Manual option
If using the manual option, you must run the following OPEN command to access the CryptoHub every time you restart the database instance.
Run the following command to open the hardware keystore manually, thus making the CryptoHub accessible:
Sql
You must re-enable access to the CryptoHub every time you restart the database instance, if using the manual option.
Automatic option
An auto-login wallet stores the credentials for the CryptoHub identity in an auto-login software keystore. This configuration reduces the security of the system as a whole; however, this configuration supports unmanned or automated operations and is useful in deployments where automatic re-login to the CryptoHub is necessary.
Choose one of the following operating systems to use the automatic option:
Linux
Perform the following steps to use the automatic option in Linux:
Run the following command to change ownership of the /etc/ORACLE directory to the Oracle user:
Shell
Run the following command to set the WALLET_ROOT parameter to the WALLETS directory created in the first step:
Sql
Run the following command to set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION:
Sql
Run the following command to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:
Sql
If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as /etc/ORACLE/WALLETS/tde):
Sql
Run the following command to add the secret to the software keystore. The secret is the CryptoHub identity password, and client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore. You must provide the secret and HSM_PASSWORD values within single quotes or the command fails.
Sql
Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:
Sql
Run the following command to reset the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION:
Sql
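The keystore steps of the Linux sequence above, written out as an added example in Oracle's documented SQL syntax; these are not the vendor's own commands, which this page does not include. It assumes the WALLET_ROOT and TDE_CONFIGURATION settings from the earlier steps are already in effect after the restart, uses the /etc/ORACLE/WALLETS/tde location named above, and treats every value in angle brackets as a placeholder; the final query is an added check.

```sql
-- Added example, not the vendor's commands. Run in SQL*Plus as SYSKM or SYSDBA.
-- Assumes WALLET_ROOT and KEYSTORE_CONFIGURATION=FILE are already in effect
-- after the restart. Values in <angle brackets> are placeholders.

-- Create the password-protected software keystore.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/tde'
  IDENTIFIED BY "<software_keystore_password>";

-- Store the CryptoHub identity password as a secret for client HSM_PASSWORD.
-- Both the secret and the client name are single-quoted.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cryptohub_identity_password>'
  FOR CLIENT 'HSM_PASSWORD'
  TO KEYSTORE '/etc/ORACLE/WALLETS/tde'
  IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;

-- Derive the auto-login keystore (cwallet.sso) from the password keystore.
-- Oracle also accepts CREATE LOCAL AUTO_LOGIN KEYSTORE, which ties the
-- file to the host that created it.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/tde'
  IDENTIFIED BY "<software_keystore_password>";

-- Reset the configuration so the HSM is the primary keystore and the
-- file keystore supplies the auto-login secret.
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE = BOTH;

-- Added check: list each keystore with its type and state.
SELECT wrl_type, status, wallet_type, wallet_order FROM v$encryption_wallet;
```

Because cwallet.sso now holds the CryptoHub identity password, keep the tde directory readable only by the Oracle user and include it in file-access monitoring.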
Windows
Perform the following steps to use the automatic option in Windows:
Run the following command to set the WALLET_ROOT parameter to the WALLETS directory created in the first step:
Sql
Run the following command to set the TDE_CONFIGURATION parameter to FILE for the KEYSTORE_CONFIGURATION:
Sql
Run the following command to stop and start the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:
Sql
If you have not migrated from a software keystore, run the following command to create the software keystore with the hardware keystore password (any password you choose) in the appropriate location (such as C:\WALLETS\tde):
Sql
Run the following command to add the secret to the software keystore. The secret is the CryptoHub identity password, and client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore. You must provide the secret and HSM_PASSWORD values within single quotes, or the command fails.
Sql
Run the following command to create a new auto-login keystore by using the password of the Oracle software wallet:
Sql
Run the following command to reset the TDE_CONFIGURATION parameter to HSM|FILE for the KEYSTORE_CONFIGURATION:
Sql

