Setting up IBM Security Guardium Key Lifecycle Manager configuration file for Oracle TDE
To configure Oracle TDE, on the Oracle database host, create an IBM® Security Guardium® Key Lifecycle Manager configuration file that contains the server parameters.
The configuration file must be in the .cfg format. It must be kept at a location that is accessible to the Oracle system user.
In the configuration file, specify the following parameters:
Parameter | Description | Example values |
---|---|---|
envSettings | Specify the IBM Global Security Kit (GSKit) environment variables. By default, the TLSv1.2 protocol is enabled. | "GSK_PROTOCOL_TLSV12": "GSK_TRUE", "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF", "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF" |
hosts | Specify the hostname or IP address of the IBM Security Guardium Key Lifecycle Manager server. For a Multi-Master or replication setup, specify the hostnames or IP addresses of all the servers in the setup in comma-separated format. | For standalone setup: "hosts": "host1". For a Multi-Master or replication setup: |
kdb | Specifies the path to the keystore. | |
label | Specifies the label of the certificate that is presented as the client certificate from the keystore. | |
ports | Specifies the KMIP port number for key serving. For a Multi-Master or replication setup, specify the KMIP port for all the servers in the setup in comma-separated format. The sequence in which you specify the ports must match the sequence in which the hostnames or IP addresses are specified in the | For standalone setup: "ports": "port1". For a Multi-Master or replication setup: |
verbose | Specifies whether to print all statements on the console while running the IBM Security Guardium Key Lifecycle Manager PKCS #11 library. | true |
trace | Specifies the IBM Global Security Kit (GSKit) trace settings. | true |
traceLevel | Specifies the IBM Global Security Kit (GSKit) trace level. | 5 |
tracefile | The path and filename of the IBM Global Security Kit (GSKit) trace file to which the traces are recorded. | |
dbgLevel | Specifies whether to enable IBM Security Guardium Key Lifecycle Manager debug logging. If it is set to 1 or any positive number, debug statements are logged. If it is set to 0 or nothing, no debug statements are logged. | 1 |
logname | Path and filename of the log file to which the IBM Security Guardium Key Lifecycle Manager debug logs are recorded. | |
appendLog | Specifies whether to append the IBM Security Guardium Key Lifecycle Manager logs to an existing log file or overwrite the log file after a specified time. | true |
A sample configuration file:

```json
{
  "envSettings": {
    "GSK_PROTOCOL_TLSV12": "GSK_TRUE",
    "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF",
    "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF"
  },
  "hosts": "host1,host2",
  "isTLS": true,
  "kdb": "/home/oracle/TDE/gklm.kdb",
  "label": "gklmclient",
  "ports": "5696,5696",
  "stashed": true,
  "verbose": true,
  "trace": true,
  "traceLevel": 5,
  "tracefile": "/tmp/gklm.trc",
  "dbgLevel": 1,
  "logname": "/home/oracle/adaptor.log",
  "appendLog": true
}
```
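As an added example (not part of the IBM documentation or product), the following Python check parses a .cfg in this format before it is placed on the Oracle host and verifies the rules the table states: required parameters are present, the ports sequence lines up one-to-one with the hosts sequence, and the GSKit settings keep SSLv2/SSLv3 off with TLSv1.2 on. The host names, paths and the `check_cfg` helper are assumptions; the embedded sample is constructed and deliberately lists two hosts but only one port.

```python
import json

# Constructed sample .cfg (JSON) with a deliberate hosts/ports mismatch; names are placeholders.
SAMPLE_CFG = """{
  "envSettings": {
    "GSK_PROTOCOL_TLSV12": "GSK_TRUE",
    "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF",
    "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF"
  },
  "hosts": "host1,host2",
  "isTLS": true,
  "kdb": "/home/oracle/TDE/gklm.kdb",
  "label": "gklmclient",
  "ports": "5696",
  "stashed": true,
  "dbgLevel": 1
}"""


def split_list(value):
    """Split a comma-separated value such as "host1,host2" into trimmed, non-empty items."""
    return [item.strip() for item in str(value).split(",") if item.strip()]


def check_cfg(text):
    """Return a list of findings for a GKLM Oracle TDE .cfg; an empty list means no issue found."""
    findings = []
    cfg = json.loads(text)
    for key in ("hosts", "ports", "kdb", "label"):
        if key not in cfg:
            findings.append(f"missing required parameter: {key}")
    hosts = split_list(cfg.get("hosts", ""))
    ports = split_list(cfg.get("ports", ""))
    # The ports sequence must match the hosts sequence entry for entry.
    if len(hosts) != len(ports):
        findings.append(f"hosts/ports count mismatch: {len(hosts)} hosts vs {len(ports)} ports")
    for port in ports:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"invalid KMIP port: {port!r}")
    env = cfg.get("envSettings", {})
    # Legacy SSLv2/SSLv3 must stay off and TLSv1.2 must be enabled.
    if env.get("GSK_PROTOCOL_SSLV2") != "GSK_PROTOCOL_SSLV2_OFF":
        findings.append("GSK_PROTOCOL_SSLV2 is not GSK_PROTOCOL_SSLV2_OFF")
    if env.get("GSK_PROTOCOL_SSLV3") != "GSK_PROTOCOL_SSLV3_OFF":
        findings.append("GSK_PROTOCOL_SSLV3 is not GSK_PROTOCOL_SSLV3_OFF")
    if env.get("GSK_PROTOCOL_TLSV12") != "GSK_TRUE":
        findings.append("GSK_PROTOCOL_TLSV12 is not GSK_TRUE")
    dbg = cfg.get("dbgLevel", 0)
    if not isinstance(dbg, int) or dbg < 0:
        findings.append(f"dbgLevel must be 0 or a positive integer, got {dbg!r}")
    return findings
```

Run `check_cfg` on the file contents before handing the file to the Oracle system user; the keystore path and its permissions still need to be verified on the host itself.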