You can manage security objects using Oracle Key Vault in a variety of use case scenarios: uploading and downloading Oracle wallets, JKS keystores, JCEKS keystores, and credential files; and using TDE direct connection and TDE-configured Oracle databases.
Topics:
Using a TDE-Configured Oracle Database in an Oracle RAC Environment
Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
Using a TDE-Configured Oracle Database in an Oracle Active Data Guard Environment
You can use the okvutil upload and okvutil download commands to upload and download Oracle wallets to and from the Oracle Key Vault server.
Topic:
As an endpoint administrator, you can upload Oracle wallet files to Oracle Key Vault for long-term retention, recovery, and sharing by using the Key Vault endpoint software, the okvutil utility.
When you upload an Oracle wallet, the Oracle Key Vault endpoint software can read each item within the wallet. It uploads the wallet contents as individual items. When downloading into a wallet on an endpoint, you can download the same set of items to recreate the original wallet or a modified set of items to create a new wallet. You can upload and download both password-based wallets and auto-login wallets. The wallet contents can be downloaded later into a new wallet of either type. For example, an uploaded password-protected wallet can be downloaded as an auto-login wallet, or an uploaded auto-login wallet can be downloaded as a password-protected wallet.
You can also use Oracle Key Vault to construct a new virtual wallet from the contents of previously uploaded Oracle wallets. For example, suppose that you previously uploaded an Oracle wallet that contains five symmetric keys and three opaque objects. You can create a new virtual wallet consisting of only three of the original five symmetric keys and one of the three original opaque objects. This virtual wallet can be downloaded like the original wallet to provide the endpoint with access to only a subset of the keys. This process does not modify the original wallet.
The upload process, or the okvutil upload command, uploads everything in the Oracle wallet, which typically includes Oracle Advanced Security TDE master keys, wallet metadata, as well as keys or secrets that you have explicitly added.
An Oracle wallet contains security objects such as the current TDE master key, all historical TDE master keys, SSL or TLS certificates, and the metadata that is associated with these objects (stored in Oracle Key Vault as opaque objects). All of these objects, along with their metadata, are uploaded in Oracle Key Vault so that Key Vault can reconstruct the Oracle wallet during the download process.
Ensure that the server containing the Oracle wallet has been enrolled and provisioned as a Key Vault endpoint.
See "Adding, Deleting, or Reenrolling Endpoints" for more information.
Ensure that the endpoint has access to the virtual wallet that you want to use.
The endpoint must have Read, Modify, and Manage Wallet access to the virtual wallet in Oracle Key Vault.
See "Granting User and Endpoint Access to Virtual Wallets" for more information.
Run the okvutil upload command to upload the wallet.
For example:
okvutil upload -l "/etc/oracle/wallets" -t wallet -g "HRWallet" Enter wallet password (<enter> for auto-login): password Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password Upload succeeeded
In this example:
-l specifies the directory location of the wallet that you are uploading.
-t indicates the type, in this case, an Oracle wallet.
-g specifies the Key Vault virtual wallet that was configured in Step 2, so that this wallet can be part of that virtual wallet.
Password prompts: See "How Password Prompts for okvutil Work".
At this stage, the virtual wallet in Oracle Key Vault is ready to be shared with other endpoints or ready to be downloaded. Otherwise, go to "Downloading Oracle Wallets".
See "okvutil upload Command" for more information about okvutil upload.
At this point, the upload is complete. You are now ready to share or download the wallet back to the same system or for use elsewhere in the system.
See Also:
"okvutil list Command"You can use the okvutil download command to download an Oracle wallet from the Oracle Key Vault server to an endpoint.
Ensure that the endpoint has Read access on the virtual wallet that you want to download.
Run the okvutil download command to download the wallet.
For example:
okvutil download -l "/etc/oracle/wallets/orcl/ -t WALLET -g HRWallet Enter new wallet password(<enter> for auto-login): Oracle_wallet_password Confirm new wallet password: Oracle_wallet_password Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password
In this example:
-l is the location of the wallet to be created.
-t indicates the type, in this case, an Oracle wallet.
-g specifies the Oracle Key Vault virtual wallet that was configured in Step 1.
Password prompts: See "How Password Prompts for okvutil Work".
If the wallet already exists and you did not use the -o parameter to overwrite the existing wallet, then the following actions take place:
The existing wallet is renamed to a backup name of the format ewallet.p12.current_timestamp where the timestamp is number of seconds since epoch.
The newly downloaded wallet is given the name ewallet.p12.
See "okvutil download Command" for more information about okvutil download.
If the Oracle wallet that you downloaded from Oracle Key Vault is to be used as a TDE wallet, then close the existing wallet before downloading and, if it is password-protected, then reopen it afterward. (Auto-login wallets are automatically opened the next time that they are accessed.)
Closing and then reopening the wallet loads the wallet contents into the TDE database.
For Oracle Database 11g Release 2:
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Oracle_wallet_password"; ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Oracle_wallet_password";
For Oracle Database 12c:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Oracle_wallet_password"; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Oracle_wallet_password";
If you are operating in a shared server configuration such as Oracle RAC, then restart the database.
See Also:
Oracle Database Advanced Security Guide for information about closing and opening keystores in Oracle Database Release 12c
Oracle provides recommendations for when you upload and download Oracle wallets.
If there is a change to the content of the original wallet, such as a key rotation or a rekey operation, then upload the wallet again to Oracle Key Vault so that Key Vault has the latest copy of the wallet.
The okvutil upload and download commands provide an overwrite (-o) option. Use care if you plan to specify this option because it overwrites data in the virtual wallet that conflicts with the data to be uploaded. Before you use the -o option, you should create a local backup of the wallet file.
Do not try to upload the same physical Oracle wallet to more than one virtual wallet on the Oracle Key Vault server. If you want to share an Oracle wallet with multiple endpoints, then create an endpoint group. See "Managing Endpoint Groups" for more information.
You can use the okvutil upload and okvutil download commands to upload and download JKS and JCEKS keystores.
Topics:
You can upload both JKS and JCEKS keystores to Oracle Key Vault for long-term retention, recovery, and sharing, and when you need them, download them to an endpoint.
Similar to wallets, when you upload a JKS or JCEKS keystore, Oracle Key Vault can read each item within the keystore. It uploads the keystore contents as individual items.
You can use the okvutil upload command to upload a Java keystore (JKS) or Java Cryptography Extension keystore (JCEKS) to the Oracle Key Vault server.
Ensure that the server containing the Java keystore has been enrolled and provisioned as a Key Vault endpoint.
See "Adding, Deleting, or Reenrolling Endpoints" for more information.
Ensure that access control has been configured for the endpoint.
If you are uploading the keystore to a virtual wallet, then ensure that the endpoint has the Read, Modify, and Manage Wallet access to this wallet.
See "Granting User and Endpoint Access to Virtual Wallets" for more information.
Run the okvutil upload command to upload the keystore.
The following examples show how to upload the keystore to a virtual wallet:
This example shows how to upload a JKS keystore:
okvutil upload -l "/etc/oracle/fin_jks.jks" -t JKS -g "FinanceGrp" Enter source Java keystore password: Java_keystore_password Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password Upload succeeded
In this example:
-l is the location of the Java keystore that is being uploaded.
-t is the type of JKS or JCEKS keystore. Ensure that you upload the correct type of Java keystore when you upload and later on, when you download.
-g is the virtual wallet in Oracle Key Vault where the Java keystore contents will be uploaded.
Password prompts: See "How Password Prompts for okvutil Work".
This example shows how to upload a JCEKS keystore:
okvutil upload -l "/etc/oracle/hr_jceks.jceks" -t JCEKS -g "HRGrp" Enter source Java keystore password: password Enter Oracle Key Vault endpoint password: password Upload succeeded
See "okvutil upload Command" for more information about okvutil upload.
At this point, the upload is complete. You are now ready to download the Java keystore back to the same system or for use elsewhere in the system.
You can use the okvutil download command to download an uploaded JKS or JCEKS keystore,
Ensure that the endpoint has the Read access on the virtual wallet that you want to download.
As an endpoint administrator, from the command line, run the okvutil download command to download the Java keystore.
For example:
okvutil download -l "/etc/oracle/new_java_files/hr_jceks.jceks" -t JCEKS Enter new Java keystore password: password Confirm new Java keystore password: password Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password
In this example:
-l is the directory to which you want to download the uploaded Java keystore.
-t is the type of JKS or JCEKS keystore. Ensure that you download the correct type of Java keystore.
