Configuring Oracle Transparent Data Encryption (TDE)

You can configure IBM® Security Guardium® Key Lifecycle Manager with Oracle TDE as an external security module to manage the TDE master key.

Before you begin

  • Ensure that Oracle is installed on either Linux x86_64 or Windows x86_64 operating systems.
  • Download the IBM Security Guardium Key Lifecycle Manager PKCS #11 library to the system where Oracle is installed.
    1. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface.
    2. In the header bar, click the Help icon. On the menu that is displayed, click Get GKLM P11 Library. The GKLM_P11_lib compressed file is downloaded.
    3. Extract the GKLM_P11_lib file. Go to the PKCS_Lib folder.

      The PKCS_Lib folder contains the files for IBM Security Guardium Key Lifecycle Manager PKCS #11, IBM Global Security Kit (GSKit) 8 Crypt, and IBM Global Security Kit (GSKit) 8 SSL for Linux x86 and Windows x86 operating systems.

  • Install IBM Global Security Kit (GSKit) 8 Crypt and IBM Global Security Kit (GSKit) 8 SSL libraries that you extracted previously.
    Windows
    1. Extract the IBM Global Security Kit (GSKit) .msi files.
    2. Double-click the IBM Global Security Kit (GSKit) installation file.
    3. On the confirmation box that is displayed, click Run.
    4. Follow the instructions on the installation wizard. A confirmation message is displayed on the wizard when the installation is complete.
    5. Click Finish to exit the wizard. By default, IBM Global Security Kit (GSKit) 8 is installed at this location: C:\Program Files\IBM\gsk8\.
    6. To run the IBM Global Security Kit (GSKit) 8 commands, add the bin path (C:\Program Files\IBM\gsk8\bin) to the PATH environment variable.
    Linux
    1. Run the following command:
      rpm -ivh FILE_NAME

      For example,

      rpm -ivh gskcrypt64-8.0.55.29.linux.x86_64.rpm

      FILE_NAME is the name of the IBM Global Security Kit (GSKit) .rpm file.

      By default, IBM Global Security Kit (GSKit) 8 is installed at this location: /usr/local/ibm/gsk8_64/.

About this task

IBM Security Guardium Key Lifecycle Manager is configured with Oracle TDE as an external security module or a software keystore.

The configuration process includes the following high-level steps:
  1. Set up secure communication between Oracle TDE and IBM Security Guardium Key Lifecycle Manager.
  2. Set the external keystore type.
  3. Configure the keystore.
  4. Set the password for the client in IBM Security Guardium Key Lifecycle Manager.
  5. Open the keystore.
  6. Set the keystore TDE master encryption key.
  7. Verify the configuration.

Procedure

  1. Set up secure communication between Oracle TDE and IBM Security Guardium Key Lifecycle Manager.
    1. Log in to the system where Oracle is installed as the Oracle system user.
    2. Open a command line.
    3. Create a keystore in the KDB format.
      gsk8capicmd_64 -keydb -create -db KEYSTORE_NAME -stash

      Where, KEYSTORE_NAME is the name of the keystore.

