7.17.2 Transparent Data Encryption (TDE)

Transparent Data Encryption (TDE) enables you to encrypt sensitive data, such as Personally Identifiable Information (PII), that you store in tables and tablespaces. After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a Keystore. For more details on TDE, see the Database Advanced Security Guide.
TDE tablespace encryption enables you to encrypt all of the data stored in a tablespace. To control the encryption, you use a Keystore and TDE master encryption key. Oracle Database supports both software keystores and hardware, or HSM-based, keystores. A software keystore is a container for the TDE master encryption key, and it resides in the software file system.
To configure TDE for OFSAA, follow these steps:
  1. Create a new PDB (19c)/instance (18c) on the same or a different Database Server for TDE. For more information, see Configure Software Keystore and Encrypted Tablespace Creation.
  2. Shut down the OFSAAI Services.
  3. Export all Configuration, Atomic, and Sandbox Schemas as per the applications installed in your OFSAA instance.
    For example:
    expdp SYSTEM/oracle@OFSA19c2DB DIRECTORY=data_pump_dir DUMPFILE=ofsaaconf_ofsaaatm_%U.dmp filesize=2G SCHEMAS=ofsaaconf,ofsaaatm LOGFILE=ofsaaconf_ofsaaatm_exp.log

    Note:

    The above command writes the export as multiple dump files of 2 GB each. Any other commands/tools, as appropriate, may be used to archive the schemas.
  4. Import all schemas that are exported using the above command, into the new DB instance.
    For example:
    impdp SYSTEM/oracle@OFSA12nDB DIRECTORY=data_pump_dir DUMPFILE=ofsaaconf_ofsaaatm_%U.dmp SCHEMAS=ofsaaconf,ofsaaatm LOGFILE=ofsaaconf_ofsaaatm_imp.log

    Note:

    • Restoring the exported dumps creates the Configuration and Atomic Schema(s) with the same user credentials as in the source, along with the existing grants.
    • If the schemas are restored using a tool/mechanism other than the one described in Steps 1 and 2, keep the user credentials of the Configuration and Atomic Schemas the same as in the source environment, along with the schema grants.
  5. Grant SELECT on SYS.V_$PARAMETER to the Configuration and Atomic Schemas in the target environment database.
    For example:
    Log in as sys user:
    SQL> GRANT SELECT ON SYS.V_$PARAMETER TO ofsaaconf;
    Grant succeeded
    SQL> GRANT SELECT ON SYS.V_$PARAMETER TO ofsaaatm;
    Grant succeeded
  6. Update .profile to set the ORACLE_SID environment variable to the new ORACLE_SID.
  7. Update JDBC URL by executing Port Changer utility. For details on how to execute Port Changer utility, see Changing IP/Hostname, Ports, Deployed paths, Protocol of the OFSAA Instance section under Generic Configurations chapter in OFS Analytical Applications Infrastructure Administration Guide.
  8. Navigate to the $FIC_WEB_HOME directory and execute the following command to trigger the creation of the EAR/WAR file:
    ./ant.sh
  9. The EAR/WAR file - <contextname>.ear/.war - is created in the $FIC_WEB_HOME directory.
  10. On completion of the EAR/WAR file creation, the message "BUILD SUCCESSFUL" is displayed.
  11. Edit the existing Connection Pool settings to point to the new JDBC URL and verify connections.
  12. Clear the webserver cache and redeploy the application onto your configured web application server.
  13. Restart the OFSAA Services. For more information, see Start the Infrastructure Services.
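    A post-migration check, added here as an example and not part of the Oracle guide: run as SYS in the new PDB/instance after Step 4 to confirm that the keystore is open and that none of the imported Configuration and Atomic schema segments landed in a cleartext tablespace. The schema names OFSAACONF and OFSAAATM follow the example above and are assumed to have been created unquoted (hence upper case); adjust the IN list for your installed schemas.

```sql
-- Assumes: run as SYS (or a user with SELECT on the DBA_ and V$ views)
-- connected to the new TDE-enabled PDB/instance; schema names are
-- those from the expdp/impdp example above (OFSAACONF, OFSAAATM).

-- 1. The keystore must be OPEN; if it is CLOSED, encrypted tablespaces
--    are unreadable and the application will fail on connect/query.
SELECT wrl_type, wallet_type, status
  FROM v$encryption_wallet;

-- 2. Every segment of the migrated schemas should reside in an
--    encrypted tablespace. Any row returned here is PII that was
--    imported into a cleartext tablespace and must be moved.
SELECT s.owner, s.tablespace_name, COUNT(*) AS segments
  FROM dba_segments    s
  JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE s.owner IN ('OFSAACONF', 'OFSAAATM')
   AND t.encrypted = 'NO'
 GROUP BY s.owner, s.tablespace_name;

-- 3. Algorithm and status per encrypted tablespace, so the cipher in
--    use (e.g. AES256) can be recorded in the migration evidence.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace           t ON t.ts# = e.ts#;
```

Query 2 should return no rows before you proceed to Step 5; query 1 should show STATUS = OPEN.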