Opening the Wallet/Hardware Keystore
The security administrator must make the Vectera Plus accessible to the database before Oracle Database can perform any TDE encryption or decryption. This is comparable to opening an Oracle wallet, or logging in to the hardware keystore. The wallet/hardware keystore can be opened manually or automatically: with the manual option, an administrator must re-enable access to the HSM every time the database instance is restarted; with the automatic (auto-login) option, the database opens it itself. Both methods are described below.
Run the following command to manually open the hardware keystore, making the HSM accessible:
You can disable access with the following command:
With the manual option, you must re-enable access to the HSM every time you restart the database instance; until the keystore is opened again, any access to TDE-encrypted data fails with ORA-28365 (wallet is not open).
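The manual open and close described above, as an added example that is not part of the original page. It uses Oracle's documented ADMINISTER KEY MANAGEMENT syntax for a 12c non-CDB database, run from SQL*Plus as SYSKM. The credential string "hsm_password" is a placeholder: the Vectera Plus integration supplies the exact form (some HSM integrations expect "user_id:password"), so use whatever the HSM vendor documentation specifies.

```sql
-- Added example (not from the original page): manually opening and closing
-- the hardware keystore. Assumptions: non-CDB 12c database, session
-- connected as SYSKM, HSM credential "hsm_password" (placeholder).

-- Open the hardware keystore so TDE can reach the master key on the HSM.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "hsm_password";

-- Check the keystore state before touching encrypted data.
-- A correctly opened HSM keystore reports WRL_TYPE = HSM and STATUS = OPEN.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;

-- Close the keystore again, for example before HSM maintenance.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "hsm_password";

-- After a close, or after an instance restart, every access to a
-- TDE-encrypted table or tablespace fails with ORA-28365 until the
-- keystore is reopened with the OPEN statement above.
```

In a multitenant (CDB) database the same statements take a trailing CONTAINER = ALL clause when run from the root; that variant is not shown here.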
An auto-login wallet stores the hardware security module credentials in an auto-login software keystore on the database host. This reduces the security of the system as a whole: the HSM password is then protected only by file-system permissions on the keystore file, so anyone who can read that file (or copy it to another host) can open the HSM. However, this configuration supports unmanned or automated operations and is useful in deployments where the hardware security module must be re-opened automatically, for example after an unattended restart.
1. If the hardware keystore is open, close it with the following command:
2. Create the password-protected software keystore that will hold the hardware keystore password.
If you have not migrated from a software keystore, create the software keystore in the appropriate location (for example, /etc/ORACLE/WALLETS/orcl).
If you have migrated and are using an auto-login software keystore in a specific location (for example, /etc/ORACLE/WALLETS/HSM), create the software password keystore and merge that auto-login keystore into it, so that the hardware keystore password already held in the auto-login keystore is carried into the new password keystore.
The location of the keystore for the ADMINISTER KEY MANAGEMENT merge statement does not need to be the location of the keystore in use.
3. Reconfigure the sqlnet.ora file: in the ENCRYPTION_WALLET_LOCATION setting, set METHOD to FILE and set DIRECTORY to the location of the software keystore created in step 2.
4. To make the change take effect, either reconnect to the database, or log out and then log back in again.
5. Open the software keystore.
The Software_Keystore_Password value must match the value set in step 2.
6. Add or update the secret in the software keystore.
The secret is the hardware security module password and the client is HSM_PASSWORD. HSM_PASSWORD is an Oracle-defined client name that represents the HSM password as a secret in the software keystore.
7. Close the software keystore.
8. Create (or re-create) the auto-login keystore from the password-protected software keystore.
9. Update the sqlnet.ora file to use the hardware security module location: set METHOD back to HSM and leave DIRECTORY pointing at the directory that holds the auto-login keystore, so that the database can read the HSM password from it.
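The whole auto-login procedure above, end to end, as an added example that is not part of the original page. It uses Oracle's documented ADMINISTER KEY MANAGEMENT syntax for a 12c non-CDB database, run from SQL*Plus as SYSKM, and finishes with the verification query the text describes. Every concrete value is an assumption: the software keystore directory /etc/ORACLE/WALLETS/orcl, the migrated auto-login keystore directory /etc/ORACLE/WALLETS/HSM, the HSM credential "hsm_password" and the software keystore password software_keystore_password are placeholders taken from the page's own example paths or chosen here.

```sql
-- Added example (not from the original page): configuring an auto-login
-- hardware keystore. Assumptions: non-CDB 12c database, session connected
-- as SYSKM, placeholder paths and passwords as named in the lead-in.

-- Step 1: close the hardware keystore if it is currently open.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "hsm_password";

-- Step 2a (no prior migration): create a password-protected software keystore.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY software_keystore_password;

-- Step 2b (migrated from a software keystore; use instead of 2a): create the
-- password keystore, then merge the existing auto-login keystore into it.
-- The merge source directory need not be the keystore currently in use.
-- ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl'
--   IDENTIFIED BY software_keystore_password;
-- ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/etc/ORACLE/WALLETS/HSM'
--   INTO EXISTING KEYSTORE '/etc/ORACLE/WALLETS/orcl'
--   IDENTIFIED BY software_keystore_password WITH BACKUP;

-- Step 3: point sqlnet.ora at the software keystore (edit the file, then
-- reconnect so the change takes effect; that reconnect is step 4):
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- Step 5: open the software keystore with the password chosen in step 2.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY software_keystore_password;

-- Step 6: store the HSM password as the Oracle-defined HSM_PASSWORD secret.
-- Use UPDATE SECRET instead of ADD SECRET if the secret already exists.
ADMINISTER KEY MANAGEMENT ADD SECRET 'hsm_password'
  FOR CLIENT 'HSM_PASSWORD'
  IDENTIFIED BY software_keystore_password WITH BACKUP;

-- Step 7: close the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY software_keystore_password;

-- Step 8: derive the auto-login keystore (cwallet.sso) from the password
-- keystore. CREATE LOCAL AUTO_LOGIN KEYSTORE would bind it to this host.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl'
  IDENTIFIED BY software_keystore_password;

-- Step 9: switch sqlnet.ora back to the HSM method. DIRECTORY stays on the
-- directory holding cwallet.sso so the HSM password can be read from it:
--   ENCRYPTION_WALLET_LOCATION=
--     (SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- Verification after an instance restart and reconnect: a working setup
-- reports WRL_TYPE = HSM, STATUS = OPEN and WALLET_TYPE = AUTOLOGIN.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;
```

Two points a practitioner should check afterwards. First, cwallet.sso now holds the HSM password guarded only by file permissions, so restrict the keystore directory to the Oracle software owner and keep the password-protected ewallet.p12 (and its WITH BACKUP copies) out of reach of other accounts. Second, if the database host is fixed, the LOCAL AUTO_LOGIN variant noted in step 8 prevents a copied cwallet.sso from opening the HSM from another machine; in a CDB, each statement additionally takes CONTAINER = ALL when run from the root.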
At this stage, the hardware security module auto-login keystore will open automatically the next time a TDE operation executes. To confirm that the auto-login wallet is working, restart the database instance, reconnect, and run the following query:
If the auto-login wallet was configured properly, you will see the following output: