After you configure IBM® Security Guardium® Key Lifecycle Manager as an
external security module for Oracle TDE on
a Multi-Master or replication setup, enable auto-login for the Oracle Wallet.
About this task
In a Multi-Master or replication setup, Oracle TDE first connects to the primary master
server for the TDE master key. If the master server is unavailable, Oracle TDE connects to the next available master or
clone server. When Oracle TDE switches
to another master or clone server, the Oracle Wallet closes because of the database restart. To get
the TDE master key, the Oracle Wallet must be open. To avoid the need to open the wallet each time
you restart the database, configure auto-login.
Procedure
- Create the directory for every database and permit the oracle user to access this
directory.
mkdir -p SOFTWARE_WALLET_LOCATION
chown -R oracle:oinstall SOFTWARE_WALLET_LOCATION
- Start new
sql
session and reset WALLET_ROOT
parameter
in spfile
.
sqlplus / as sysdba
ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
- Reset
TDE_CONFIGURATION
parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=spfile;
Note: In Oracle 19c, keystore is created by default in the location set in
WALLET_ROOT
environment variable in the
pfile or
spfile file.
Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
- Create the software keystore at the location provided in the
spfile
file.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
- Open the software keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
- Add the secret to the software keystore. This secret is the hardware security module's
password and the client is
HSM_PASSWORD
. HSM_PASSWORD
is an oracle
defined client name that represents the HSM password as a secret in the software keystore.
ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
- Enable auto-login.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
- Reset
TDE_CONFIGURATION
parameter.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile;
Restart the database.
SHUTDOWN IMMEDIATE;
STARTUP;
- Check the Oracle Wallet status.
SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;
Output:
WRL_TYPE |
WRL_PARAMETER |
WALLET_TYPE |
STATUS |
FILE |
|
AUTOLOGIN |
OPEN_NO_MASTER_KEY |
HSM |
|
HSM |
OPEN |
- Run the following commands to configure the heartbeat functionality that monitors the
connection to IBM Security Guardium Key Lifecycle Manager servers
periodically:
ALTER SYSTEM SET "_heartbeat_config"=AUTOCONNECT SCOPE=SPFILE;
ALTER SYSTEM SET EVENT='28420 trace name context forever, level 10:28421 trace name context forever, level 3' COMMENT='HSM heartbeat timeout and reconnect attempt' SCOPE=SPFILE;
The
following events are set:
Event 28420
: The number of HSM heartbeats that can fail before the wallet is
closed. The HSM heartbeat fires every 3 seconds which means that a very short network outage can
lead to wallet closure.
Event 28421
: It causes the HSM heartbeat to attempt to reconnect with the HSM
once the wallet has been closed, and if successful, reopen the wallet.
- Access the data from column encrypted table or tablespace encrypted tables.
connect ORACLE_DATABASE_USER/ORACLE_DATABASE_USER_PASSWORD;
SELECT * FROM EMPLOYEES;
SELECT * FROM CUSTOMERS;