Password prompts: See "How Password Prompts for okvutil Work".
See "okvutil download Command" for more information about okvutil download.
Oracle provides recommendations for when you upload and download JKS and JCEKS keystores.
If there is a change to the content of the original JKS or JCEKS keystore, then upload the keystore again to Oracle Key Vault so that Key Vault has the latest copy of the keystore.
The okvutil upload and download commands provide an overwrite (-o) option. Use care if you plan to specify this option because it overwrites the file. You may want to create backups of the keystores before downloading them.
Do not try to upload the same physical JKS or JCEKS keystore to more than one virtual wallet on the Oracle Key Vault server. If you want to share a Java keystore with multiple endpoints, then create an endpoint group. See "Managing Endpoint Groups" for more information.
You can use the okvutil upload and okvutil download commands to upload and download credential files.
Topics:
You can upload credential files by storing them as opaque objects.
Examples of opaque objects are as follows:
Files that contain X.509 certificates
Kerberos keytabs
Files containing passwords
Files containing SSH keys
Uploading these credential files provides a central, secure location for long-term retention. After you have uploaded a credential file, you can retrieve or recover (download) it in the same server location or share it with other trusted server locations. Oracle Key Vault supports credential files up to 128 KB in size.
The credential file can be located anywhere in your server infrastructure (which includes database servers and application servers) that is accessible by an Oracle Key Vault endpoint. The upload process does not alter the credential file. Oracle Key Vault uploads the credential file as an opaque object and does not parse the contents of the file.
You can use the okvutil upload command to upload a credential file.
Ensure that the server that contains the credential file has been enrolled and provisioned as a Key Vault endpoint.
See "Adding, Deleting, or Reenrolling Endpoints" for more information.
Ensure that access control has been configured for the endpoint.
If you are uploading the credential file to a virtual wallet, then ensure that the endpoint has Read, Modify, and Manage Wallet access to the wallet.
See "Granting User and Endpoint Access to Virtual Wallets" for more information.
Run the okvutil upload command.
For example:
okvutil upload -l "/etc/oracle/app/creds/hr.keytab" -t kerberos -g HRWallet -d "Kerberos keytab file for HR group, 06_11_14"
Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password
In this example:
-l is the directory path to the hr.keytab credential file that is being uploaded. Enclose the directory location in double quotation marks.
-t specifies the type of credential file, which in this example is a Kerberos keytab file. In addition to KERBEROS, other types that you can specify are as follows:
SSH for an SSH key file
OTHER for other files that store secrets, such as uploaded or downloaded files
-g adds the credential file to the HRWallet group, which already exists. This parameter enables you to upload the credential to a wallet that is specifically for the HR application users' needs, rather than to the default virtual wallet. In this example, HRWallet is the Key Vault virtual wallet to which access control was configured in Step 2.
-d is an optional description. As a best practice, include a brief description of what the credential file is used for and the date you performed the upload. This information helps for future reference and tracking of the credential file. You can modify this description later on in the Oracle Key Vault management console if necessary.
Password prompts: See "How Password Prompts for okvutil Work".
The following output should appear:
Upload succeeded
See "okvutil upload Command" for more information about okvutil upload.
At this point, the upload is complete. You are now ready to download the credential file back to the same system or for use elsewhere in the system.
You can use the okvutil download command to download a credential file.
Find the unique ID of the credential file that you must download, by using one of the following methods:
Oracle Key Vault management console: Log in as a user who has been granted the Key Administrator role or a user who has the necessary access to the virtual wallet. (See "Logging In to the Oracle Key Vault Management Console.") In the Oracle Key Vault management console, from the Keys & Wallets tab, select All Items to find the uploaded files. Note the unique ID of the uploaded file that you want to download. Credential files are listed as opaque objects.
okvutil list command: Run the okvutil list command from an endpoint that has access to the credential file or a virtual wallet that contains the credential file. Locate the unique ID of the credential file that you must download based on the description that you provided when you uploaded the file.
From the command line, run the okvutil download command to download the uploaded credential file.
For example:
okvutil download -l "/etc/oracle/app/newcreds/hr.keytab" -t kerberos -i 6ba7b810-9dad-11d1-80b4-00c04fd430c8
Enter Oracle Key Vault endpoint password: Key_Vault_endpoint_password
In this example:
-l is the directory to which you want to download the uploaded credential.
