Instructions to manually or automatically open the Oracle wallet or hardware keystore for HSM access.
The security administrator must make the Vectera Plus accessible to the Oracle database before performing any encryption or decryption. This is similar to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but the manual option requires you to re-enable access to the HSM every time the database is restarted. Select one of the following methods and perform its instructions:
Perform the following steps to use the automatic method:
An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces overall system security, because the HSM password is stored on disk in a keystore that opens without a password, but it supports automated operations. Additionally, it facilitates deployments that require the HSM to be logged in to again automatically after a database restart.
1
If the hardware keystore is open, close it with the following command:
Sql
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Identity_Password";
2
If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (for example, /etc/ORACLE/WALLETS/orcl).
Sql
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Software_Keystore_Password";
3
If you have migrated and are using an auto-login software keystore in a specific location (for example, /etc/ORACLE/WALLETS/HSM), create the software password keystore with the hardware keystore password from the auto-login keystore.
Sql
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/etc/ORACLE/WALLETS/HSM'      -- Example path of the existing auto-login keystore
     INTO EXISTING KEYSTORE '/etc/ORACLE/WALLETS/orcl'                         -- Example location of the software keystore just created
     IDENTIFIED BY "Existing_Keystore_Password" WITH BACKUP;
The keystore location given in the ADMINISTER KEY MANAGEMENT MERGE KEYSTORE statement does not need to be the location of the keystore currently in use.
4
Reconfigure the sqlnet.ora file and add the location of the software keystore created in step 2 to the DIRECTORY parameter of the ENCRYPTION_WALLET_LOCATION setting.
5
To make the change take effect, either reconnect to the database or log out and then log in again.
6
Open the software keystore.
Sql
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
The Software_Keystore_Password value must match the value set in step 2.
7
Add or update the secret in the software keystore. The SECRET is the HSM password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password stored as a secret in the software keystore.
Sql
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET "HSM_Identity_Password"
     FOR CLIENT "HSM_PASSWORD"
     IDENTIFIED BY "Software_Keystore_Password"
     WITH BACKUP;
8
Close the software keystore.
Sql
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Software_Keystore_Password";
9
Create (or re-create) the auto-login keystore.
Sql
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
     FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl/hsm'   -- Keystore location
     IDENTIFIED BY "Software_Keystore_Password";
10
Update the sqlnet.ora file so that ENCRYPTION_WALLET_LOCATION uses the HSM method again, with DIRECTORY still pointing at the directory that holds the auto-login keystore created in step 9.
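Steps 4 and 10 both say to edit sqlnet.ora without showing the parameter syntax. The following fragment is an added example, not part of the original procedure, written in the standard Oracle sqlnet.ora syntax; the keystore directory /etc/ORACLE/WALLETS/orcl is the example path used earlier in this procedure and is assumed to be the directory that also contains the auto-login keystore from step 9. Only one ENCRYPTION_WALLET_LOCATION entry may be active at a time, so the step-4 form is replaced by the step-10 form rather than kept alongside it.

```text
# --- Step 4: point the database at the software keystore created in step 2 ---
# METHOD=FILE makes the database open the (password-protected) software keystore
# in DIRECTORY, so the HSM_PASSWORD secret can be added in step 7.
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

# --- Step 10: switch back to the HSM (replace the entry above with this one) ---
# METHOD=HSM makes the database log in to the Vectera Plus; DIRECTORY still names
# the directory holding the auto-login keystore, which is where the database reads
# the HSM_PASSWORD secret from after a restart, so no manual SET KEYSTORE OPEN is needed.
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=HSM)
    (METHOD_DATA=
      (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
```

Because the auto-login keystore (cwallet.sso) lets any process that can read the file recover the HSM password, restrict the DIRECTORY to the Oracle software owner (for example mode 0700) and monitor it for reads or changes. On Oracle Database 18c and later the same configuration is normally expressed through the WALLET_ROOT and TDE_CONFIGURATION initialization parameters instead of ENCRYPTION_WALLET_LOCATION; the keystore layout and the HSM_PASSWORD secret from step 7 are unchanged.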
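The procedure gives no way to confirm that the auto-login configuration actually works. The query below is an added check, not part of the original page, using the Oracle-documented V$ENCRYPTION_WALLET view; run it after step 9 and again after restarting the database following step 10. The expected values in the comments are what Oracle documents for an auto-login HSM configuration and are assumptions about this particular deployment.

```sql
-- Added verification query (not part of the original procedure).
-- WRL_TYPE     : FILE for the software/auto-login keystore, HSM for the Vectera Plus
-- WRL_PARAMETER: the DIRECTORY configured in sqlnet.ora (FILE row) or the HSM marker
-- STATUS       : OPEN when the keystore is usable without further action
-- WALLET_TYPE  : AUTOLOGIN on the FILE row once step 9 has taken effect
SELECT wrl_type,
       wrl_parameter,
       status,
       wallet_type
  FROM v$encryption_wallet
 ORDER BY wrl_type;

-- After a database restart with the step-10 sqlnet.ora in place, the HSM row
-- should already report STATUS = OPEN without any
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN having been issued.
-- If it reports CLOSED, the HSM_PASSWORD secret from step 7 is missing or wrong
-- in the auto-login keystore, or DIRECTORY points at the wrong directory.
```

Checking this view from a monitoring job after every restart is a cheap way to detect a silently closed keystore before application errors reveal it, since TDE operations fail only when an encrypted column or tablespace is first touched.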