You can configure IBM Security Guardium Key Lifecycle Manager with
Oracle TDE as an external security module
to manage the TDE master key.
Before you begin
- Ensure that Oracle is installed on either Linux x86_64 or Windows x86_64 operating systems.
- Download the IBM Security Guardium Key Lifecycle Manager PKCS #11 library to
the system where Oracle is installed.
- Log in to the IBM Security Guardium Key Lifecycle Manager graphical user
interface.
- In the header bar, click the Help icon. On the menu that is displayed,
click Get GKLM P11 Library. The
GKLM_P11_lib
compressed file
is downloaded.
- Extract the
GKLM_P11_lib
file. Go to the PKCS_Lib
folder.
The PKCS_Lib
folder contains the files for IBM Security Guardium Key Lifecycle Manager PKCS #11, IBM Global Security Kit (GSKit) 8
Crypt, and IBM Global Security Kit (GSKit) 8 SSL for Linux x86 and Windows x86 operating
systems.
- Install IBM Global Security Kit (GSKit) 8 Crypt and IBM Global Security Kit (GSKit) 8 SSL
libraries that you extracted previously.
- Windows
-
- Extract the IBM Global Security Kit (GSKit)
.msi
files.
- Double-click the IBM Global Security Kit (GSKit) installation file.
- On the confirmation box that is displayed, click Run.
- Follow the instructions on the installation wizard. A confirmation message is displayed on the
wizard when the installation is complete.
- Click Finish to exit the wizard. By default, IBM Global Security Kit
(GSKit) 8 is installed at this location:
C:\Program Files\IBM\gsk8\
.
- To run the IBM Global Security Kit (GSKit) 8 commands, add the
bin
path
(C:\Program Files\IBM\gsk8\bin
) to the PATH environment
variable.
- Linux
-
- Run the following command:
rpm -ivh FILE_NAME
For
example,
rpm -ivh gskcrypt64-8.0.55.29.linux.x86_64.rpm
FILE_NAME
is the name of the IBM Global Security Kit (GSKit) .rpm
file.
By default, IBM
Global Security Kit (GSKit) 8 is installed at this location:
/usr/local/ibm/gsk8_64/
.
About this task
IBM Security Guardium Key Lifecycle Manager is configured with Oracle TDE as an external security module or a
software keystore.
The configuration process includes the following high-level steps:
- Set up secure communication between Oracle TDE and IBM Security Guardium Key Lifecycle Manager.
- Set the external keystore type.
- Configure the keystore.
- Set the password for the client in IBM Security Guardium Key Lifecycle Manager.
- Open the keystore.
- Set the keystore TDE master encryption key.
- Verify the configuration.
Procedure
- Set up secure communication between Oracle TDE and IBM Security Guardium Key Lifecycle Manager.
- Log in to the system where Oracle is installed as the Oracle system
user.
- Open a command line.
- Create a keystore in the KDB format.
gsk8capicmd_64 -keydb -create -db KEYSTORE_NAME -stash
Where, KEYSTORE_NAME is the name of the keystore.
gsk8capicmd_64 -keydb -create -db gklm.kdb -stash
A keystore in the .kdb
format is created. Ensure that the
Oracle system user has access to this keystore file.
- Create a certificate in the keystore.
The following command is for
self-signed certificate:
gsk8capicmd_64 -cert -create -db KEYSTORE_NAME -dn "CN=COMMON_NAME,O=ORGANIZATION,OU=ORGANIZATIONAL_UNIT" -label GKLM_CERTIFICATE_LABEL -size 2048 -expire 300
Where,
- KEYSTORE_NAME is the keystore name.
- COMMON_NAME is a unique identifier for the certificate.
- ORGANIZATION is the organization name.
- ORGANIZATIONAL_UNIT is the organizational unit.
- GKLM_CERTIFICATE_LABEL is the certificate label.
gsk8capicmd_64 -cert -create -db gklm.kdb -dn "CN=gklmclient,O=ibm,OU=abc" -label gklmclient -size 2048 -expire 300
- Export the certificate.
gsk8capicmd_64 -cert -extract -db KEYSTORE_NAME -label GKLM_CERTIFICATE_LABEL -stashed -file GKLM_CLIENT_CERT.cer -format ascii
Where,
- KEYSTORE_NAME is the keystore name.
- GKLM_CERTIFICATE_LABEL is the certificate label.
- GKLM_CLIENT_CERT is the name of the file to which the certificate is
exported.