-t specifies the type of credential file, which in this example is a Kerberos keytab file. In addition to KERBEROS, other types that you can specify are as follows:
SSH for an SSH key file
OTHER for other files that store secrets, such as uploaded or downloaded files
-i is the unique ID of the credential file.
Output similar to the following appears:
Download succeeded
See "okvutil download Command" for more information about okvutil download.
Oracle provides recommendations for when you upload and download credential files.
After you complete the upload, upload credential file again the next time it is changed. Otherwise, the uploaded (and subsequent downloaded version) file will be outdated. Periodically, you should compare the last modification date of the credential file with the timestamp of the uploaded version.
The okvutil upload and download commands provide an overwrite (-o) option. Use care if you plan to specify this option, because it overwrites the uploaded credential file. You may want to create backups of the credential files before beginning the upload and download processes.
You can share one credential file among multiple server endpoints. Add the opaque object to a virtual wallet and then ensure that all of the endpoints have access to that virtual wallet. Optionally, define an endpoint group and then make all the server endpoints members of that group. Upload the credential file that you would like to share using this common wallet into Oracle Key Vault as a group, using the -g option of the okvutil upload command. Define a wallet and attach it to the endpoint group. All the members of the group will have access to that wallet.
You can configure Transparent Data Encryption (TDE) to perform a direct connection to an endpoint to centrally manage TDE master keys.
Topics:
Other Oracle Database Features That Oracle Key Vault Supports
Configuring a Connection Between Oracle Key Vault and a New TDE-Enabled Database
For Oracle Database 11g Release 2 (11.2) and later, you can use a TDE direct connection to centrally manage Transparent Data Encryption (TDE) master keys over a network connection as an alternative to using local Oracle wallet files.
The connection configuration entails using a PKCS#11 library to connect to Oracle Key Vault. After you perform the configuration, all future TDE master keys will be stored and managed in Oracle Key Vault. This section explains two scenarios that you can use:
If the database does not yet have TDE wallets, then follow the procedure under "Configuring a Connection Between Oracle Key Vault and a New TDE-Enabled Database".
If the database has already been configured for TDE, then you must migrate the existing wallet file. See "Migrating Existing TDE Wallets to Oracle Key Vault".
TDE key management operates with Oracle Key Vault in the same way that it operates with hardware security modules (HSMs). You must open the wallet before encryption and decryption. After you close the wallet, encrypted data in tables and tablespace is unavailable to you. You should rotate the TDE master encryption key regularly to remain in compliance with the applicable regulations.
Oracle Key Vault supports the SQL statements that were used to administer earlier TDE releases, specifically the use of the ALTER SYSTEM and ADMINISTER KEY MANAGEMENT SQL statements.
You can deploy TDE in multiple topologies with other database features that move or use clustered deployments.
Data movement and replication are major challenges for Oracle Advanced Security TDE because it must keep the master encryption key synchronized at both endpoints. To help with these challenges, Oracle Key Vault supports common Oracle Database features.
To move data, Oracle Key Vault supports:
Oracle Recovery Manager (RMAN) backup and recovery operations
Oracle Data Pump
Transportable tablespaces (Oracle Database 12c and later)
For clustered deployments, Oracle Key Vault supports:
Oracle Active Data Guard
Oracle Real Application Clusters (Oracle RAC)
Oracle GoldenGate
You can configure a connection between Oracle Key Vault and a database that has not yet been configured for Transparent Data Encryption.
Ensure that the ORACLE_BASE environment variable is set before you start the oracle process manually.
Alternatively, create a soft link from the $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora file to the key_vault_endpoint_installation_dir/conf/okvclient.ora file. In an Oracle Real Application Clusters environment, perform this step on all database instances.
Ensure that the COMPATIBILITY initialization parameter is set to 11.2.0.0 or later.
See "Endpoint Database Requirements" for more information.
Enroll and provision the endpoint for the TDE-enabled database that contains the TDE data.
When you initially enroll the endpoint, you must use Oracle Database for the endpoint type, for integration with TDE. See Step 4 in "Adding, Deleting, or Reenrolling Endpoints". See "Adding, Deleting, or Reenrolling Endpoints" for more information.
Ensure that the endpoint has access to the virtual wallet that you want to use.
