Enabling auto-login for Oracle Wallet

After you configure IBM® Security Guardium® Key Lifecycle Manager as an external security module for Oracle TDE on a Multi-Master or replication setup, enable auto-login for the Oracle Wallet.

About this task

In a Multi-Master or replication setup, Oracle TDE first connects to the primary master server for the TDE master key. If the master server is unavailable, Oracle TDE connects to the next available master or clone server.

When Oracle TDE switches to another master or clone server, the Oracle Wallet closes because of the database restart. To get the TDE master key, the Oracle Wallet must be open. To avoid the need to open the wallet each time you restart the database, configure auto-login.

Procedure

  1. Create the directory for every database and permit the oracle user to access this directory.
    mkdir -p SOFTWARE_WALLET_LOCATION
    chown -R oracle:oinstall SOFTWARE_WALLET_LOCATION
  2. Start new sql session and reset WALLET_ROOT parameter in spfile.
    sqlplus / as sysdba
    ALTER SYSTEM SET WALLET_ROOT="<software_wallet_location>" scope=spfile;
    Restart the database.
    SHUTDOWN IMMEDIATE;
    STARTUP;
  3. Reset TDE_CONFIGURATION parameter.
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=spfile;
    Note: In Oracle 19c, keystore is created by default in the location set in WALLET_ROOT environment variable in the pfile or spfile file.
    Restart the database.
    SHUTDOWN IMMEDIATE;
    STARTUP;
  4. Create the software keystore at the location provided in the spfile file.
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<software_keystore_password>";
  5. Open the software keystore.
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<software_keystore_password>";
  6. Add the secret to the software keystore. This secret is the hardware security module's password and the client is HSM_PASSWORD. HSM_PASSWORD is an oracle defined client name that represents the HSM password as a secret in the software keystore.
    ADMINISTER KEY MANAGEMENT ADD SECRET '<cm_user:cm_user_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY "<software_keystore_password>" WITH BACKUP;
  7. Enable auto-login.
    ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY "<software_keystore_password>";
  8. Reset TDE_CONFIGURATION parameter.
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" scope=spfile;
    Restart the database.
    SHUTDOWN IMMEDIATE;
    STARTUP;
  9. Check the Oracle Wallet status.
    SELECT WRL_TYPE, WRL_PARAMETER, WALLET_TYPE, STATUS FROM V$ENCRYPTION_WALLET;

    Output:

    WRL_TYPE WRL_PARAMETER WALLET_TYPE STATUS
    FILE   AUTOLOGIN OPEN_NO_MASTER_KEY
    HSM   HSM OPEN
  10. Run the following commands to configure the heartbeat functionality that monitors the connection to IBM Security Guardium Key Lifecycle Manager servers periodically:
    ALTER SYSTEM SET "_heartbeat_config"=AUTOCONNECT SCOPE=SPFILE;
    ALTER SYSTEM SET EVENT='28420 trace name context forever, level 10:28421 trace name context forever, level 3' COMMENT='HSM heartbeat timeout and reconnect attempt' SCOPE=SPFILE;
    The following events are set:
    • Event 28420: The number of HSM heartbeats that can fail before the wallet is closed. The HSM heartbeat fires every 3 seconds which means that a very short network outage can lead to wallet closure.
    • Event 28421: It causes the HSM heartbeat to attempt to reconnect with the HSM once the wallet has been closed, and if successful, reopen the wallet.
  11. Access the data from column encrypted table or tablespace encrypted tables.
    connect ORACLE_DATABASE_USER/ORACLE_DATABASE_USER_PASSWORD;
    SELECT * FROM EMPLOYEES;
    SELECT * FROM CUSTOMERS;