1. Using Oracle GoldenGate for Oracle Database
  2. Additional Configuration Steps for Using Classic Capture
  3. Configuring Oracle TDE Data in Classic Capture Mode
  4. Configuring Classic Capture for TDE Support
  5. Oracle Security Officer Tasks

Oracle Security Officer Tasks

  1. Oracle GoldenGate requires the use of a software wallet even with HSM. If you are currently using HSM-only mode, move to HSM-plus-wallet mode by taking the following steps:

    1. Change the sqlnet.ora file configuration as shown in the following example, where the wallet directory can be any location on disk that is accessible (rwx) by the owner of the Oracle Database. This example shows a best-practice location, where my_db is the $ORACLE_SID. 

      ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=HSM)(METHOD_DATA=
   (DIRECTORY=/etc/oracle/wallets/my_db)))

    2. Log in to orapki (or Wallet Manager) as the owner of the Oracle Database, and create an auto-login wallet in the location that you specified in the sqlnet.ora file. When prompted for the wallet password, specify the same password as the HSM password (or HSM Connect String). These two passwords must be identical. 

      cd /etc/oracle/wallets/my_db
orapki wallet create -wallet . -auto_login[_local]

      Note:

      The Oracle Database owner must have full operating system privileges on the wallet.

    3. Add the following entry to the empty wallet to enable an 'auto-open' HSM:

      mkstore -wrl . -createEntry ORACLE.TDE.HSM.AUTOLOGIN non-empty-string

  2. Create an entry named ORACLEGG in the wallet. ORACLEGG must be the name of this key. The password for this key must be the agreed-upon shared secret, but do not enter this password on the command line. Instead, wait to be prompted. 

    mkstore -wrl ./ -createEntry ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Your secret/Password is missing in the command line
Enter your secret/Password: sharedsecret
Re-enter your secret/Password: sharedsecret
Enter wallet password: hsm/wallet_password

  3. Verify the ORACLEGG entry. 

    mkstore -wrl . -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: hsm/wallet_password
Oracle Secret Store entries:
ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG

  4. Log in to SQL*Plus as a user with the SYSDBA system privilege.

  5. Close and then re-open the wallet. 

    SQL> alter system set encryption wallet close identified by "hsm/wallet_password";
System altered.
SQL> alter system set encryption wallet open identified by "hsm/wallet_password";
System altered.

    This inserts the password into the auto-open wallet, so that no password is required to access encrypted data with the TDE master encryption key stored in HSM.

  6. Switch log files.

    alter system switch logfile;
System altered.

  7. If this is an Oracle RAC environment and you are using copies of the wallet on each node, make the copies now and then reopen each wallet.

Note:

Oracle recommends using one wallet in a shared location, with synchronized access among all Oracle RAC nodes.

Parent topic: Configuring Classic Capture for TDE Support