The endpoint must have the Read, Modify, and Manage Wallet access.
See "Granting User and Endpoint Access to Virtual Wallets" for more information.
Configure the sqlnet.ora file on this database to point to Oracle Key Vault, as follows:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
Transparent Data Encryption uses HSM as the parameter value for all external key management systems, including Oracle Key Vault.
By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable. Endpoints use PKCS#11 library support to manage TDE master encryption keys. So, the configuration settings and the administrative commands are similar to those used for an HSM.
Important: At this stage, Oracle Key Vault can use TDE and all the TDE-related SQL statements are available. For all TDE commands and statements, use the Key Vault endpoint password that was specified during the endpoint enrollment process, under "Task 2: Install the Oracle Key Vault Client Software on the Endpoint".
Reconnect to the database if you are in SQL*Plus.
The changes will appear after you log out of the current SQL*Plus session and then reconnect again.
Query the V$ENCRYPTION_WALLET dynamic view to ensure that the METHOD_DATA setting in the sqlnet.ora file changed.
The output of the query should now show HSM.
SELECT * FROM V$ENCRYPTION_WALLET;
Configure TDE to integrate with Key Vault so that Key Vault can directly manage the TDE master keys.
In brief, you must do the following:
Run the root.sh script as the root user to copy the liborapkcs.so file (located in the lib directory) to the /opt/oracle/extapi/64/hsm/oracle/1.0.0 directory.
See Step 6 under "Task 2: Install the Oracle Key Vault Client Software on the Endpoint" for more information.
For password-protected wallets on the database, open the wallet. (Auto-login wallets are automatically opened.)
For Oracle Database 11g Release 2, as a user who has been granted the ALTER SYSTEM system privilege:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
For Oracle Database 12c, as a user who has been granted the SYSKM administrative privilege:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
Set the master encryption key.
For Oracle Database 11g Release 2:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Key_Vault_endpoint_password";
For Oracle Database 12c:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "Key_Vault_endpoint_password";
At this stage the configuration is complete. If you have configured the sqlnet.ora file correctly and completed the other configuration required for TDE, then when you set the encryption key (using either ALTER SYSTEM SET ENCRYPTION KEY or ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY), a TDE master key is created in Oracle Key Vault. You can encrypt tables or create encrypted tablespaces in the database.
See Also:
Oracle Database Advanced Security Guide for detailed information about encrypting tables and tablespacesYou can migrate an existing TDE wallet to Oracle Key Vault, and if necessary, restore the database contents that were previously encrypted by TDE by using an Oracle wallet.
Topics:
When the TDE wallets already exist, you must modify the sqlnet.ora file to recognize Oracle Key Vault before you can migrate the existing TDE wallets to Key Vault.
Along with the current TDE master key, Oracle wallets maintain historical TDE master keys that are replaced by each rekey operation that rotates the TDE master key. These historical TDE master keys help to restore Oracle Database backups that were previously made using one of the historical TDE master keys. During the TDE migration from an Oracle wallet file to Oracle Key Vault, Key Vault generates new master keys. After this master key generation, Oracle Key Vault maintains all new keys.
Oracle recommends that you upload the Oracle wallet to Key Vault before you perform the migration. This enables you to keep a backup of the wallet with all of the historical key information before you begin the migration. (If any of the previously encrypted data backups must be restored, see "Restoring Database Contents Previously Encrypted by TDE Using an Oracle Wallet"). When the migration is complete, manually delete the old wallet on the client system.
If you are operating in a shared server or an Oracle RAC configuration, then you must restart the database so that the new TDE master key is updated to all the endpoint database nodes in the shared server configuration.
You can use the okvutil upload command to migrate an existing TDE wallet to Oracle Key Vault. It is very important that you close the software wallet and open the HSM wallet before migrating the wallet in the same SQLPLUS session, as outlined in steps 7 and 8 below:
Back up the database that contains the data that you want to migrate.
See Oracle Database Backup and Recovery User's Guide for more information about backing up a database.
Complete the enrollment of the endpoint.
See "Overview of Endpoint Enrollment and Provisioning" for more information about enrolling endpoints.
If you have not done so already, then upload the existing Oracle wallet to Key Vault, by using the okvutil upload command.
