Configuring Oracle Software Keystore for United Mode
- Enable United Mode
Step2> If necessary, create a directory to hold the wallet
$mkdir -p /u01/dbatst1/stage/wallet
Step3> Set the WALLET_ROOT and TDE_CONFIGURATION parameters as shown below
Create Pfile
SQL> create pfile='/tmp/initTEST.ora' from spfile;
File created.
Enter the following parameters in Pfile /tmp/initTEST.ora
wallet_root=/u01/dbatst1/stage/wallet
tde_configuration="keystore_configuration=file"
Start the instance in NOMOUNT mode using Pfile /tmp/initTEST.ora
SQL> shut immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup nomount pfile='/tmp/initTEST.ora';
ORACLE instance started.
Total System Global Area 2147482464 bytes
Fixed Size 8899424 bytes
Variable Size 1912602624 bytes
Database Buffers 218103808 bytes
Redo Buffers 7876608 bytes
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/dbatst1/stage/wallet
SQL> show parameter tde_configuration
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string keystore_configuration=file
Create spfile from modified pfile
SQL> create spfile from pfile='/tmp/initTEST.ora';
File created.
Restart the database with spfile
SQL> shut immediate;
ORA-01507: database not mounted
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 2147482464 bytes
Fixed Size 8899424 bytes
Variable Size 1912602624 bytes
Database Buffers 218103808 bytes
Redo Buffers 7876608 bytes
Database mounted.
Database opened.
Confirm that the TDE_CONFIGURATION parameter was set correctly
SQL> select ec.CON_ID,pd.NAME,ec.KEYSTORE_MODE from V$ENCRYPTION_WALLET ec,v$PDBS pd where ec.CON_ID=pd.CON_ID;
CON_ID NAME KEYSTORE
---------- -------------------- --------
2 PDB$SEED UNITED
3 PDB01 UNITED
- Configuring Software Keystore in United Mode
Create the Software Keystore
Log in to the CDB root and create the keystore
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY password;
keystore altered.
Open the keystore in the CDB root
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
keystore altered.
Verify the keystore status
SQL> SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET;
CON_ID STATUS WRL_PARAMETER
---------- ---------------------------------------- ----------------------------------------------------------------------
1 OPEN_NO_MASTER_KEY /u01/dbatst1/stage/wallet/tde/
2 CLOSED
3 CLOSED
Open the keystore in each PDB
Connect to the PDB directly, or connect to the CDB root and switch to the PDB container
SQL> alter session set container=PDB01;
Session altered.
SQL> SELECT STATUS FROM V$ENCRYPTION_WALLET;
STATUS
------------------------------
CLOSED
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
Verify the keystore status
SQL> SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET;
CON_ID STATUS WRL_PARAMETER
---------- ---------------------------------------- ----------------------------------------------------------------------
3 OPEN_NO_MASTER_KEY
- Set the TDE Master Encryption Key in the Software Keystore in United Mode
Log in to the CDB root
SQL> ADMINISTER KEY MANAGEMENT SET KEY
IDENTIFIED BY password
WITH BACKUP USING 'emp_key_backup';
keystore altered.
Set the TDE Master Encryption Key in Each United PDB
Ensure that the database is open in READ WRITE mode.
SQL> alter session set container=PDB01;
SQL> ADMINISTER KEY MANAGEMENT SET KEY
IDENTIFIED BY password
WITH BACKUP USING 'pdb_key_backup';
keystore altered.
SQL> SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET;
Confirm that the TDE master encryption key is set.
SQL> SELECT MASTERKEY_ACTIVATED FROM V$DATABASE_KEY_INFO;
MASTERKEY_ACTIVATED
------------------------------------------------------------
YES
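The shell script below is an added example, not part of the original page, that automates two checks a DBA would run after finishing the procedure above: that the WALLET_ROOT directory created with mkdir -p in Step2 is owned by the database software owner and is not readable by group or others (mkdir -p only applies the umask, so the page's command may leave the wallet files group- or world-readable), and that the keystore is OPEN in every container, by parsing saved SQL*Plus output of the SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET query. The function names, the expected owner, and the embedded sample output are assumptions constructed for illustration; the script runs offline against a temporary directory and that sample.

```shell
#!/bin/sh
# Added example, not part of the original page: post-configuration checks for a
# united-mode software keystore. Function names are hypothetical; the expected
# owner and SAMPLE_WALLET_STATUS below are constructed for illustration.

# check_wallet_dir DIR OWNER
# The page creates WALLET_ROOT with a bare "mkdir -p", which inherits the umask.
# This verifies the directory exists, belongs to the expected OS user and is
# mode 700, so only the database software owner can read the wallet files.
check_wallet_dir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL: wallet directory $dir does not exist"
        return 1
    fi
    # "ls -ld" is portable: columns 2-10 hold the rwx bits, field 3 the owner.
    listing=$(ls -ld "$dir")
    perms=$(printf '%s\n' "$listing" | cut -c2-10)
    dir_owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$dir_owner" != "$owner" ]; then
        echo "FAIL: $dir is owned by $dir_owner, expected $owner"
        return 1
    fi
    case $perms in
        rwx------)
            echo "OK: $dir is mode 700 and owned by $owner"
            return 0 ;;
        *)
            echo "FAIL: $dir has permissions $perms, expected rwx------ (chmod 700)"
            return 1 ;;
    esac
}

# closed_containers
# Reads on stdin the SQL*Plus output of
#   SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET;
# and prints "CON_ID STATUS" for every container whose keystore is not OPEN
# (CLOSED, or OPEN_NO_MASTER_KEY, meaning no TDE master key is set yet).
# Returns 1 when at least one such container exists, 0 otherwise.
closed_containers() {
    awk '
        BEGIN { bad = 0 }
        # Data rows start with a numeric CON_ID; the header line and the
        # dashed rule line do not, so they are skipped.
        $1 ~ /^[0-9]+$/ && $2 != "OPEN" { print $1, $2; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample output, laid out like the SQL*Plus output on the page.
SAMPLE_WALLET_STATUS='CON_ID STATUS WRL_PARAMETER
---------- ---------------------------------------- ----------------------------------------
1 OPEN /u01/dbatst1/stage/wallet/tde/
2 OPEN_NO_MASTER_KEY
3 CLOSED'

# Stand-alone demonstration: a temporary directory stands in for WALLET_ROOT
# and the current user for the database software owner.
me=$(id -un 2>/dev/null || id -u)
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
check_wallet_dir "$demo_dir" "$me"
chmod 750 "$demo_dir"
check_wallet_dir "$demo_dir" "$me" || echo "(expected: group-readable directory is rejected)"
rmdir "$demo_dir"
printf '%s\n' "$SAMPLE_WALLET_STATUS" | closed_containers \
    || echo "ACTION: open the keystore or set the master key in the containers listed above"
```

On a real system, call check_wallet_dir with the WALLET_ROOT path from the page and the OS account that owns the Oracle software, and pipe the spooled output of the V$ENCRYPTION_WALLET query into closed_containers; a non-zero exit from either function is a finding to act on before encrypting data.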
Encrypt Your Data in United Mode