For example,
gsk8capicmd_64 -cert -extract -db gklm.kdb -label gklmclient -stashed -file clientcert.cer -format ascii
- Log in to the IBM Security Guardium Key Lifecycle Manager server and import the certificate that you
exported as a client certificate. For steps, see Importing a client device certificate. When
you import the client certificate, select Allow the server to trust this certificate and
communicate with the associated client device to trust the certificate.
Enter a client name when prompted. When the certificate is successfully imported,
a client is created with the name that you specified. To view this client, go to the Clients page of
IBM Security Guardium Key Lifecycle Manager graphical user
interface.
- Export a IBM Security Guardium Key Lifecycle Manager server
certificate. For instructions, see Downloading a server certificate.
- Log in to the Oracle system and import the IBM Security Guardium Key Lifecycle Manager key serving certificate to the KDB
keystore.
gsk8capicmd_64 -cert -add -db KEYSTORE_NAME -file GKLM_SERVER_CERT -format ascii -label gklmserver -stashed
Where,
- KEYSTORE_NAME is the keystore name.
- GKLM_CERTIFICATE_LABEL is the certificate label.
- GKLM_SERVER_CERT is the name of IBM Security Guardium Key Lifecycle Manager server certificate.
gsk8capicmd_64 -cert -add -db gklm.kdb -file ssl.cer -format ascii -label gklmserver -stashed
- Create the IBM Security Guardium Key Lifecycle Manager configuration
file in the
.cfg
format. For more information, see Setting up IBM Security Guardium Key Lifecycle Manager configuration file for Oracle TDE. The .cfg
file must
be kept at a location that is accessible to the Oracle system user.
- Set an environment variable for the Oracle system user in the operating system for the
IBM Security Guardium Key Lifecycle Manager configuration file.
export GKLM_PKCS11_CFG_FILE=GKLM_CONFIG_FILE_PATH
Where, GKLM_CONFIG_FILE_PATH is the path to the IBM Security Guardium Key Lifecycle Manager configuration file.
export GKLM_PKCS11_CFG_FILE=/home/oracle/gklm.cfg
- Set the external keystore type. For instructions, see the Configuring a Hardware Keystore
topic in the Oracle documentation for your Oracle version. For example, to set the external keystore
type in Oracle 21c, refer to Configure the External Keystore for United Mode.
- To configure the external security module, copy the
GKLM P11
library to
the following location.
- Windows
%SYSTEM_DRIVE%\oracle\extapi\64\hsm\{VENDOR}\{VERSION}\libapiname.dll
For
example,C:\oracle\extapi\64\hsm\gklm\1.0\gklmp11.dll
- Linux and AIX
/opt/oracle/extapi/64/hsm/{VENDOR}/{VERSION}/libapiname.so
For
example,/opt/oracle/extapi/64/hsm/gklm/1.0/gklmp11.so
Where,
64
specifies that the supplied binary 64 bits.
- VENDOR is the name of the vendor supplying the library.
- VERSION is the version of the library. Preferably, this can be in the format,
number.number.number.
- apiname requires no special format. However, the apiname
must be prefixed with the word
lib
, as illustrated in the syntax.
- Log in to the IBM Security Guardium Key Lifecycle Manager server. Run the following REST service to set the password for the client that you created in
step 1.f
.
PUT/SKLM/rest/v1/deviceGroupAttributes
{
"name": "CLIENT_NAME",
"attributes": "deviceTypePKCS11PWD PASSWORD"
}
Where,
- CLIENT_NAME is the client name that you specified when you imported the
client certificate in
step 1.f
.
- PASSWORD is the password that you want to set for this client.
PUT/SKLM/rest/v1/deviceGroupAttributes
{
"name": "ORACLE",
"attributes": "deviceTypePKCS11PWD GKLM@oracle123"
}
- Log in to the Oracle system and open a command line. Open the keystore.
To
open the keystore, use the
ADMINISTER KEY MANAGEMENT
statement with the
SET
KEYSTORE OPEN
clause.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "PASSWORD";
For
example,
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "GKLM@oracle123";
Where,
PASSWORD is the password that you set in step
4
.
- Set the TDE master encryption key.
Note: Ensure that the database is open in READ WRITE
mode.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "PASSWORD";
For
example,
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "GKLM@oracle123";
Where,
PASSWORD
is the password that you set in step 4
.
- Verify whether Oracle TDE is
configured.
Run the following query:
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
V$ENCRYPTION_WALLET
displays the status information of the wallet and the wallet
location for Oracle TDE.
If Oracle TDE is successfully
configured, the STATUS
value shows as OPEN
.