How To Create a TDE Auto_Login Wallet For A Database With Oracle Key Vault OKV TDE Direct Connection / Online Master Key

This post assumes the existence of an Oracle Key Vault server with an endpoint enrolled. The variables ORACLE_SID, ORACLE_HOME, and OKV_HOME must be set in the environment of the oracle processes. In the case of a RAC database, these variables must be set in the srvctl environment as well.

The okvclient.jar is extracted with a password

Steps for an 11g database:

1. Create a directory to store the auto_login wallet and add a reference in sqlnet.ora to both HSM and wallet:

$ mkdir /home/oracle/wallet_okv

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY =/home/oracle/wallet_okv)))

2. Create the auto_login wallet:

$ cd /home/oracle/wallet_okv

[oracle@seclincloud wallet_okv]$ orapki wallet create -wallet . -auto_login
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

3. Add an ORACLE.TDE.HSM.AUTOLOGIN entry to store the HSM password:

[oracle@seclincloud wallet_okv]$ mkstore -wrl . -createEntry ORACLE.TDE.HSM.AUTOLOGIN sharedsecret
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

4. Move the ewallet.p12 out of the way (only leaving cwallet.sso):

$ mv ewallet.p12 ewallet.p12.BAK

5. Close/Open the HSM:

SQL> alter system set encryption wallet close identified by "[hsm_password]";

System altered.
SQL> alter system set encryption wallet open identified by "[hsm_password]";

System altered.

This last step stores the HSM password in the secret store entry; from now on the HSM will open automatically using the credentials stored in the local auto-login wallet.

6. Restart the database and check that the wallet opens automatically.

Steps for a 12c database:

1. Edit the sqlnet.ora and point the wallet location to the OKV wallet:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

2. Open the wallet, create a master key and close the wallet:

SQL> administer key management set keystore open identified by oracle_123;

keystore altered.

SQL> administer key management set encryption key identified by oracle_123;

keystore altered.

SQL> administer key management set keystore close identified by oracle_123;

keystore altered.

3. Create a directory to store the cwallet.sso file:

# mkdir /home/oracle/wallet_okv

4. And create a software wallet in this directory:

SQL> administer key management create keystore '/home/oracle/wallet_okv' identified by oracle_123;

keystore altered.

5. Edit sqlnet.ora and point the wallet location to the new directory:

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/home/oracle/wallet_okv)))

6. Check that the wallet location now points to the new directory. If it does not, a database restart is required.

7. Open the keystore and add the password for the HSM wallet:

SQL> administer key management set keystore open identified by oracle_123;

keystore altered.

SQL> administer key management add secret 'oracle_123' for client 'HSM_PASSWORD' identified by oracle_123 with backup;

keystore altered.

You can verify that HSM_PASSWORD is added to the wallet successfully by executing:

$ mkstore -wrl [wallet location] -list

8. Close the keystore and create the auto_login file:

SQL> administer key management set keystore close identified by oracle_123;

keystore altered.

SQL> administer key management create auto_login keystore from keystore '/home/oracle/wallet_okv' identified by oracle_123;

keystore altered.

9. Edit sqlnet.ora and point wallet_location to OKV:

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=HSM)(METHOD_DATA=
(DIRECTORY=/home/oracle/wallet_okv)))

10. Restart the database and check the wallet status.

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER             STATUS              WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  ------------------------  ------------------  -----------  ---------  ---------  ------
FILE      /home/oracle/wallet_okv/  OPEN_NO_MASTER_KEY  AUTOLOGIN    SINGLE     UNDEFINED  0
HSM                                 OPEN                HSM          SINGLE     UNDEFINED  0

The okvclient.jar is extracted without a password

Steps for an 11g database:

1. Extract the okvclient.jar without a password:

[oracle@seclincloud kit]$ java -jar okvclient_12.1.0.5.jar -d /home/oracle/wallet_okv

Detected JAVA_HOME: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre

Enter new Key Vault endpoint password (<enter> for auto-login):
Oracle Key Vault endpoint software installed successfully.
[oracle@seclincloud kit]$

2. Create a directory to store the auto_login wallet and add a reference in sqlnet.ora to both HSM and wallet:

$ mkdir /home/oracle/wallet_okv
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY =/home/oracle/wallet_okv)))

3. Create the auto_login wallet:

[oracle@seclincloud wallet_okv]$ orapki wallet create -wallet . -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

4. Add an ORACLE.TDE.HSM.AUTOLOGIN entry to store the HSM password:

[oracle@seclincloud wallet_okv]$ mkstore -wrl . -createEntry ORACLE.TDE.HSM.AUTOLOGIN "null"
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

5. Move the ewallet.p12 out of the way (only leaving cwallet.sso):

$ mv ewallet.p12 ewallet.p12.BAK

6. Close/Open the HSM:

SQL> alter system set encryption wallet close identified by "null";

System altered.

SQL> alter system set encryption wallet open identified by "null";

System altered.

7. This last step stores the HSM password in the secret store entry; from now on the HSM will open automatically using the credentials stored in the local auto-login wallet. Restart the database and check that the wallet opens automatically:

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER            STATUS
--------  -----------------------  ------------------
file      /home/oracle/wallet_okv  OPEN_NO_MASTER_KEY
HSM                                OPEN

Steps for a 12c database:

1. Edit the sqlnet.ora and point the wallet location to the OKV wallet:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

2. Create a master key and close the wallet:

SQL> administer key management set encryption key identified by "null";

keystore altered.

SQL> administer key management set keystore close identified by "null";

keystore altered.

SQL>

3. Create a directory to store the cwallet.sso file:

[oracle@seclincloud ~]$ mkdir wallet_okv_12c
[oracle@seclincloud ~]$

4. Create a software wallet:

SQL> administer key management create keystore '/home/oracle/wallet_okv_12c' identified by oracle_123;

keystore altered.

5. Edit sqlnet.ora and point the wallet location to the new directory:

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/home/oracle/wallet_okv_12c)))

6. Open the keystore and add the password for the HSM wallet:

SQL> administer key management set keystore open identified by "oracle_123";

keystore altered.

SQL> administer key management add secret 'NULL' for client 'HSM_PASSWORD' identified by oracle_123 with backup;

keystore altered.

You can verify that HSM_PASSWORD is added to the wallet successfully by executing:

$ mkstore -wrl [wallet location] -list

7. Close the keystore and create the auto_login file:

SQL> administer key management set keystore close identified by oracle_123;

keystore altered.

SQL> administer key management create auto_login keystore from keystore '/home/oracle/wallet_okv_12c' identified by oracle_123;

keystore altered.

8. Edit sqlnet.ora and point wallet_location to OKV:

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=HSM)(METHOD_DATA=
(DIRECTORY=/home/oracle/wallet_okv)))

9. Restart the database and check that the wallet opens automatically:

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                 STATUS              WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
--------  ----------------------------  ------------------  -----------  ---------  ---------  ------
FILE      /home/oracle/wallet_okv_12c/  OPEN_NO_MASTER_KEY  AUTOLOGIN    SINGLE     UNDEFINED  0
HSM                                     OPEN                HSM          SINGLE     UNDEFINED  0
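All four procedures above end in the same state: sqlnet.ora points at METHOD=HSM with a DIRECTORY entry, and that directory holds only cwallet.sso (ewallet.p12 moved aside). The script below is an added example, not part of the original post or of any Oracle tool: it parses ENCRYPTION_WALLET_LOCATION from a sqlnet.ora (both the one-line and the three-line form), then checks the wallet directory for that end state, including that cwallet.sso is not readable by group or other, since it carries the credential that opens the HSM connection. The function names and the constructed fixture in demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the sqlnet.ora and the
# auto-login wallet directory left behind by the procedures above.

# Print the DIRECTORY of ENCRYPTION_WALLET_LOCATION from a sqlnet.ora. Whitespace
# and newlines are stripped first, so the one-line and three-line forms used in
# the post parse identically.
okv_wallet_dir() {
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=.*DIRECTORY=\([^)]*\)).*/\1/p'
}

# Print the METHOD (HSM or FILE) of ENCRYPTION_WALLET_LOCATION.
okv_wallet_method() {
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=\([A-Z]*\)).*/\1/p'
}

# Verify the end state the post describes: cwallet.sso present, ewallet.p12
# moved aside, and no group/other access to cwallet.sso, since that file holds
# the credential that opens the HSM/OKV connection without a password prompt.
check_autologin_wallet() {
    dir=$1
    [ -f "$dir/cwallet.sso" ]   || { echo "FAIL: $dir/cwallet.sso missing"; return 1; }
    [ ! -e "$dir/ewallet.p12" ] || { echo "FAIL: ewallet.p12 still present in $dir"; return 1; }
    perms=$(ls -ld "$dir/cwallet.sso" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]     || { echo "FAIL: cwallet.sso readable by others ($perms)"; return 1; }
    echo "OK: $dir"
}

# Constructed fixture (no real database involved) to show the checks running.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/wallet_okv" && chmod 700 "$tmp/wallet_okv"
    printf 'ENCRYPTION_WALLET_LOCATION=\n(SOURCE=(METHOD=HSM)(METHOD_DATA=\n(DIRECTORY=%s)))\n' \
        "$tmp/wallet_okv" > "$tmp/sqlnet.ora"
    : > "$tmp/wallet_okv/cwallet.sso" && chmod 600 "$tmp/wallet_okv/cwallet.sso"
    : > "$tmp/wallet_okv/ewallet.p12.BAK"
    echo "method=$(okv_wallet_method "$tmp/sqlnet.ora") dir=$(okv_wallet_dir "$tmp/sqlnet.ora")"
    check_autologin_wallet "$(okv_wallet_dir "$tmp/sqlnet.ora")"
    rm -rf "$tmp"
}

demo
```

Run it against the real files with `okv_wallet_dir $ORACLE_HOME/network/admin/sqlnet.ora` and `check_autologin_wallet <that directory>` after step 4 (11g) or step 8 (12c), before restarting the database.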