In this post I will show how to use an Oracle Key Vault server to store a shared virtual wallet for Oracle
Database primary and standby servers. Oracle Key Vault is a centralized key store that provides key life
cycle management, alerts (e.g. key expiration), reports, and other administrative functions.
By default the Master Encryption Key that is used for Transparent Data Encryption is stored in a software
wallet on the file system of the database server. Problems you might have with wallets on a file system in
large TDE deployments are
- user errors like forgotten passwords,
- skipped key rotations,
- accidental deletion of wallets,
- etc.
I'll start by setting up Transparent Data Encryption (TDE) with a software wallet on the file system. Then
I will migrate that wallet into Oracle Key Vault.
Having the Master Encryption Keys for Transparent Data Encryption stored in Key Vault makes it
particularly easy to perform re-key operations in an Active Data Guard environment. There's no need to
manually copy the wallet from the primary to the standby server anymore, as you will see in the test at the
end of this blog post.
Environment
The environment I used consists of the following:
Oracle Database 11g Enterprise Edition Release 2; 11.2.0.4 on the primary database and the
standby database.
Physical Data Guard is already configured.
Primary database server name is dg1 with a database name dg1.
Standby database server name is dg2 with a database name dg2.
Oracle Key Vault server is version 12.1.0.0.0.
It is important to do the steps in the right order on the primary and standby server.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/admin/dg2/wallet)))
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/admin/dg1/wallet)))
System altered.
System altered.
Create some Encrypted Sample Data
Create encrypted tablespace emp.
Tablespace created.
User created.
Table created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
1 row created.
SQL>
Commit complete.
System altered.
Log in as keyadmin.
Select the Endpoints tab.
On the Register Endpoint page, enter the metadata for the new endpoint.
Click Register.
When the Endpoint page appears, copy the Enrollment Token for DG1.
Assign DG_WALLET as the Default Wallet.
Click Save.
Select the Endpoints tab.
On the Register Endpoint page, enter the metadata for the new endpoint.
Click Register.
When the Endpoint page appears, copy the Enrollment Token for DG1.
Assign DG_WALLET as the Default Wallet.
Click Save.
Save the okvclient.jar to e.g. /home/oracle.
On the primary server, navigate to /home/oracle. Run the java command to install okvclient.jar.
When asked for a password, press <enter> for auto-login.
Click Enroll to complete the process.
Save the okvclient.jar to e.g. /home/oracle.
On the standby server, navigate to /home/oracle. Run the java command to install okvclient.jar.
When asked for a password, press <enter> for auto-login.
Migrate Wallet
On the Standby Server
Close wallet on the standby server.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=HSM))
Open wallet.
System altered.
System altered.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=HSM)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/admin/dg1/wallet)))
WRL_TYPE STATUS
-------------------- ------------------
File CLOSED
HSM CLOSED
Migrate wallet.
System altered.
WRL_TYPE STATUS
-------------------- ------------------
File CLOSED
HSM OPEN
Test
On the Primary Server
Rekey the Master Encryption Key on the primary database.
System altered.
1 row created.
SQL> commit;
Commit complete.
Switch logfile.
System altered.
As you can see, encrypted data is readable on the standby database without manually copying the wallet
across.
That's it. It's a long post, but the process is fairly straightforward, I believe.
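The SQL*Plus commands behind the Migrate Wallet and Test sections above, in the order this post runs them, as an added example that is not the post's own listing. It assumes the Key Vault endpoints were installed with auto-login (so IDENTIFIED BY NULL stands in for the endpoint password), and the software wallet password and the encrypted table name are placeholders.

```sql
-- Added example, not taken from the post. Assumptions: auto-login OKV endpoint
-- (IDENTIFIED BY NULL), placeholder wallet password and table name.

---------------------------------------------------------------------------
-- Standby (dg2): close the file wallet, switch sqlnet.ora to
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
-- and reopen the wallet, which is now served by Key Vault.
---------------------------------------------------------------------------
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<software_wallet_password>";
-- edit sqlnet.ora on dg2 here, outside SQL*Plus
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY NULL;

---------------------------------------------------------------------------
-- Primary (dg1): sqlnet.ora keeps both methods during the migration:
--   (METHOD=HSM)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/dg1/wallet))
-- Both wallets must be closed before the migrate, then the HSM one opens.
---------------------------------------------------------------------------
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<software_wallet_password>";

SELECT wrl_type, status FROM v$encryption_wallet;
-- expected before the migrate: File CLOSED / HSM CLOSED

-- Move the Master Encryption Key from the software wallet into Key Vault.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY NULL
  MIGRATE USING "<software_wallet_password>";

SELECT wrl_type, status FROM v$encryption_wallet;
-- expected after the migrate: File CLOSED / HSM OPEN

---------------------------------------------------------------------------
-- Test: rekey on the primary, write a row, ship the redo, then read the
-- encrypted table on the standby without copying any wallet file.
---------------------------------------------------------------------------
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY NULL;   -- new Master Encryption Key
INSERT INTO <encrypted_table> VALUES (/* sample row */);
COMMIT;
ALTER SYSTEM SWITCH LOGFILE;

-- On the standby (Active Data Guard, opened read-only): the new key is
-- fetched from the shared virtual wallet DG_WALLET, so the row is readable.
SELECT * FROM <encrypted_table>;
```

If the standby query fails with a wallet or key error, check that the endpoint on dg2 is enrolled into the same DG_WALLET and that v$encryption_wallet there shows HSM OPEN before looking further.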