This step ensures that Oracle Key Vault has a copy of the wallet that contains all of the historical TDE master keys.
See "okvutil upload Command" for more information about this command.
Configure the Oracle Database sqlnet.ora file for the HSM as follows:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=wallet_location)))
By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable.
Reconnect to the database if you are in SQL*Plus.
The changes do not appear until you restart the database session.
Query the V$ENCRYPTION_WALLET dynamic view to ensure that the METHOD_DATA setting in the sqlnet.ora file changed. The output of the query should now show METHOD=HSM.
SELECT * FROM V$ENCRYPTION_WALLET;
If the endpoint is a Release 11gR2 Oracle database, then close the local Oracle wallet and open the HSM wallet.
Close the local Oracle wallet:
If the auto-login wallet is open, execute the following commands:
oracle$ cd <wallet location> oracle$ mv cwallet.sso cwallet.sso.bak sqlplus> alter system set wallet close;
If the password-protected wallet is open, execute the following command:
sqlplus> alter system set wallet close identified by "<wallet password>";
Open the HSM wallet:
sqlplus> alter system set wallet open identified by "<HSM connect string>";
Migrate from TDE wallets to Oracle Key Vault.
For Oracle Database 11g Release 2:
If you entered a password for the wallet while installing the endpoint client software, then execute this command:
sqlplus> alter system set encryption key identified by "<endpoint password>" migrate using "<wallet password>";
If you chose the auto-login option while installing the endpoint client software, then execute this command:
sqlplus> alter system set encryption key identified by "null" migrate using "<wallet password>";
For Oracle Database 12c, as a user who has been granted the SYSKM administrative privilege:
sqlplus> administer key management set encryption key identified by "<endpoint password>" MIGRATE USING "<wallet password>" with backup;
Note:
While thewith backup clause is required for the administer key management command, it is ignored by TDE in Oracle Key Vault.Open the wallet. If the endpoint requires a password to connect to Oracle Key Vault, then enter the password.
For Oracle Database 11g Release 2:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
For Oracle Database 12c:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
After you complete the migration, if you are using an auto-login wallet, then re-enable it by renaming the cwallet.sso.bak file to cwallet.sso.
When an Oracle database endpoint is converted from a local Oracle wallet file to using Oracle Key Vault, there may be a subsequent need to restore backups that were encrypted using a key from this local wallet file.
In this case, you must download the necessary key from Oracle Key Vault to a local wallet file to be used when you decrypt the backup during the restore process. For example, suppose that the Finance_DB database had recently migrated to use a TDE direct connection to Oracle Key Vault after you have uploaded the premigration wallet. If a system failure forces you to restore from a database backup taken before the migration to Oracle Key Vault, you can still restore the contents of the database by using an Oracle wallet downloaded from the Oracle virtual wallet that contains the Finance_DB wallet data that you had uploaded earlier.
To restore previously TDE-encrypted database contents using an Oracle wallet:
Download this Oracle wallet from Oracle Key Vault by using the okvutil download command.
See "okvutil download Command" for more information.
On the endpoint where you downloaded the Oracle wallet, add the following settings to the sqlnet.ora file.
METHOD_DATA=wallet_file_path METHOD=FILE ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=wallet_file_path)))
Put the ENCRYPTION_WALLET_LOCATION setting on one line.
If you created a password-protected wallet in Step 1, then open the wallet using the password you specified.
For Oracle Database 11g Release 2, as a user who has been granted the ALTER SYSTEM system privilege:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";
For Oracle Database 12c, as a user who has been granted the SYSKM administrative privilege:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
Opening the wallet enables the server to read the contents of the updated sqlnet.ora file. At this point, the endpoint server has been restored to a state where it now can run with the original version of the wallet.
In a TDE-configured Oracle database, if you upload Oracle wallets in an Oracle Real Application Clusters (Oracle RAC) environment, then the nodes within the cluster must share a virtual wallet.
You can enable the cluster to share the virtual wallet by using either of the following approaches:
Define a virtual wallet as a shared default wallet for all of the nodes in the cluster.
If each node in the cluster has a separate default wallet, then grant each node access to every other node's default wallet to have the same effect. An endpoint group may be used to simplify the process of granting each node access to the default wallets of the other nodes.
