TDE and SEPS security - how do I get there?
If you read my last blog post on TDE and SEPS security you might be asking yourself, how do I get there?
Many customers use the default location for the TDE wallet (because they are new to TDE) and find that the default location causes conflicts with other Oracle features.
The basic question around this would be:
"All my TDE wallets are in the default location of $ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet
or
$ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet
and I have multiple databases sharing the same $ORACLE_HOME location.
How do I get to a dedicated location for TDE?"
The challenge, especially if you want to use WALLET_LOCATION (which the ZDLRA requires for real-time redo), is how to get from the default to a dedicated location.
The issue is that WALLET_LOCATION overrides the default TDE wallet location unless a dedicated TDE wallet location is specified.
First, the SQLNET.ORA file is ONLY read by the database at startup. Any changes made to the sqlnet.ora file take effect when a database instance bounces. You do want to be careful with the coordination, however, because a database instance can bounce at any time for any number of reasons, so plan carefully.
Now let's start with where to put the TDE wallet files. There are many options:
1) Leave the wallet files within the $ORACLE_HOME directory using the $ORACLE_SID.
PROS - This is less disruptive since it uses a variable already set
CONS - Wallets have to be moved to a new location with an out-of-place upgrade.
You need to copy the wallet to this new location when implementing.
In a multi-node RAC cluster the location is different on each node
STEPS
- For each database sharing the $ORACLE_HOME ensure there is a wallet subdirectory created on each node for every instance.
- Copy the wallet files to the appropriate subdirectory for each node and for each instance
- Update the SQLNET.ORA file to point to $ORACLE_HOME/admin/$ORACLE_SID/tde_wallet
2) Leave the wallet files within the original location in $ORACLE_HOME that uses the $DB_UNIQUE_NAME.
PROS - You don't have to move the wallet files
CONS - You need to set a new variable
Wallets have to be moved to a new location with an out-of-place upgrade.
STEPS
- For ALL databases sharing the same $ORACLE_HOME ensure that the variable $DB_UNIQUE_NAME is set through srvctl (if available). This ensures all nodes in a RAC cluster have the variable set.
- Ensure all login scripts on all nodes (including the login script) have the variable $DB_UNIQUE_NAME set
- Update the SQLNET.ORA file to point to the $ORACLE_HOME/admin/$DB_UNIQUE_NAME/wallet
3) Leave (or move) the wallet files within the $ORACLE_BASE directory using the $ORACLE_SID.
PROS - This is less disruptive since it uses a variable already set
CONS - Wallets have to be moved to a new location with an out-of-place upgrade.
You need to copy the wallet to this new location when implementing.
In a multi-node RAC cluster the location is different on each node
STEPS
- For each database sharing the $ORACLE_HOME ensure there is a wallet subdirectory created on each node for every instance within the $ORACLE_BASE/admin directory (unless this was already the default)
- If necessary, copy the wallet files to the appropriate subdirectory for each node and for each instance
- Update the SQLNET.ORA file to point to $ORACLE_BASE/admin/$ORACLE_SID/wallet
4) Migrate to $ORACLE_BASE and use $DB_UNIQUE_NAME
PROS - Once set, you can leave the wallets after out-of-place upgrades
CONS - You need to copy the wallet to this new location when implementing.
You need to set a variable to be used
STEPS
- For each database sharing the $ORACLE_HOME ensure there is a wallet subdirectory created on each node for every $DB_UNIQUE_NAME within the $ORACLE_BASE/admin directory (unless this was already the default)
- Copy the wallet files to the appropriate subdirectory for each node and for each instance
- For ALL databases sharing the same $ORACLE_HOME ensure that the variable $DB_UNIQUE_NAME is set through srvctl (if available). This ensures all nodes in a RAC cluster have the variable set.
- Ensure all login scripts on all nodes (including the login script) have the variable $DB_UNIQUE_NAME set
- Update the SQLNET.ORA file to point to $ORACLE_BASE/admin/$DB_UNIQUE_NAME/tde_wallet
5) Migrate to ASM (Not available in 11.2) and use $DB_UNIQUE_NAME
PROS - Once set, you can leave the wallets after out-of-place upgrades
You now have a central location for a RAC cluster
CONS - You need to copy the wallet to this new location when implementing.
You need to set a variable to be used
STEPS
- For each database sharing the $ORACLE_HOME ensure there is a wallet subdirectory created in ASM for every $DB_UNIQUE_NAME
- Copy the wallet files to the appropriate subdirectory for each database
- For ALL databases sharing the same $ORACLE_HOME ensure that the variable $DB_UNIQUE_NAME is set through srvctl (if available). This ensures all nodes in a RAC cluster have the variable set.
- Ensure all login scripts on all nodes (including the login script) have the variable $DB_UNIQUE_NAME set
- Update the SQLNET.ORA file to point to +DISKGROUP/$DB_UNIQUE_NAME/tde_wallet
It's your choice which path to take. For me, the best (if ASM isn't an option) is to put the TDE wallets within $ORACLE_BASE/admin/$DB_UNIQUE_NAME/tde_wallet. That way, with each out-of-place upgrade I don't have to do anything with the wallet. As long as the sqlnet.ora points to the $ORACLE_BASE there won't be any changes.
NOTE: for 18c and above just migrate to WALLET_ROOT, which allows you to set the value for each database individually.
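The recommended option 4, as an added shell example that is not the post's own code: it copies the wallet files into $ORACLE_BASE/admin/$DB_UNIQUE_NAME/tde_wallet with owner-only permissions, writes a sqlnet.ora that gives TDE its own ENCRYPTION_WALLET_LOCATION entry next to the SEPS WALLET_LOCATION, and checks that the dedicated entry is the one that will be used. The database name ORCL, the temporary directories and the helper names are assumptions, and it covers the pre-18c sqlnet.ora approach, not WALLET_ROOT.

```shell
#!/bin/sh
# Added example, not the post's own code: option 4 done with shell helpers.
# ORCL and the temp paths are assumptions. Originals stay put; copies go to
# the dedicated directory, and sqlnet.ora gets its own TDE entry
# (ENCRYPTION_WALLET_LOCATION) beside SEPS WALLET_LOCATION; read at restart.

# tde_wallet_dir ORACLE_BASE DB_UNIQUE_NAME -> dedicated wallet path
tde_wallet_dir() { printf '%s/admin/%s/tde_wallet\n' "$1" "$2"; }

# migrate_wallet SRC_DIR ORACLE_BASE DB_UNIQUE_NAME -> prints the new path;
# fails if SRC_DIR has no ewallet.p12, and keeps the copies owner-only
migrate_wallet() {
    src="$1"; dest="$(tde_wallet_dir "$2" "$3")"
    if [ ! -f "$src/ewallet.p12" ]; then
        echo "no ewallet.p12 found in $src" >&2; return 1
    fi
    mkdir -p "$dest" && chmod 700 "$dest"
    cp -p "$src/ewallet.p12" "$dest/"
    if [ -f "$src/cwallet.sso" ]; then       # auto-login wallet, if any
        cp -p "$src/cwallet.sso" "$dest/"
    fi
    chmod 600 "$dest"/*
    echo "$dest"
}

# write_sqlnet SQLNET_FILE TDE_DIR SEPS_DIR -> writes both wallet entries
write_sqlnet() {
    cat > "$1" <<EOF
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$2)))
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$3)))
EOF
}

# check_sqlnet SQLNET_FILE TDE_DIR -> 0 only if the dedicated TDE entry is
# present and points at TDE_DIR, i.e. WALLET_LOCATION no longer wins for TDE
check_sqlnet() {
    grep -q '^ENCRYPTION_WALLET_LOCATION' "$1" && grep -qF "(DIRECTORY=$2)" "$1"
}

# demo -> the whole flow on constructed placeholder files (not real wallets)
demo() {
    base="$(mktemp -d)"; mkdir -p "$base/admin/ORCL/wallet"
    printf 'placeholder' > "$base/admin/ORCL/wallet/ewallet.p12"
    new="$(migrate_wallet "$base/admin/ORCL/wallet" "$base" ORCL)"
    write_sqlnet "$base/sqlnet.ora" "$new" "$base/admin/ORCL/seps_wallet"
    check_sqlnet "$base/sqlnet.ora" "$new" && echo "TDE wallet now at $new"
    rm -rf "$base"
}
```

Run the helpers on every node that shares the $ORACLE_HOME, then bounce each instance at a planned time, since the rewritten sqlnet.ora is only read at startup.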