Oracle Database TDE (12c)
Open the wallet or hardware keystore
The security administrator must make the {{vectera}} accessible to the Oracle database before it can perform any encryption or decryption. This is similar to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but the manual option requires you to re-enable access to the HSM every time the database is restarted. Select one of the following methods and perform the instructions.

Opening the hardware keystore manually

Run the following command to manually open the hardware keystore, making the HSM accessible:

    SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_identity_password";

Optionally, disable access with the following command:

    SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "hsm_identity_password";

With the manual option you must re-enable access to the HSM every time you restart the database instance.

Configuring an auto-login hardware keystore

An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces the system security, but it supports automated operations. It also helps with deployments that require the HSM to re-login automatically.

1. If the hardware keystore is open, close it with the following command:

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "identity_password";

2. Create the software keystore that will hold the hardware keystore password.

   If you have not migrated from a software keystore, create the software keystore in the appropriate location (for example, /etc/oracle/wallets/orcl):

    SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallets/orcl' IDENTIFIED BY "software_keystore_password";

   If you have migrated and are using an auto-login software keystore in a specific location (for example, /etc/oracle/wallets/hsm), create the software password keystore and merge the hardware keystore password from the auto-login keystore into it:

    SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/oracle/wallets/orcl' IDENTIFIED BY "software_keystore_password";
    SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/etc/oracle/wallets/hsm' INTO EXISTING KEYSTORE '/etc/oracle/wallets/orcl' IDENTIFIED BY "existing_keystore_password" WITH BACKUP;

   Here '/etc/oracle/wallets/hsm' is the example path of the auto-login keystore and '/etc/oracle/wallets/orcl' is the example location of the keystore it is merged into. The location of the keystore for the ADMINISTER KEY MANAGEMENT MERGE statement does not need to be the location of the keystore in use.

3. Reconfigure the sqlnet.ora file and add the keystore location of the software keystore created in step 2 to the DIRECTORY setting of the ENCRYPTION_WALLET_LOCATION setting:

    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/etc/oracle/wallets/orcl)))

   To make the change take effect, either reconnect to the database or log out and then log in again.

4. Open the software keystore:

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "software_keystore_password";

   The software_keystore_password value must match the value set in step 2.

5. Add or update the secret in the software keystore. The secret is the HSM password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.

    SQL> ADMINISTER KEY MANAGEMENT ADD SECRET "hsm_identity_password" FOR CLIENT "HSM_PASSWORD" IDENTIFIED BY "software_keystore_password" WITH BACKUP;

6. Close the software keystore:

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "software_keystore_password";

7. Create (or re-create) the auto-login keystore, where '/etc/oracle/wallets/orcl/hsm' is the keystore location:

    SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/etc/oracle/wallets/orcl/hsm' IDENTIFIED BY "software_keystore_password";

8. Update the sqlnet.ora file to use the HSM location:

    ENCRYPTION_WALLET_LOCATION=
      (SOURCE=(METHOD=HSM)(METHOD_DATA=
        (DIRECTORY=/etc/oracle/wallets/orcl)))

   The HSM auto-login keystore should open automatically the next time that a TDE operation executes.

9. To confirm that the auto-login wallet is working, reboot the database, reconnect, and run the following query:

    SQL> SELECT STATUS FROM V$ENCRYPTION_WALLET WHERE WRL_TYPE='HSM';

   If the auto-login wallet was configured properly, the following output displays:

    STATUS
    ------
    OPEN
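As an added example (not part of this page and not Oracle's code), the following Python script parses the ENCRYPTION_WALLET_LOCATION parameter of sqlnet.ora so an administrator can confirm from the file itself which keystore method the database will consult (FILE after step 3, HSM after step 8) and which directory is expected to hold the auto-login keystore containing the HSM secret. The parser handles Oracle's general nested (KEY=VALUE) syntax, not only this one parameter; the sqlnet.ora snippets and the SQLNET.EXPIRE_TIME line are constructed samples.

```python
"""Parse ENCRYPTION_WALLET_LOCATION from sqlnet.ora and report which keystore
method TDE will use. Added illustration, not Oracle's code; samples are constructed."""
import re

# sqlnet.ora values are nested (KEY=VALUE) groups; whitespace and newlines are ignored.
_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")

SQLNET_STEP3 = """
# constructed sample: step 3, software keystore holding the HSM secret
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/etc/oracle/wallets/orcl)))
SQLNET.EXPIRE_TIME=10
"""
SQLNET_STEP8 = SQLNET_STEP3.replace("METHOD=FILE", "METHOD=HSM")  # constructed: step 8

def _parse_groups(tokens, pos):
    """Parse consecutive (KEY=VALUE) groups from pos; returns (dict, next_pos)."""
    result = {}
    while pos < len(tokens) and tokens[pos] == "(":
        key = tokens[pos + 1].upper()
        if tokens[pos + 2] != "=":
            raise ValueError(f"expected '=' after {key}")
        if tokens[pos + 3] == "(":                       # nested group
            result[key], pos = _parse_groups(tokens, pos + 3)
        else:                                            # scalar value
            result[key], pos = tokens[pos + 3], pos + 4
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError(f"unbalanced parentheses after {key}")
        pos += 1
    return result, pos

def parse_sqlnet(text):
    """Return {PARAMETER: value} for every NAME=value entry; '#' lines are comments."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    tokens, params, pos = _TOKEN.findall(body), {}, 0
    while pos < len(tokens):
        name = tokens[pos].upper()
        if pos + 2 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError(f"malformed parameter near {name}")
        if tokens[pos + 2] == "(":
            params[name], pos = _parse_groups(tokens, pos + 2)
        else:
            params[name], pos = tokens[pos + 2], pos + 3
    return params

def wallet_method(params):
    """(METHOD, DIRECTORY): FILE = software keystore; HSM = hardware keystore, with
    DIRECTORY naming where the auto-login keystore holding the HSM secret is expected."""
    src = params["ENCRYPTION_WALLET_LOCATION"]["SOURCE"]
    return src["METHOD"].upper(), (src.get("METHOD_DATA") or {}).get("DIRECTORY")
```

Run wallet_method(parse_sqlnet(open("sqlnet.ora").read())) against the real file after step 3 and again after step 8 to confirm the METHOD changed and the DIRECTORY still points at the keystore created in step 2.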