Oracle Database TDE (19c)
Opening the wallet or hardware keystore
The security administrator must make the {{vectera}} accessible to the database before Oracle TDE can perform any encryption or decryption. This is comparable to opening the Oracle wallet or logging in to the hardware keystore. You can open the wallet or hardware keystore manually or automatically, but the manual option requires you to re-enable access to the HSM every time the database is restarted. Select one of the following methods and perform the instructions.

Manual

Run the following command to manually open the hardware keystore, making the HSM accessible:

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_identity_password";

Optionally, disable access with the following command:

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "hsm_identity_password";

You must re-enable access to the HSM every time you restart the database instance with the manual option.

Auto-login

An auto-login wallet stores the HSM credentials in an auto-login software keystore. This configuration reduces the system security, but it supports unmanned or automated operations. It also helps with deployments that require the HSM to re-login automatically. Follow the steps for your platform.

Windows

1. Create the c:\wallet\tde directory path.

2. Set the WALLET_ROOT parameter to the wallets directory created in the first step:

   SQL> ALTER SYSTEM SET WALLET_ROOT = 'c:\wallet\tde' SCOPE=SPFILE;

3. Set the TDE_CONFIGURATION parameter to FILE for the keystore configuration:

   SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;

4. Stop and restart the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:

   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;

5. If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (such as c:\wallets\tde):

   SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "software_keystore_password";

   Set the software_keystore_password value to any password you choose.

6. Open the new software keystore with the following command:

   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "software_keystore_password";

7. Add the secret to the software keystore. The secret is the HSM identity password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.

   SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_identity_password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "software_keystore_password" WITH BACKUP;

   You must provide the secret and HSM_PASSWORD values within single quotes, or the command fails.

8. Create a new auto-login keystore by using the password of the Oracle software wallet:

   SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "software_keystore_password";

9. Reset the TDE_CONFIGURATION parameter to HSM|FILE for the keystore configuration:

   SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;

10. Stop and restart the database after setting the TDE_CONFIGURATION parameter:

   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;

   At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes.

11. To confirm that the auto-login wallet is working, run the following query:

   SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

   If the auto-login wallet was configured properly, the following output appears:

   WRL_TYPE | WRL_PARAMETER      | WALLET_TYPE | STATUS
   ---------+--------------------+-------------+-------------------
   FILE     | c:\wallet\tde\tde\ | AUTOLOGIN   | OPEN_NO_MASTER_KEY
   HSM      |                    | HSM         | OPEN

Linux

1. Create the /etc/oracle/wallets/tde directory path by using the mkdir command:

   $ sudo mkdir -p /etc/oracle/wallets/tde

2. Change ownership of the /etc/oracle directory to the oracle user:

   $ chown -R oracle:oinstall /etc/oracle

3. Set the WALLET_ROOT parameter to the wallets directory created in the first step:

   SQL> ALTER SYSTEM SET WALLET_ROOT = '/etc/oracle/wallets' SCOPE=SPFILE;

4. Set the TDE_CONFIGURATION parameter to FILE for the keystore configuration:

   SQL> ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=SPFILE;

5. Stop and restart the database after setting the WALLET_ROOT and TDE_CONFIGURATION parameters:

   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;

6. If you have not migrated from a software keystore, create the software keystore with the hardware keystore password in the appropriate location (such as /etc/oracle/wallets/tde):

   SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "software_keystore_password";

   Set the software_keystore_password value to any password you choose.

7. Open the new software keystore with the following command:

   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "software_keystore_password";

8. Add the secret to the software keystore. The secret is the HSM identity password, and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name representing the HSM password as a secret in the software keystore.

   SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_identity_password' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "software_keystore_password" WITH BACKUP;

   You must provide the secret and HSM_PASSWORD values within single quotes, or the command fails.

9. Create a new auto-login keystore by using the password of the Oracle software wallet:

   SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "software_keystore_password";

10. Reset the TDE_CONFIGURATION parameter to HSM|FILE for the keystore configuration:

   SQL> ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;

11. Stop and restart the database after setting the TDE_CONFIGURATION parameter:

   SQL> SHUTDOWN IMMEDIATE;
   SQL> STARTUP;

   At this stage, the hardware security module auto-login keystore opens automatically the next time a TDE operation executes.

12. To confirm that the auto-login wallet is working, run the following query:

   SQL> SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

   If the auto-login wallet was configured properly, the following output appears:

   WRL_TYPE | WRL_PARAMETER            | WALLET_TYPE | STATUS
   ---------+--------------------------+-------------+-------------------
   FILE     | /etc/oracle/wallets/tde/ | AUTOLOGIN   | OPEN_NO_MASTER_KEY
   HSM      |                          | HSM         | OPEN
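Because the auto-login keystore holds the HSM credentials on disk, the file permissions of the wallet directory are what limits the reduced security this method introduces. The following shell check is an added example, not part of the original page or the vendor's tooling; it assumes a Linux host with GNU coreutils `stat`, the Oracle default keystore file names cwallet.sso and ewallet.p12, and the oracle user as the expected owner.

```shell
#!/bin/sh
# Added example: audit the keystore files in a TDE wallet directory
# (for this procedure, WALLET_ROOT/tde, e.g. /etc/oracle/wallets/tde).
# Assumptions: GNU `stat -c`; Oracle default file names; expected owner
# defaults to "oracle" (override with the second argument).
#
# audit_tde_wallet WALLET_DIR [EXPECTED_OWNER]
# Prints one line per keystore file found and returns 0 only when every
# keystore file is owned by EXPECTED_OWNER and has no group/other
# permission bits. A directory with no keystore file at all is a failure,
# since auto-login cannot work without cwallet.sso.
audit_tde_wallet() {
  dir="$1"
  expected_owner="${2:-oracle}"
  rc=0
  found=0
  for name in cwallet.sso ewallet.p12; do
    path="$dir/$name"
    [ -f "$path" ] || continue
    found=1
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    problems=""
    [ "$owner" = "$expected_owner" ] || problems="$problems owner=$owner"
    # Octal mode must end in 00 (e.g. 600, 400): nothing for group/other.
    case "$mode" in
      0|*00) ;;
      *) problems="$problems mode=$mode" ;;
    esac
    if [ -n "$problems" ]; then
      echo "FAIL $path:$problems"
      rc=1
    else
      echo "OK   $path ($owner $mode)"
    fi
  done
  if [ "$found" -ne 1 ]; then
    echo "NO-KEYSTORE $dir"
    rc=1
  fi
  return "$rc"
}
```

Run it as root or the oracle user after step 12 so that a world-readable cwallet.sso is caught before the database is left running unattended.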