user>/<oracle_db_user_password>;
   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
   ```

4. Run the reverse migration command.

   ```sql
   ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<software_keystore_password>" REVERSE MIGRATE USING "<cm_user:cm_user_password>" WITH BACKUP;
   ```

   After you complete the reverse migration, you do not need to restart the database or manually reopen the software keystore.

When using Oracle RAC, perform all the above steps on only one target instance and keep all the other RAC instances shut down.

After all the above steps are completed, copy the `ewallet.p12` file from the configured target node to all the other node(s) at the `/tde` location. Restart all other RAC instance(s) and open the wallet.

```sql
sqlplus / as sysdba
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<software_keystore_password>";
```
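Each of the three procedures above ends with a `V$ENCRYPTION_WALLET` query. The following is an added example, not part of the CipherTrust Manager documentation, that checks that query's rows against the `TDE_CONFIGURATION` the procedure set (`HSM|FILE` for the two forward migrations, `FILE|HSM` for the reverse one), so an incomplete migration or a RAC node that never received `cwallet.sso` is caught before the encrypted tablespaces are relied on. It assumes the query output was saved as a pipe-delimited table like the ones on this page, and that a secondary keystore reporting `OPEN_NO_MASTER_KEY` is acceptable.

```python
# Added example, not code from the CipherTrust Manager documentation: compares the
# V$ENCRYPTION_WALLET rows each procedure ends with against the TDE_CONFIGURATION
# that was set, so an incomplete migration or a RAC node without cwallet.sso is caught.

def parse_wallet_rows(text):
    """Pipe-delimited table -> {WRL_TYPE: (WALLET_TYPE, STATUS)}; header/separator rows skipped."""
    rows = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "WRL_TYPE" and not set(cells[0]) <= {"-"}:
            rows[cells[0].upper()] = (cells[2].upper(), cells[3].upper())
    return rows

def keystore_order(tde_configuration):
    """'KEYSTORE_CONFIGURATION=HSM|FILE' -> ['HSM', 'FILE']; the first entry is the primary keystore."""
    key, _, value = tde_configuration.strip().strip('"').partition("=")
    if key.strip().upper() != "KEYSTORE_CONFIGURATION" or not value:
        raise ValueError(f"unexpected TDE_CONFIGURATION: {tde_configuration!r}")
    return [k.strip().upper() for k in value.split("|")]

def check_migration(tde_configuration, wallet_output, expect_autologin=True):
    """Return the list of problems found; an empty list means the wallet state matches."""
    order, rows = keystore_order(tde_configuration), parse_wallet_rows(wallet_output)
    problems = [f"{ks} keystore missing from V$ENCRYPTION_WALLET" for ks in order if ks not in rows]
    if (primary := order[0]) in rows:
        wallet_type, status = rows[primary]
        if status != "OPEN":
            problems.append(f"primary {primary} keystore is {status}, expected OPEN")
        if expect_autologin and wallet_type != "AUTOLOGIN":
            problems.append(f"primary {primary} keystore is {wallet_type}, expected AUTOLOGIN")
    # Assumption: the secondary keystore (e.g. the FILE wallet that now only holds the
    # HSM_PASSWORD secret) may report OPEN_NO_MASTER_KEY; anything else is unusable.
    for ks in order[1:]:
        if ks in rows and rows[ks][1] not in ("OPEN", "OPEN_NO_MASTER_KEY"):
            problems.append(f"secondary {ks} keystore is {rows[ks][1]}")
    return problems

# Constructed sample output (not captured from a real system): the node where the
# migration finished, and a RAC node whose cwallet.sso was never copied over.
MIGRATED_NODE = """
| WRL_TYPE | WRL_PARAMETER | WALLET_TYPE | STATUS |
|---|---|---|---|
| HSM |  | AUTOLOGIN | OPEN |
| FILE | /u01/app/oracle/admin/ORCL/wallet/tde/ | AUTOLOGIN | OPEN_NO_MASTER_KEY |
"""
NODE_WITHOUT_SSO = """
| HSM |  | UNKNOWN | CLOSED |
| FILE | /u01/app/oracle/admin/ORCL/wallet/tde/ | UNKNOWN | CLOSED |
"""
```

Run `check_migration("KEYSTORE_CONFIGURATION=HSM|FILE", output)` on each RAC node's output after the copy-and-restart step; any non-empty result is a node that should not be put back into service yet.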