Setting up IBM Security Guardium Key Lifecycle Manager configuration file for Oracle TDE

To configure Oracle TDE, on the Oracle database host, create a IBM® Security Guardium® Key Lifecycle Manager configuration file that contains the server parameters.

The configuration file must be in the .cfg format. It must be kept at a location that is accessible to the Oracle system user.

In the configuration file, specify the following parameters:

Parameter Description Example values
envSettings Specify the IBM Global Security Kit (GSKit) environment variables. By default TLSv1.2 protocol is enabled. "GSK_PROTOCOL_TLSV12": "GSK_TRUE", "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF", "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF"
hosts Specify the hostname or IP address of the IBM Security Guardium Key Lifecycle Manager server.

For a Multi-Master or replication setup, specify the hostnames or IP addresses of all the servers in the setup in comma-separated format.

For standalone setup: "hosts": "host1"

For a Multi-Master or replication setup: "hosts": "host1,host2"

kdb Specifies the path to the keystore.  
label Specifies the label of the certificate that is presented as the client certificate from the keystore.  
ports Specifies the KMIP port number for key serving.

For a Multi-Master or replication setup, specify the KMIP port for all the servers in the setup in comma-separated format. The sequence in which you specify the ports must match with the sequence in which the hostnames or IP addresses are specified in the hosts parameter.

For standalone setup: "ports": "port1"

For a Multi-Master or replication setup: "hosts": "port1,port2"

verbose

Specifies whether to print all statements on the console while running the IBM Security Guardium Key Lifecycle ManagerPKCS #11 library.

true
trace Specifies the IBM Global Security Kit (GSKit) trace settings. true
traceLevel Specifies the IBM Global Security Kit (GSKit) trace level. 5
tracefile The path and filename of the IBM Global Security Kit (GSKit) trace file to which the traces are recorded.  
dbgLevel Specifies whether to enable IBM Security Guardium Key Lifecycle Manager debug logging.

If it is set to 1 or any positive number, debug statements are logged. If it is set to 0 or nothing, no debug statements are logged.

1
logname Path and filename of the log file to which the IBM Security Guardium Key Lifecycle Manager debug logs are recorded.  
appendLog Specifies whether to append the IBM Security Guardium Key Lifecycle Manager logs to an existing log file or overwrite the log file after a specified time. true

A sample configuration file:

{
    "envSettings": {
                "GSK_PROTOCOL_TLSV12": "GSK_TRUE",
                "GSK_PROTOCOL_SSLV2": "GSK_PROTOCOL_SSLV2_OFF",
                "GSK_PROTOCOL_SSLV3": "GSK_PROTOCOL_SSLV3_OFF"
    },
    "hosts": "host1,host2",
    "isTLS": true,
    "kdb": "/home/oracle/TDE/gklm.kdb",
    "label": "gklmclient",
    "ports": "5696,5696",
    "stashed": true,
    "verbose": true,
    "trace": true,
    "traceLevel": 5,
    "tracefile": "/tmp/gklm.trc",
    "dbgLevel": 1,
    "logname": "/home/oracle/adaptor.log",
    "appendLog": true
}