      gsk8capicmd_64 -keydb -create -db gklm.kdb -stash
      A keystore in the .kdb format is created. Ensure that the Oracle system user has access to this keystore file.
    4. Create a certificate in the keystore.
      The following command is for self-signed certificate:
      gsk8capicmd_64 -cert -create -db KEYSTORE_NAME -dn "CN=COMMON_NAME,O=ORGANIZATION,OU=ORGANIZATIONAL_UNIT" -label GKLM_CERTIFICATE_LABEL -size 2048 -expire 300
      Where,
      • KEYSTORE_NAME is the keystore name.
      • COMMON_NAME is a unique identifier for the certificate.
      • ORGANIZATION is the organization name.
      • ORGANIZATIONAL_UNIT is the organizational unit.
      • GKLM_CERTIFICATE_LABEL is the certificate label.
      gsk8capicmd_64 -cert -create -db gklm.kdb -dn "CN=gklmclient,O=ibm,OU=abc" -label gklmclient -size 2048 -expire 300
    5. Export the certificate.
      gsk8capicmd_64 -cert -extract -db KEYSTORE_NAME -label GKLM_CERTIFICATE_LABEL -stashed -file GKLM_CLIENT_CERT.cer -format ascii
      Where,
      • KEYSTORE_NAME is the keystore name.
      • GKLM_CERTIFICATE_LABEL is the certificate label.
      • GKLM_CLIENT_CERT is the name of the file to which the certificate is exported.
      For example,
      gsk8capicmd_64 -cert -extract -db gklm.kdb -label gklmclient -stashed -file clientcert.cer -format ascii
    6. Log in to the IBM Security Guardium Key Lifecycle Manager server and import the certificate that you exported as a client certificate. For steps, see Importing a client device certificate. When you import the client certificate, select Allow the server to trust this certificate and communicate with the associated client device to trust the certificate.
      Enter a client name when prompted. When the certificate is successfully imported, a client is created with the name that you specified. To view this client, go to the Clients page of IBM Security Guardium Key Lifecycle Manager graphical user interface.
    7. Export a IBM Security Guardium Key Lifecycle Manager server certificate. For instructions, see Downloading a server certificate.
    8. Log in to the Oracle system and import the IBM Security Guardium Key Lifecycle Manager key serving certificate to the KDB keystore.
      gsk8capicmd_64 -cert -add -db KEYSTORE_NAME -file GKLM_SERVER_CERT -format ascii -label gklmserver -stashed
      Where,
      • KEYSTORE_NAME is the keystore name.
      • GKLM_CERTIFICATE_LABEL is the certificate label.
      • GKLM_SERVER_CERT is the name of IBM Security Guardium Key Lifecycle Manager server certificate.
      gsk8capicmd_64 -cert -add -db gklm.kdb -file ssl.cer -format ascii -label gklmserver -stashed
    9. Create the IBM Security Guardium Key Lifecycle Manager configuration file in the .cfg format. For more information, see Setting up IBM Security Guardium Key Lifecycle Manager configuration file for Oracle TDE.
      The .cfg file must be kept at a location that is accessible to the Oracle system user.
    10. Set an environment variable for the Oracle system user in the operating system for the IBM Security Guardium Key Lifecycle Manager configuration file.
      export GKLM_PKCS11_CFG_FILE=GKLM_CONFIG_FILE_PATH

      Where, GKLM_CONFIG_FILE_PATH is the path to the IBM Security Guardium Key Lifecycle Manager configuration file.

      export GKLM_PKCS11_CFG_FILE=/home/oracle/gklm.cfg
  2. Set the external keystore type. For instructions, see the Configuring a Hardware Keystore topic in the Oracle documentation for your Oracle version. For example, to set the external keystore type in Oracle 21c, refer to Configure the External Keystore for United Mode.
  3. To configure the external security module, copy the GKLM P11 library to the following location.
    Windows
    %SYSTEM_DRIVE%\oracle\extapi\64\hsm\{VENDOR}\{VERSION}\libapiname.dll
    For example,
    C:\oracle\extapi\64\hsm\gklm\1.0\gklmp11.dll
    Linux and AIX
    /opt/oracle/extapi/64/hsm/{VENDOR}/{VERSION}/libapiname.so
    For example,
    /opt/oracle/extapi/64/hsm/gklm/1.0/gklmp11.so

    Where,

    • 64 specifies that the supplied binary 64 bits.
    • VENDOR is the name of the vendor supplying the library.
    • VERSION is the version of the library. Preferably, this can be in the format, number.number.number.
    • apiname requires no special format. However, the apiname must be prefixed with the word lib, as illustrated in the syntax.
  4. Log in to the IBM Security Guardium Key Lifecycle Manager server. Run the following REST service to set the password for the client that you created in step 1.f.
    PUT/SKLM/rest/v1/deviceTypeAttributes
    {
     "deviceType": "CLIENT_NAME",
     "attributes": "deviceTypePKCS11PWD PASSWORD"
    }
    Where,
    • CLIENT_NAME is the client name that you specified when you imported the client certificate in step 1.f.
    • PASSWORD is the password that you want to set for this client.
    PUT/SKLM/rest/v1/deviceTypeAttributes
    {
     "deviceType": "ORACLE",
     "attributes": "deviceTypePKCS11PWD GKLM@oracle123"
    }
  5. Log in to the Oracle system and open a command line. Open the keystore.
    To open the keystore, use the ADMINISTER KEY MANAGEMENT statement with the SET KEYSTORE OPEN clause.
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "PASSWORD";
    
    For example,
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "GKLM@oracle123";
    

    Where,

    PASSWORD is the password that you set in step 4.

  6. Set the TDE master encryption key.
    Note: Ensure that the database is open in READ WRITE mode.
    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "PASSWORD";
    For example,
    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "GKLM@oracle123";

    Where,

    PASSWORD is the password that you set in step 4.

  7. Verify whether Oracle TDE is configured.

    Run the following query:

    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

    V$ENCRYPTION_WALLET displays the status information of the wallet and the wallet location for Oracle TDE.

    If Oracle TDE is successfully configured, the STATUS value shows as OPEN.