9 Using sqlnet.ora to Configure Transparent Data Encryption Keystores

If you do not want to use the WALLET_ROOT parameter to configure keystores, then you can use the sqlnet.ora file.

9.1 About the Keystore Location in the sqlnet.ora File

If you have not set the WALLET_ROOT parameter, then Oracle Database checks the sqlnet.ora file for the directory location of the keystore.

This applies to whether the keystore is a software keystore, a hardware module security (HSM) keystore, or an Oracle Key Vault keystore. You must edit the sqlnet.ora file to define a directory location for the keystore that you plan to create. Ensure that this directory exists beforehand. Preferably, this directory should be empty.

Note the following behavior when you must edit the sqlnet.ora file in an Oracle Real Application Clusters (Oracle RAC) or a multitenant environment:

  • In an Oracle RAC environment: If you are using the srvctl utility and if you want to include environment variables in the sqlnet.ora configuration file, then you must set these environment variables in both the operating system and the srvctl environment. Oracle recommends that you place the keystore on a shared file system, such as Oracle Automatic Storage Management (ASM) or NFS.

  • In a multitenant environment: If the sqlnet.ora file is in the CDB root, then the keystore location will be set for the entire CDB environment. You can configure a sqlnet.ora at the PDB level if the PDBs are working in isolated mode.

In the sqlnet.ora file, you must set the ENCRYPTION_WALLET_LOCATION parameter to specify the keystore location. When determining which keystore to use, Oracle Database searches for the keystore location in the following places, in this order:

  1. It attempts to use the keystore in the location specified by the parameter ENCRYPTION_WALLET_LOCATION in the sqlnet.ora file.

  2. If the ENCRYPTION_WALLET_LOCATION parameter is not set, then it attempts to use the keystore in the location that is specified by the parameter WALLET_LOCATION.

  3. If the WALLET_LOCATION parameter is also not set, then Oracle Database looks for a keystore at the default database location, which is $ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet or $ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. (DB_UNIQUE_NAME is the unique name of the database specified in the initialization parameter file.) When the keystore location is not set in the sqlnet.ora file, then the V$ENCRYPTION_WALLET view displays the default location. You can check the location and status of the keystore in the V$ENCRYPTION_WALLET view.

By default, the sqlnet.ora file is located in the $ORACLE_HOME/dbs directory or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN environment variable to point to the correct sqlnet.ora file.

9.2 Configuring the sqlnet.ora File for a Software Keystore Location

Use the sqlnet.ora file to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).

  • To create a software keystore on a regular file system, use the following format when you edit the sqlnet.ora file:

    ENCRYPTION_WALLET_LOCATION=
     (SOURCE=
      (METHOD=FILE)
       (METHOD_DATA=
        (DIRECTORY=path_to_keystore)))
    

If the path_to_keystore will contain an environment variable, then set this variable in the environment where the database instance is started and before you start the database. If you are using the srvctl utility to start the database, then set the environment variable in the srvctl environment as well, using the following command:

srvctl setenv database -db database_name -env "environment_variable_name=environment_variable_value"

9.3 Example: Configuring a Software Keystore for a Regular File System

You can configure a software keystore for a regular file system.

The following example shows how to configure a software keystore location in the sqlnet.ora file for a regular file system in which the database name is orcl.

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
   (METHOD=FILE)
    (METHOD_DATA=
     (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

9.4 Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File

You can configure multiple databases to share the sqlnet.ora file.

The following example shows how to configure a software keystore location when multiple databases share the sqlnet.ora file.

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))

9.5 Example: Configuring a Software Keystore for Oracle Automatic Storage Management

You can set the WALLET_ROOT and TDE_CONFIGURATION parameters for an Oracle Automatic Storage Management (ASM) disk group.

The following example shows how to configure a software keystore location in the sqlnet.ora file for an ASM file system:

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+disk1/mydb/wallet)))

9.6 Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group

You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.

The following format shows how to configure a software keystore if you want to create a software keystore location on an ASM disk group:

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+ASM_file_path_of_the_diskgroup)))