The advantage of this approach over the first is that if you had several nodes that already had default wallets and you wanted them to share wallets, then you would not have to reassign their default wallets. This is particularly important because in the first approach, in order to reassign an endpoint's default wallet, you must reenroll the endpoint. An endpoint group can be used to simplify the process of granting each node access to the default virtual wallets of the other nodes.
As with single-instance database environments, after you download a password-protected wallet, you must manually open it. If you have one wallet on the primary node and then download the wallet to the other nodes, you must explicitly open the wallets on each of these nodes.
You can migrate Oracle wallets that contain Oracle GoldenGate shared secrets and TDE master keys to the Oracle Key Vault server.
Topics:
About Uploading Oracle Wallets in an Oracle GoldenGate Environment
Using a TDE Direct Connection in an Oracle GoldenGate Deployment
Migrating TDE Wallets on an Oracle GoldenGate Deployment to Oracle Key Vault
In an environment where Oracle Key Vault is not used and an Oracle TDE-enabled database is configured with an Oracle wallet with Oracle GoldenGate, this database (called the source database) stores an Oracle GoldenGate shared secret in the same Oracle wallet where master keys are stored.
Hence, when you configure the source database as an Oracle Key Vault endpoint, the Oracle GoldenGate shared secret is stored in Oracle Key Vault in the same virtual wallet where the master keys are stored for the TDE-enabled source database.
When you migrate an Oracle wallet that contains an Oracle GoldenGate shared secret and TDE master keys to Oracle Key Vault using the okvutil command-line utility, the default wallet for the TDE-enabled source database now stores the entire Oracle wallet migrated with shared secret and master keys.
In addition, if the configured target database is an Oracle database, then you must ensure that this target database is TDE-enabled so that all the TDE commands can be replicated. Note that the two Oracle TDE-enabled databases, source and target, do not need to have the same master key in the Oracle wallet. If you configure this target database as a new Key Vault endpoint, then you can upload and download wallets to and from Oracle Key Vault as you normally would with any independent Key Vault endpoint. No additional configuration is necessary.
To use a TDE direct connection in an Oracle GoldenGate deployment, you must perform two configuration steps.
Configure a connection between the source database in the GoldenGate deployment and Oracle Key Vault by following the steps in "Configuring a Connection Between Oracle Key Vault and a New TDE-Enabled Database".
Configure the storage of Oracle GoldenGate secrets in the Oracle wallet on the source database.
See Oracle Database Advanced Security Guide for more information.
At this stage, the configuration is complete. If you have configured the sqlnet.ora file correctly and completed the other configuration required for TDE on the source database, then when you set the encryption key (using either ALTER SYSTEM SET ENCRYPTION KEY or ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY), a TDE master key is created in Oracle Key Vault. You can encrypt tables or create encrypted tablespaces in the database. The encrypted data created in the source database continues to be replicated on the target database after this procedure is performed. The other Oracle GoldenGate shared secrets are stored in Oracle Key Vault.
In an Oracle GoldenGate environment with a TDE-configured database, an Oracle wallet contains both the TDE master keys and the Oracle GoldenGate shared secret.
The migration of this Oracle wallet to Oracle Key Vault is similar to the procedure that you follow for "Migrating Existing TDE Wallets to Oracle Key Vault"."
Note that target databases (if they are Oracle TDE-enabled databases) that are used in this Oracle GoldenGate environment can also be configured to use Oracle Key Vault or continue to use Oracle wallet. You should treat these databases as you would any standalone TDE database endpoint. Therefore, you should follow the procedure in "Migrating Existing TDE Wallets to Oracle Key Vault" to migrate this type of wallet.
After you complete this migration, the configuration is complete. If you have configured the sqlnet.ora file correctly and completed the other configuration required for TDE, then when you set the encryption key (using either ALTER SYSTEM SET ENCRYPTION KEY or ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY), a TDE master key is created in Oracle Key Vault. You can continue to create and use encrypted tables or tablespaces in the database. The encrypted data created in the source database continues to be replicated on the target database after this procedure is performed.
You can perform the following activities in an Oracle Active Data Guard environment: upload Oracle wallets to an Oracle Key Vault server, use TDE direct connections, migrate wallets between endpoints, and migrate and check TDE wallets for a logical standby database.
