14 Managing Keys for Oracle Products
You can use Oracle Key Vault with other Oracle features and products, such as Oracle GoldenGate or Oracle Data Guard.
- Using a TDE-Configured Oracle Database in an Oracle RAC Environment
  Each Oracle Real Application Clusters (Oracle RAC) database has its own Oracle virtual wallet in Oracle Key Vault.
- Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
  Oracle Key Vault supports the use of Oracle wallets with Oracle GoldenGate shared secrets.
- Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
  You can perform activities such as uploading Oracle wallets or using online master encryption keys in an Oracle Data Guard environment.
- Uploading Keystores from Automatic Storage Management to Oracle Key Vault
  You can copy a keystore from Automatic Storage Management (ASM) to Oracle Key Vault and vice versa in a two-step process.
- MySQL Integration with Oracle Key Vault
  You can manage TDE encryption keys in MySQL with Oracle Key Vault.
- Other Oracle Database Features That Oracle Key Vault Supports
  You can deploy Transparent Data Encryption (TDE) in multiple topologies with other database features that move data or use clustered deployments.
14.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
Each Oracle Real Application Clusters (Oracle RAC) database has its own Oracle virtual wallet in Oracle Key Vault.
In an Oracle Real Application Clusters (Oracle RAC) environment, each Oracle RAC instance has its own endpoint in Oracle Key Vault; these endpoints share the same virtual wallet in Oracle Key Vault as their default wallet.
You can enable the cluster to share the virtual wallet by using either of the following approaches:
- If the Oracle RAC database is using TDE with individual wallets, then confirm that these wallets have identical content. Run
  mkstore -wrl /directory/to/TDE-wallet -list
  against each node's wallet and compare the output. If all wallets contain the same keys, then upload the content of one of them into the shared virtual wallet in Oracle Key Vault.
- If the Oracle RAC database is using TDE with a shared wallet (the recommended deployment), then upload that wallet to Oracle Key Vault.
- Establish an auto-open connection with Oracle Key Vault.
- Migrate the Oracle RAC database to Oracle Key Vault.
As with single-instance database environments, after you download a password-protected wallet, you must open it manually. If you have one wallet on the primary node and download it to the other nodes, then you must explicitly open the wallet on each of those nodes.
Each Oracle RAC node is a separate endpoint of the database and has its own persistent cache. For Oracle RAC databases, initiate a query from each Oracle RAC node so that the latest master encryption key is cached on that node and operations continue uninterrupted.
14.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
Oracle Key Vault supports the use of Oracle wallets with Oracle GoldenGate shared secrets.
You can upload or migrate Oracle wallets that contain Oracle GoldenGate shared secrets and TDE master encryption keys to the Oracle Key Vault server.
- Oracle Wallets in an Oracle GoldenGate Environment
  An Oracle GoldenGate shared secret can be in the same Oracle wallet where master encryption keys are stored.
- Configuring Online Master Encryption Keys in an Oracle GoldenGate Deployment
  There are two configuration steps to using the online master encryption key in an Oracle GoldenGate deployment.
- Migration of TDE Wallets in Oracle GoldenGate to Oracle Key Vault
  Oracle wallets can contain both a TDE master encryption key and an Oracle GoldenGate shared secret.
14.2.1 Oracle Wallets in an Oracle GoldenGate Environment
An Oracle GoldenGate shared secret can be in the same Oracle wallet where master encryption keys are stored.
In an environment where Oracle Key Vault is not used and an Oracle TDE-enabled database is configured with an Oracle wallet with Oracle GoldenGate, this database (called the source database) stores an Oracle GoldenGate shared secret in the same Oracle wallet where master encryption keys are stored.
This means that when you configure the source database as an Oracle Key Vault endpoint, the Oracle GoldenGate shared secret is stored in Oracle Key Vault in the same virtual wallet where the master encryption keys are stored for the TDE-enabled source database.
When you migrate an Oracle wallet that contains an Oracle GoldenGate shared secret and TDE master encryption keys to Oracle Key Vault using the okvutil command-line utility, the default wallet for the TDE-enabled source database then holds the entire migrated Oracle wallet, shared secret and master encryption keys included.
In addition, if the configured target database is an Oracle database, then you must ensure that this target database is TDE-enabled so that all the TDE commands can be replicated. The two Oracle TDE-enabled databases, source and target, do not need to have the same master encryption key in the Oracle wallet. If you configure this target database as a new Oracle Key Vault endpoint, then you can upload and download wallets to and from Oracle Key Vault as you normally would with any independent Oracle Key Vault endpoint. No additional configuration is necessary.
14.2.2 Configuring Online Master Encryption Keys in an Oracle GoldenGate Deployment
There are two configuration steps to using the online master encryption key in an Oracle GoldenGate deployment.
- Configure a connection between the source database in the GoldenGate deployment and Oracle Key Vault.
- Configure the storage of Oracle GoldenGate secrets in the Oracle wallet on the source database.
At this stage, the configuration is complete. If you have configured the sqlnet.ora file correctly and completed the other configuration steps required for TDE on the source database, then when you set the encryption key (using either ALTER SYSTEM SET ENCRYPTION KEY or ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY), a TDE master encryption key is created in Oracle Key Vault. You can encrypt tables or create encrypted tablespaces in the database. The encrypted data created in the source database continues to be replicated on the target database after you perform this procedure. The other Oracle GoldenGate shared secrets are stored in Oracle Key Vault.
See Also:
- Step 1: Configure the Oracle Key Vault Server Environment for instructions to connect a source database in GoldenGate to Oracle Key Vault.
- Oracle Database Advanced Security Guide for more information on configuring the storage of Oracle GoldenGate secrets in the source database.
14.2.3 Migration of TDE Wallets in Oracle GoldenGate to Oracle Key Vault
Oracle wallets can contain both a TDE master encryption key and an Oracle GoldenGate shared secret.
In an Oracle GoldenGate environment with a TDE-configured database, an Oracle wallet contains both the TDE master encryption keys and the Oracle GoldenGate shared secret.
You can also configure target Oracle TDE-enabled databases that are used in this Oracle GoldenGate environment to use Oracle Key Vault or continue to use an Oracle wallet. You should treat these databases as you would any standalone TDE database endpoint.
After you complete this migration, the configuration is complete. If you have configured the sqlnet.ora file correctly and completed the other configuration required for TDE, then when you set the encryption key (using either ALTER SYSTEM SET ENCRYPTION KEY or ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY), a TDE master encryption key is created in Oracle Key Vault. You can continue to create and use encrypted tables or tablespaces in the database. The encrypted data created in the source database continues to be replicated on the target database after this procedure is performed.
14.3 Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
You can perform the activities such as uploading Oracle wallets or using online master encryption keys in an Oracle Data Guard environment.
- About Uploading Oracle Wallets in an Oracle Data Guard Environment
  The upload operation enables both a primary and standby to benefit from the use of Oracle wallets.
- Uploading Oracle Wallets in an Oracle Data Guard Environment
  You can upload an Oracle wallet to an Oracle Data Guard environment.
- Performing an Online Master Encryption Key Connection in an Oracle Data Guard Environment
  The procedure for performing an online master encryption key connection in an Oracle Data Guard environment is the same as in a standard Oracle Database environment.
- Migrating Oracle Wallets in an Oracle Data Guard Environment
  You can migrate an Oracle wallet in an Oracle Data Guard environment by using okvutil and SQL*Plus.
- Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
  You can use okvutil and SQL*Plus to reverse migrate an Oracle wallet in an Oracle Data Guard environment.
- Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
  You can migrate a TDE wallet to Oracle Key Vault for a logical standby database in Oracle Database release 12c or 18c.
- Checking the Oracle TDE Wallet Migration for a Logical Standby Database
  You use SQL*Plus to check the migration.
14.3.1 About Uploading Oracle Wallets in an Oracle Data Guard Environment
The upload operation enables both a primary and standby to benefit from the use of Oracle wallets.
In an Oracle Data Guard environment with TDE-enabled primary and standby databases that use an Oracle wallet, you must physically copy the Oracle wallet file from the primary database to the standby and restart the managed recovery process, both after the initial TDE configuration and later, whenever you rekey the master encryption key on the primary database.
When you use Oracle Key Vault with a TDE-enabled Oracle Data Guard database instead, you register the primary and standby databases in Oracle Key Vault as endpoints and ensure that the endpoints for the primary and all standby databases share the same virtual wallet.
This way, the primary and standby databases benefit from centralized key management without a manual copy of the wallet file from the primary database to the standby database.
With the persistent cache, a rekey operation on the primary database caches the new master encryption key in the primary's own persistent cache. The standby fetches the new key from Oracle Key Vault and caches it in its own persistent cache only when the redo logs from the primary that reference the new key are applied on the standby, so there is a time lag between the caching of the key on the primary and on the standby. Oracle recommends that you synchronize the primary and standby as soon as possible after the rekey operation, and that you confirm the content of the persistent cache on both the primary and standby databases with the following command:
$ okvutil list -t okv_persistent_cache -l /<WALLET_ROOT>/okv/conf/
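The two consistency checks this chapter asks for, comparing per-node wallet listings before uploading a RAC wallet (section 14.1) and comparing the persistent cache of the primary and standby after a rekey (above), are the same operation: normalize two or more listings and diff them. The script below is an added example, not a script shipped with Oracle Key Vault or taken from this documentation. It assumes the listings have already been captured to files with the commands the page gives (mkstore -wrl DIR -list per RAC node, or okvutil list -t okv_persistent_cache on each Data Guard site); the file names, the constructed sample entries and the upload wrapper are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not a script from the Oracle Key Vault documentation.
# Compares key listings captured from several places so that
#   - a per-node RAC wallet is uploaded only when every node's copy agrees, and
#   - a Data Guard standby whose persistent cache still lacks the key from the
#     latest rekey on the primary is detected.
# Assumptions (not stated on the page): each listing was captured to a file
# with the command the page gives, for example
#   mkstore -wrl /u01/app/oracle/admin/ORCL/wallet -list > node1.lst
#   okvutil list -t okv_persistent_cache -l "$WALLET_ROOT/okv/conf/" > primary.lst
# Both tools prompt for their password; this script never handles one.
set -u

# Drop blank lines and trailing whitespace, then sort, so that entry order
# and spacing differences between hosts do not count as mismatches.
normalize_listing() {
    grep -v '^[[:space:]]*$' "$1" | sed 's/[[:space:]]*$//' | sort -u
}

# listings_match REF_FILE OTHER_FILE... : return 0 when every listing has the
# same normalized content as REF_FILE; otherwise print a diff for each
# differing file on stderr and return 1.
listings_match() {
    ref="$1"; shift
    tmp=$(mktemp -d) || return 2
    normalize_listing "$ref" > "$tmp/ref"
    rc=0
    for f in "$@"; do
        normalize_listing "$f" > "$tmp/cur"
        if ! cmp -s "$tmp/ref" "$tmp/cur"; then
            echo "MISMATCH: $f differs from $ref" >&2
            diff "$tmp/ref" "$tmp/cur" >&2 || true
            rc=1
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# upload_if_consistent VIRTUAL_WALLET WALLET_DIR LISTING... : the RAC case.
# Upload this node's wallet into the shared virtual wallet only if all the
# per-node listings agree. okvutil upload prompts for the endpoint password.
upload_if_consistent() {
    vw="$1"; wdir="$2"; shift 2
    if ! listings_match "$@"; then
        echo "refusing to upload: the per-node wallets are not identical" >&2
        return 1
    fi
    okvutil upload -t WALLET -l "$wdir" -g "$vw" -v 2
}

# Constructed sample listings (not real mkstore output) written into DIR:
# node1 and node2 hold the same entries in a different order; node3 is
# missing the most recent key, which is the situation to catch.
write_sample_listings() {
    dir="$1"
    cat > "$dir/node1.lst" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.AWconstructedKeyId0001
ORACLE.SECURITY.DB.ENCRYPTION.AWconstructedKeyId0002
EOF
    cat > "$dir/node2.lst" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AWconstructedKeyId0002
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

ORACLE.SECURITY.DB.ENCRYPTION.AWconstructedKeyId0001
EOF
    cat > "$dir/node3.lst" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.AWconstructedKeyId0001
EOF
}

# Stand-alone run: exercise the check on the constructed listings.
demo() {
    d=$(mktemp -d)
    write_sample_listings "$d"
    listings_match "$d/node1.lst" "$d/node2.lst" && echo "node1/node2: consistent"
    listings_match "$d/node1.lst" "$d/node3.lst" || echo "node1/node3: NOT consistent"
    rm -rf "$d"
}
demo
```

For the Data Guard case, capture the okvutil list output on the primary and on each standby and pass the files to listings_match; a non-zero exit after a rekey means the standby has not yet applied the redo that references the new key, and you should synchronize before relying on the standby.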
14.3.2 Uploading Oracle Wallets in an Oracle Data Guard Environment
You can upload an Oracle wallet to an Oracle Data Guard environment.
- Register one endpoint each for the primary and standby databases.
- Download the okvclient.jar file for each endpoint on the respective databases.
- Ensure that both the primary and standby database endpoints use the same default virtual wallet.
14.3.3 Performing an Online Master Encryption Key Connection in an Oracle Data Guard Environment
The procedure for performing an online master encryption key in an Oracle Data Guard environment is the same as in a standard Oracle Database environment.
14.3.4 Migrating Oracle Wallets in an Oracle Data Guard Environment
You can migrate an Oracle wallet in an Oracle Data Guard environment by using okvutil and SQL*Plus.
- Use the okvutil upload command to upload the contents of the local Oracle wallet that is on the primary database to Oracle Key Vault.
- Perform the steps to migrate the wallet, as described in Migrating an Existing TDE Wallet to Oracle Key Vault.
- Close the existing Oracle wallet on the standby database.
  - For Oracle Database 11g release 2, as a user who has been granted the ALTER SYSTEM system privilege:
    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
  - For Oracle Database 12c or later, as a user who has been granted the SYSKM administrative privilege:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
- Restart the standby database.
- Open the Oracle wallet.
  - For Oracle Database 11g release 2, as a user who has been granted the ALTER SYSTEM system privilege:
    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
  - For Oracle Database 12c or later, as a user who has been granted the SYSKM administrative privilege:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
- Start the apply process on the standby database, as described in Oracle Data Guard Concepts and Administration.
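The standby-side steps above, driven from a shell on the standby host, as an added example that is not part of the Oracle Key Vault documentation. The keystore statements are the ones the procedure lists; the function names, the local OS-authenticated SQL*Plus connections, the OKV_ENDPOINT_PASSWORD and OKV_LIVE variables, and the managed-recovery command (the example assumes a physical standby) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not a script from the Oracle Key Vault documentation: drives
# the standby-side steps of the Data Guard wallet migration. The keystore
# statements are the ones the page lists; the function names, the local
# OS-authenticated SQL*Plus connections, and the managed-recovery command for
# a physical standby are assumptions made for this example.
# The endpoint password comes from OKV_ENDPOINT_PASSWORD and reaches SQL*Plus
# only on standard input, so it never appears in `ps` output or shell history.
# With `set -u`, an unset password aborts the script instead of sending an
# empty password to the database.
set -u

# keystore_role VERSION : 11g keystore statements use ALTER SYSTEM (run here
# as SYSDBA); 12c and later need the SYSKM administrative privilege.
keystore_role() {
    major=${1%%.*}
    if [ "$major" -ge 12 ]; then echo syskm; else echo sysdba; fi
}

# keystore_sql VERSION OPEN|CLOSE : print the open or close statement for the
# database release, with the endpoint password filled in.
keystore_sql() {
    ver="$1"; op="$2"
    case "$op" in
        OPEN|CLOSE) ;;
        *) echo "keystore_sql: operation must be OPEN or CLOSE" >&2; return 2 ;;
    esac
    if [ "$(keystore_role "$ver")" = syskm ]; then
        printf 'ADMINISTER KEY MANAGEMENT SET KEYSTORE %s IDENTIFIED BY "%s";\n' \
            "$op" "$OKV_ENDPOINT_PASSWORD"
    else
        printf 'ALTER SYSTEM SET ENCRYPTION WALLET %s IDENTIFIED BY "%s";\n' \
            "$op" "$OKV_ENDPOINT_PASSWORD"
    fi
}

# run_sql ROLE : run the statements on stdin in a local SQL*Plus session.
run_sql() {
    sqlplus -s "/ as $1"
}

# Step 1, on the primary host: upload the local wallet into the virtual
# wallet shared by the primary and standby endpoints. okvutil prompts for the
# endpoint password itself.
upload_primary_wallet() {   # WALLET_DIR VIRTUAL_WALLET
    okvutil upload -t WALLET -l "$1" -g "$2" -v 2
}

# Steps 3 to 6, on the standby host: close the wallet, restart the standby,
# open the wallet from Oracle Key Vault, then resume redo apply.
migrate_standby() {         # DB_VERSION
    ver="$1"
    role=$(keystore_role "$ver")
    keystore_sql "$ver" CLOSE | run_sql "$role"
    printf 'SHUTDOWN IMMEDIATE\nSTARTUP MOUNT\n' | run_sql sysdba
    keystore_sql "$ver" OPEN | run_sql "$role"
    # Assumption: physical standby using managed recovery. A logical standby
    # restarts SQL Apply (ALTER DATABASE START LOGICAL STANDBY APPLY) instead.
    printf 'ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION;\n' |
        run_sql sysdba
}

# After the migration: the keystore should report STATUS OPEN with a
# WALLET_TYPE served by Oracle Key Vault, and the persistent cache should
# hold the current key (the okvutil list command from section 14.3.1).
verify_standby() {          # WALLET_ROOT
    printf 'SET LINESIZE 200\nSELECT wrl_type, status, wallet_type FROM v$encryption_wallet;\n' |
        run_sql sysdba
    okvutil list -t okv_persistent_cache -l "$1/okv/conf/"
}

# Live run only when explicitly requested, for example:
#   OKV_ENDPOINT_PASSWORD=... OKV_LIVE=1 sh dg_migrate.sh 19.0.0.0 /u01/app/oracle/admin/ORCL
if [ "${OKV_LIVE:-0}" = 1 ]; then
    migrate_standby "$1"
    verify_standby "$2"
fi
```

The version check decides both the statement form and the privilege it needs, which is the point where scripts written for 11g silently break on 12c and later. Keep the password out of the command line: anything passed as an argument to sqlplus or okvutil is visible to every user on the host through ps.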
14.3.5 Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
You can use okvutil and SQL*Plus to reverse migrate an Oracle wallet in an Oracle Data Guard environment.
- Use the okvutil download command to download the Oracle wallet keys onto the primary database from Oracle Key Vault. Download these keys to a local keystore.
- Perform a reverse migration, as described in Oracle Database Advanced Security Guide.
- Close the existing Oracle wallet on the standby database.
  - For Oracle Database 11g release 2:
    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
  - For Oracle Database 12.1.0.2 and later:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
- Copy the Oracle wallet from the primary database to the standby database, as described in Oracle Database Advanced Security Guide.
- Open the Oracle wallet on the standby database.
  - For Oracle Database 11g release 2:
    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
  - For Oracle Database 12.1.0.2 and later:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Key_Vault_endpoint_password";
- Start the apply process on the standby database, as described in Oracle Data Guard Concepts and Administration.
If the endpoint password and the local TDE wallet password are different, then use the auto-login HSM feature.
14.3.6 Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
You can migrate a TDE wallet to Oracle Key Vault for a logical standby database in Oracle Database release 12c or 18c.
- Register the primary and standby endpoints so that they have the same default virtual wallet.
- If necessary, download and install the okvclient.jar file on each endpoint.
- Perform the migration on the primary database.
- Complete the SQL Apply process on the logical standby and then restart the standby database, as described in Oracle Data Guard Concepts and Administration.
- To check that the migration was successful, query the V$ENCRYPTION_WALLET dynamic view.
14.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
You can copy a keystore from Automatic Storage Management (ASM) to Oracle Key Vault and vice versa in a two-step process.
- About Uploading Keystores from Automatic Storage Management to Oracle Key Vault
  Uploading a keystore from Oracle Automatic Storage Management (ASM) to Oracle Key Vault is a two-step process.
- Uploading a Keystore from Automatic Storage Management to Oracle Key Vault
  You can use the ADMINISTER KEY MANAGEMENT statement to move a software keystore out of Automatic Storage Management (ASM).
- Copying a Keystore from Oracle Key Vault to Automatic Storage Management
  You use both okvutil download and SQL*Plus to complete the copy process.
14.4.1 About Uploading Keystores from Automatic Storage Management to Oracle Key Vault
Uploading a keystore from Oracle Automatic Storage Management (ASM) to Oracle Key Vault is a two-step process.
- Copy the keystore from ASM to the file system.
- Upload the keystore from the file system to Oracle Key Vault.
Copying a keystore from ASM to the file system, or vice versa, uses the keystore merge operation, which merges one software keystore into an existing keystore. Therefore, to copy a keystore from a source path to a target path, a keystore must already exist at the target path.
14.4.2 Uploading a Keystore from Automatic Storage Management to Oracle Key Vault
You can use the ADMINISTER KEY MANAGEMENT statement to move a software keystore out of Automatic Storage Management (ASM).
14.4.3 Copying a Keystore from Oracle Key Vault to Automatic Storage Management
You use both okvutil download and SQL*Plus to complete the copy process.
14.5 MySQL Integration with Oracle Key Vault
You can manage TDE encryption keys in MySQL with Oracle Key Vault.
Oracle Key Vault supports integration with MySQL from release 12.2 or later. Oracle Key Vault can manage MySQL TDE encryption keys.
Note:
MySQL databases on Windows are not supported.
14.6 Other Oracle Database Features That Oracle Key Vault Supports
You can deploy Transparent Data Encryption (TDE) in multiple topologies with other database features that move data or use clustered deployments.
Data movement and replication are major challenges for Oracle Advanced Security TDE because the master encryption key must be kept synchronized at both source and target. To help with these challenges, Oracle Key Vault supports common Oracle Database features.
To move data, Oracle Key Vault supports the following:
- Oracle Recovery Manager (RMAN) backup and recovery operations
- Oracle Data Pump
- Transportable tablespaces (Oracle Database 12c or later)
- Pluggable database plug/unplug
- Pluggable database remote clones
For clustered deployments, Oracle Key Vault supports the following:
- Oracle Data Guard
- Oracle Real Application Clusters (Oracle RAC)
- Oracle GoldenGate
Note:
You can rotate the TDE master encryption key of the database only from the database, using the ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY commands. You cannot initiate the TDE master encryption key rotation centrally from the Oracle Key Vault management console.