How to migrate TDE local wallet to Oracle Key Vault (OKV) server

This post provides steps to migrate a TDE local wallet to an Oracle Key Vault server. It assumes that the TDE local wallet has already been created, the wallet location is set in sqlnet.ora, and the method is set to FILE.

- Verify that OKV_HOME, ORACLE_SID, ORACLE_BASE and ORACLE_HOME are set.
- OKV_HOME should be set to the location where the okvclient.jar is installed.

Follow the steps below to migrate to OKV.

1. Log in to sqlplus and run the following statements.

SQL> administer key management add secret '[endpoint password]' for client 'HSM_PASSWORD' identified by [wallet password] with backup;
SQL> administer key management create auto_login keystore from keystore [wallet_location] identified by [wallet password];

For a RAC environment

- Create a virtual wallet and give access to the endpoint group and endpoints.
- As Key Vault administrator, create an endpoint group such as “rac12nc_new” and add the RAC endpoints to the endpoint group.
- Still logged in as Key Vault administrator, create a wallet such as “rac12nc_wallet_new”, grant the Read, Write and Manage Wallet privileges on this wallet to the endpoint group rac12nc_new, and choose the same wallet as the default wallet for all endpoints.

For a stand-alone environment

As Key Vault administrator, create an endpoint “new_endpoint”. Still logged in as Key Vault administrator, create a wallet such as “okv_wallet”, grant the Read, Write and Manage Wallet privileges on this wallet to the endpoint new_endpoint, and make the same wallet the default wallet for the endpoint.

3. Upload wallet to OKV.

./okvutil upload -l [wallet_location] -g okv_wallet -t wallet -v 2

4. Edit the sqlnet.ora file, change the method to HSM, and restart the database.

5. Log in to sqlplus and run:

SQL> administer key management set keystore close;

6. Rename cwallet.sso to cwallet.sso_orig under [wallet_location].

7. Migrate the new wallet to OKV. Log in to sqlplus and run:

SQL> administer key management set Keystore open identified by [endpoint password];
SQL> administer key management set encryption key identified by [endpoint password] migrate using [wallet password] with backup;

8. Rename cwallet.sso_orig to cwallet.sso under [wallet_location].

9. Restart the database and verify the following by logging in to sqlplus.

-- As it is auto-login, there is no need to use `identified by password`.
SQL> administer key management set keystore close;
-- Now observe that both HSM and FILE are open.
SQL> select * from v$encryption_wallet;

In a RAC environment, copy the wallet to the other nodes, and on each RAC node change sqlnet.ora to point to HSM and the wallet location.
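
The prerequisites listed at the top and the sqlnet.ora method change in step 4 can be checked from the shell before and after the switch. The script below is an added example, not part of the original post; the function names wallet_method and preflight are hypothetical. It assumes sqlnet.ora is in $TNS_ADMIN or $ORACLE_HOME/network/admin, that okvutil is at $OKV_HOME/bin/okvutil, and that the password-based keystore file is named ewallet.p12.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the TDE wallet -> OKV migration.
# Assumptions: sqlnet.ora is in $TNS_ADMIN or $ORACLE_HOME/network/admin,
# okvutil is at $OKV_HOME/bin/okvutil, the keystore file is ewallet.p12.

# Print the METHOD (FILE or HSM) set in ENCRYPTION_WALLET_LOCATION.
wallet_method() {
    # Drop comment lines, join the entry onto one line, upper-case, then match.
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n' | tr '[:lower:]' '[:upper:]' |
        sed -n 's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=\([A-Z]*\)).*/\1/p'
}

# preflight EXPECTED_METHOD WALLET_LOCATION
# Returns 0 if everything matches; otherwise prints each failure and returns 1.
preflight() {
    expected=$1 wallet=$2 rc=0
    for v in OKV_HOME ORACLE_SID ORACLE_BASE ORACLE_HOME; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "FAIL: $v is not set"; rc=1; }
    done
    [ -x "${OKV_HOME:-}/bin/okvutil" ] ||
        { echo "FAIL: no executable okvutil under \$OKV_HOME/bin"; rc=1; }
    sqlnet="${TNS_ADMIN:-${ORACLE_HOME:-}/network/admin}/sqlnet.ora"
    if [ -r "$sqlnet" ]; then
        method=$(wallet_method "$sqlnet")
        [ "$method" = "$expected" ] ||
            { echo "FAIL: METHOD is '${method:-unset}', expected $expected"; rc=1; }
    else
        echo "FAIL: cannot read $sqlnet"; rc=1
    fi
    [ -f "$wallet/ewallet.p12" ] ||
        { echo "FAIL: no ewallet.p12 in $wallet"; rc=1; }
    return "$rc"
}

# Usage: preflight FILE [wallet_location]   (before step 1)
#        preflight HSM  [wallet_location]   (after the edit in step 4)
```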