Topics:
About Uploading Oracle Wallets in an Oracle Active Data Guard Environment
Uploading Oracle Wallets in an Oracle Active Data Guard Environment
Performing a TDE Direct Connection in an Oracle Active Data Guard Environment
Migrating Oracle Wallets in an Oracle Active Data Guard Environment
Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
Checking the Oracle TDE Wallet Migration for a Logical Standby Database
In an Oracle Active Data Guard environment with a TDE-enabled primary and a standby database using an Oracle wallet, you must physically copy the Oracle wallet file from the primary database to the standby after the initial TDE configuration and later, whenever you rekey the master key on the primary database.
Whereas, when using Oracle Key Vault with a TDE-enabled Active Data Guard database, the primary and standby databases must be registered in Oracle Key Vault as endpoints. You must ensure that the endpoints that are registered for both the primary and standby databases have same default virtual wallet in Oracle Key Vault.
This way, the two databases can achieve centralized key and wallet management without the need of a manual copy of the wallet file from the primary database to the standby database.
You can upload an Oracle wallet to an Active Data Guard environment.
Register one endpoint each for the primary and standby databases.
Download the okvclient.jar file for each endpoint on the respective databases.
See "Task 2: Install the Oracle Key Vault Client Software on the Endpoint".
Ensure that the endpoint password is the same as the TDE wallet password if you must perform a migration or a reverse migration.
Ensure that both the primary and standby database endpoints use the same default virtual wallet.
The procedure for performing a TDE direct connection in an Oracle Active Data Guard environment is the same as in a standard Oracle Database environment.
See "About Using a TDE Direct Connection with Oracle Key Vault" for more information.
You can migrate an Oracle wallet in an Oracle Active Data Guard environment.
Use the okvutil upload command to upload the contents of the local Oracle wallet that is on the primary database to Oracle Key Vault.
Perform the migration steps as described in "Migrating Existing TDE Wallets to Oracle Key Vault".
Close the existing Oracle wallet on the standby database.
For Oracle Database 11g Release 2, as a user who has been granted the ALTER SYSTEM system privilege:
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
For Oracle Database 12c, as a user who has been granted the SYSKM administrative privilege:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
Shut down the standby database.
For example:
SHUTDOWN IMMEDIATE
Restart the standby database.
For example:
STARTUP
Open the Oracle wallet.
For Oracle Database 11g Release 2, as a user who has been granted the ALTER SYSTEM system privilege:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
For Oracle Database 12c, as a user who has been granted the SYSKM administrative privilege:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
Start the apply process on the standby database.
See Oracle Data Guard Concepts and Administration for information about starting the apply process on the standby database.
If you have a logical standby database configured and are using Oracle Database Release 12c, then you can migrate a TDE wallet to Oracle Key Vault.
Register the primary and standby endpoints to have the same default virtual wallet.
If necessary, download and install the okvclient.jar file to each endpoint.
Perform the migration on the primary database.
Complete the SQL Apply process on the logical standby and then restart the standby database.
See Oracle Data Guard Concepts and Administration for more information about the SQL Apply process.
To check that the status the that migration was successful, query the V$ENCRYPTION_WALLET dynamic view.
See "Checking the Oracle TDE Wallet Migration for a Logical Standby Database".
In an Oracle Database Release 12c environment, after you have migrated an Oracle TDE wallet in a logical standby configuration, you can check the configuration by querying the WRL_TYPE and WALLET_ORDER columns of the V$ENCRYPTION_WALLET dynamic view.
By querying the V$ENCRYPTION_WALLET view, you can track the primary keystore. If you have only a single wallet configured, then the WALLET_ORDER column is set to SINGLE. In a two-wallet or mixed configuration, the column is set to PRIMARY or SECONDARY, depending on where the active master key is located. Consider the following queries.
In the following query, only a single wallet is configured:
SELECT WRL_TYPE, WALLET_ORDER FROM V$ENCRYPTION_WALLET; WRL_TYPE WALLET_OR -------------------- --------- FILE SINGLE
In this query in a logical standby configuration, the active master key has been migrated to an Oracle Key Vault virtual wallet:
SELECT WRL_TYPE, WALLET_ORDER FROM V$ENCRYPTION_WALLET; WRL_TYPE WALLET_OR -------------------- --------- FILE SECONDARY HSM PRIMARY
This query should show the HSM as the PRIMARY wallet in both the primary and standby database for the logical configuration.