Integrate OKM and TDE
This section describes how to install and configure pkcs11_kms and the OKM cluster for use with TDE.
System Requirements for OKM and TDE
Using OKM with TDE requires the system to meet minimum requirements.
Oracle Key Manager
OKM 2.4.1 operating with Replication Schema version 13. Supported OKM management platforms for the GUI and CLI are documented in the OKM product release notes, which include specific considerations for Oracle Solaris and Microsoft Windows platforms.
pkcs11_kms
pkcs11_kms is supported on the following platforms:
- Oracle Solaris 11.x (all SRUs)
- Oracle Solaris 10 Update 10 pkcs11_kms patch 147441-03 for x86 or patch 147159-02 for SPARC, 32 bit or 64 bit
- Oracle Linux Server, release 5.5, 5.6, 5.9, 6.5, and 7
Oracle Database
OKM can be integrated with TDE for the following versions of the Oracle Database server running on a supported pkcs11_kms platform:
- Oracle Database 11.2.0.2 with patch 12626642
- Oracle Database 11.2.0.4
- Oracle Database 12.1
- Oracle Database 12.2
Install OKM for TDE
Install OKM using the standard installation instructions, then use the procedures here for TDE.
The OKM cluster installation process is described in the Install the KMA section. Typically, OKM installation involves engagement with Oracle Professional Services to aid in planning, installation, and configuration service choices. Additionally, it is recommended that your security team be involved in the planning process.
After you establish a working OKM cluster, follow the OKM administration steps described in the configuration sections of this appendix.
Install pkcs11_kms
Install and configure the OKM PKCS#11 Provider, pkcs11_kms, on the Oracle database server(s).
Oracle Solaris 11
- Display the version of the pkcs11_kms package:
# pkg info -r pkcs11_kms
- Install the package:
# pkg install system/library/security/pkcs11_kms
- Install the provider into the Solaris Crypto Framework. The single quotes are significant, because they keep the shell from expanding $ISA:
# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
- Enter the following command to verify the installation:
# cryptoadm list -m -v provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
This displays the message 'no slots presented' until kmscfg has been run.
Oracle Solaris 10 Update 10
The pkcs11_kms distribution is installed as the "SUNWpkcs11kms" package in Solaris 10 Update 10.
SPARC systems require Solaris patch 147159-03 or later. x86 systems require Solaris patch 147441-03 or later. To download Solaris patches, go to: https://support.oracle.com
- Enter the following command to install the pkcs11_kms package for the hardware platform:
# pkgadd [-d path to parent dir of package] SUNWpkcs11kms
- Install the provider into the Solaris Crypto Framework. The single quotes are significant, because they keep the shell from expanding $ISA:
# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
Oracle Linux Server
pkcs11_kms is distributed as patch 26093641 for Linux 6 and patch 25979695 for Linux 7 on the My Oracle Support site at https://support.oracle.com
- Log in and click the Patches & Updates tab and search for the specific patch ID directly.
- pkcs11_kms is distributed as an RPM package. Use RPM package manager commands to install this software. For example:
# rpm -i pkcs11kms-1.3.0-1.x86_64.rpm
Uninstall pkcs11_kms
The procedures for uninstalling pkcs11_kms depend on the platform.
Oracle Solaris 11
Enter the following commands:
# cryptoadm uninstall \
provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
# pkg uninstall system/library/security/pkcs11_kms
Oracle Solaris 10 Update 10
Enter the following command:
# pkgrm SUNWpkcs11kms
Oracle Linux Server
When packaged with Oracle Database, the pkcs11_kms provider is uninstalled through the steps used to uninstall the Oracle Database product. If it was installed through another means, reverse the install procedure using rpm. Note that rpm -e takes the installed package name, not the .rpm file name. For example:
# rpm -e pkcs11kms-1.3.0-1.x86_64
Configure Database for TDE
Configure the shared library file (pkcs11_kms.so.1) for TDE access.
Each Oracle Database server must be running on a supported pkcs11_kms platform. For Oracle Database 12.2.0.2, mandatory patch 12626642 must be installed. This patch is available at the following URL:
https://updates.oracle.com/download/12626642.html
Once installed, the shared library file (pkcs11_kms.so.1) must be configured for TDE access. The library path is OS-specific:
- /usr/lib/security/pkcs11_kms.so.1 (Solaris only, 32-bit)
- /usr/lib/security/amd64/pkcs11_kms.so.1 (Solaris only, 64-bit)
- /usr/lib64/pkcs11_kms.so.1 (Linux only, 64-bit)
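The following preflight script is an added example, not Oracle's own tooling. It maps the platform to the library path listed above, confirms the file is present, and on Solaris interprets the cryptoadm verification output so that a provider that still reports 'no slots presented' is flagged as needing kmscfg before TDE is configured. The function and variable names are the author's own; the 'CKM_' mechanism prefix is the standard PKCS#11 naming that cryptoadm prints.

```shell
#!/bin/sh
# Preflight check for a pkcs11_kms installation (example code, not part of the OKM product).

# Print the pkcs11_kms library path for a platform.
# $1 = output of 'uname -s' (SunOS or Linux), $2 = 32 or 64. Fails for unsupported combinations.
pkcs11_kms_lib_path() {
    case "$1:$2" in
        SunOS:32) echo /usr/lib/security/pkcs11_kms.so.1 ;;
        SunOS:64) echo /usr/lib/security/amd64/pkcs11_kms.so.1 ;;
        Linux:64) echo /usr/lib64/pkcs11_kms.so.1 ;;
        *)        return 1 ;;
    esac
}

# Classify the output of 'cryptoadm list -m -v provider=...' (passed as $1):
#   unconfigured - provider installed, but kmscfg has not been run yet
#   ready        - provider lists PKCS#11 mechanisms (CKM_*), so slots are presented
#   unknown      - anything else (inspect the raw output)
cryptoadm_status() {
    if printf '%s\n' "$1" | grep -qi 'no slots presented'; then
        echo unconfigured
    elif printf '%s\n' "$1" | grep -q 'CKM_'; then
        echo ready
    else
        echo unknown
    fi
}

# End-to-end check on the local host. Returns 0 only when the library is present
# and (on Solaris) the Crypto Framework already presents slots for it.
check_pkcs11_kms() {
    os=$(uname -s)
    case "$os" in
        SunOS) bits=$(isainfo -b) ;;
        *)     bits=$(getconf LONG_BIT) ;;
    esac
    lib=$(pkcs11_kms_lib_path "$os" "$bits") || { echo "unsupported platform: $os $bits-bit"; return 2; }
    [ -f "$lib" ] || { echo "missing: $lib (install pkcs11_kms first)"; return 1; }
    if [ "$os" = SunOS ]; then
        out=$(cryptoadm list -m -v provider='/usr/lib/security/$ISA/pkcs11_kms.so.1' 2>&1)
        status=$(cryptoadm_status "$out")
        echo "$lib: $status"
        [ "$status" = unconfigured ] && echo "run kmscfg to register this host with the OKM cluster"
        [ "$status" = ready ]
    else
        echo "$lib: provided by $(rpm -qf "$lib" 2>/dev/null || echo 'no owning RPM')"
    fi
}
```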