Migrate Master Keys from the Oracle Wallet
Retain the old wallet and have OKM generate a new master key.
Refer to the document Oracle Advanced Security Transparent Data Encryption Best Practices, referenced at the beginning of this appendix. The Oracle Database Administrator must perform re-key operations before the key's lifecycle dictates. Otherwise, the database will not start. Refer to the various Oracle Database and TDE documents for the DDL used to perform this operation.
Re-Key Due to OKM Policy Based Key Expiration
The Oracle Database Administrator must perform re-key operations before the key's lifecycle dictates; otherwise, the database will not start.
Once a key reaches the post-operational state, each key retrieval by TDE triggers a warning in the OKM audit logs indicating that a post-operational key has been retrieved. The presence of these audit messages is an indication that it is time to re-key the database instance's master encryption key. The OKM audit message identifies the specific agent and key being retrieved, so that the Oracle Database instance and master encryption key that have reached the post-operational state can be identified. Notification through SNMP v3 informs or SNMP v2 traps may be configured in OKM to support automation of this process.
The pkcs11_kms provider will attempt to inform its PKCS#11 consumers that the key has reached the post-operational state. This is done by setting the PKCS#11 "CKA_ENCRYPT" attribute to false for the master key.
All released versions of Oracle Database 11 and 12 will try to use a key to encrypt data after its encryption period has expired. TDE will never automatically re-key the TDE master key.
On Solaris, you may see errors similar to the following in the database alert logs:
HSM heartbeat died. Likely the connection has been lost. PKCS11 function C_EncryptInit returned PKCS11 error code: 104 HSM connection lost, closing wallet
If this error is encountered, the Database Administrator must perform the following actions:
On Oracle Linux, the default for the pkcs11_kms provider allows the use of deactivated keys; however, you will see errors similar to the following in the /var/log/messages file:
pkcs11_kms: Encrypting with key which does not support encryption (check to see if key is expired or revoked
If this message is encountered, the database administrator should re-key the TDE master key as described in the Oracle Database administration documentation.
In spite of this, TDE will continue to use the key and not perform an automatic re-key operation. OKM administrators observing the post-operational key retrieval audit warnings must inform a Database Administrator that it is time to re-key their database instance's master key.
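The two log signatures quoted above are what an operator can watch for to learn that a re-key is overdue. The following scanner is an added example, not code from the OKM documentation or the pkcs11_kms provider; the sample log lines are constructed from the messages quoted on this page, and the status names are this example's own.

```python
import re

# Added example (not OKM or Oracle code): detect the messages described above
# that show a TDE master key has passed into the post-operational state.

# Solaris: pkcs11_kms refuses the deactivated key and TDE closes the wallet.
ALERT_LOG_PATTERN = re.compile(
    r"C_EncryptInit returned PKCS11 error code: 104|HSM connection lost, closing wallet")
# Oracle Linux: pkcs11_kms keeps encrypting with the key but warns in syslog.
MESSAGES_PATTERN = re.compile(
    r"pkcs11_kms: Encrypting with key which does not support encryption")

def scan_alert_log(lines):
    """Return matching database alert-log lines; a hit means TDE stopped encrypting."""
    return [l.strip() for l in lines if ALERT_LOG_PATTERN.search(l)]

def scan_messages(lines):
    """Return matching /var/log/messages lines; the expired key is still in use."""
    return [l.strip() for l in lines if MESSAGES_PATTERN.search(l)]

def rekey_status(alert_lines, message_lines):
    """Classify the state for an operator alert (status names are this example's own)."""
    if scan_alert_log(alert_lines):
        return "REKEY_REQUIRED_DATABASE_IMPACTED"   # Solaris: wallet closed
    if scan_messages(message_lines):
        return "REKEY_REQUIRED_KEY_STILL_IN_USE"    # Linux: warning on each encrypt
    return "OK"

# Constructed sample input modelled on the messages quoted in the text.
SAMPLE_ALERT_LOG = [
    "Thu Jan 01 00:00:00 2015",  # constructed timestamp line
    "HSM heartbeat died. Likely the connection has been lost.",
    "PKCS11 function C_EncryptInit returned PKCS11 error code: 104",
    "HSM connection lost, closing wallet",
]
SAMPLE_MESSAGES = [
    "Jan  1 00:00:00 dbhost pkcs11_kms: Encrypting with key which does not "
    "support encryption (check to see if key is expired or revoked",
    "Jan  1 00:00:01 dbhost sshd[1234]: Accepted publickey for oracle",  # noise
]

if __name__ == "__main__":
    print(rekey_status(SAMPLE_ALERT_LOG, []))   # Solaris case
    print(rekey_status([], SAMPLE_MESSAGES))    # Oracle Linux case
```

Either non-OK status should be routed to the Database Administrator, since TDE will not re-key on its own.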