Open the wallet or hardware keystore

1min
The security administrator must make the  accessible to the Oracle database before it can perform any encryption or decryption. This is similar to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but the manual option requires you to re-enable access to the HSM every time the database is restarted.
Select one of the following methods and perform the instructions:
Manual
Automatic
1
Run the following command to manually open the hardware keystore, making the HSM accessible:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "HSM_Identity_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "HSM_Identity_Password";
﻿
2
Optionally, disable access with the following command:
SQL
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "HSM_Identity_Password";
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "HSM_Identity_Password";
﻿
You must re-enable access to the HSM every time you restart the database instance with the manual option.
An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces the system security, but it supports automated operations. Also, it helps with deployments that require the HSM to re-login automatically.
1
If the hardware keystore is open, close it with the following command:
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Identity_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Identity_Password";
﻿
2
If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (for example, /etc/ORACLE/WALLETS/orcl).
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' 
IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' 
IDENTIFIED BY "Software_Keystore_Password";
﻿
3
If you have migrated and are using an auto-login software keystore in a specific location (for example, /etc/ORACLE/WALLETS/HSM), create the software password keystore with the hardware keystore password from the auto-login keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Software_Keystore_Password";

SQL> ADMINISTER KEY MANAGEMENT 
MERGE KEYSTORE '/etc/ORACLE/WALLETS/HSM' -- Example keystore path
INTO EXISTING KEYSTORE '/etc/ORACLE/WALLETS/HSM' -- Example keystore location
IDENTIFIED BY "Existing_Keystore_Password" WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY "Software_Keystore_Password";

SQL> ADMINISTER KEY MANAGEMENT 
MERGE KEYSTORE '/etc/ORACLE/WALLETS/HSM' -- Example keystore path
INTO EXISTING KEYSTORE '/etc/ORACLE/WALLETS/HSM' -- Example keystore location
IDENTIFIED BY "Existing_Keystore_Password" WITH BACKUP;
﻿
The location of the keystore for the ADMINISTER KEY MANAGEMENT merge statement does not need to be the location of the keystore in use.
4
Reconfigure the sqlnet.ora file and add the keystore location of the software keystore created in step 2 to the DIRECTORY setting of the ENCRYPTION_WALLET_LOCATION setting.
SQL
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
   (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
﻿
5
To make the change take effect, either re-connect to the database or log out and then log in again.
6
Open the software keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Software_Keystore_Password";
﻿
The Software_Keystore_Password value needs to match the value set in step 2.
7
Add or update the secret in the software keystore.
The SECRET is the HSM password, and the client is HSM_PASSWORD. 
HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET "HSM_Identity_Password" 
FOR CLIENT "HSM_PASSWORD" IDENTIFIED BY "Software_Keystore_Password" 
WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT ADD SECRET "HSM_Identity_Password" 
FOR CLIENT "HSM_PASSWORD" IDENTIFIED BY "Software_Keystore_Password" 
WITH BACKUP;
﻿
8
Close the software keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Software_Keystore_Password";
﻿
9
Create (or re-create) the auto-login keystore.
SQL
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE 
FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl/hsm' -- Keystore location
IDENTIFIED BY "Software_Keystore_Password";
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE 
FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl/hsm' -- Keystore location
IDENTIFIED BY "Software_Keystore_Password";
﻿
10
Update the sqlnet.ora file to use the HSM location.
SQL
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
﻿
The HSM auto-login keystore should open automatically the next time that a TDE operation executes.
11
To confirm that the auto-login wallet is working, reboot the database, reconnect, and run the following query:
SQL
SQL> select status from v$encryption_wallet where wrl_type='HSM';
SQL> select status from v$encryption_wallet where wrl_type='HSM';
﻿
If auto-login wallet was configured properly, you the following output displays:
SQL
STATUS 
------------------------------ 
OPEN
STATUS 
------------------------------ 
OPEN
﻿
﻿
Updated 28 Aug 2024
Did this page help you?
Generate a TDE Master Encryption Key on the Vectera Plus
Oracle Database TDE (19c)