TDE and SEPS security
I am seeing TDE used more and more at customers as security concerns increase.
This blog post walks through configuring TDE and SEPS (Secure External Password Store, which ZDLRA uses) together.
If OID is also in use, there is a separate post on combining OID and SEPS.
First off, the right setup depends on the Oracle version you are running. Depending on your configuration, SEPS and TDE may end up using the same wallet. This is NOT recommended: the SEPS wallet is an auto-login wallet holding client credentials, and the TDE master key does not belong in it.
Below is the order in which Oracle looks for the TDE wallet. It stops at the first setting it finds:
ENCRYPTION_WALLET_LOCATION (sqlnet.ora)
WALLET_LOCATION (sqlnet.ora)
$ORACLE_BASE/admin/$DB_UNIQUE_NAME/wallet (when $ORACLE_BASE is set)
$ORACLE_HOME/admin/$DB_UNIQUE_NAME/wallet
**NOTE: unless ENCRYPTION_WALLET_LOCATION is already set, setting WALLET_LOCATION (which SEPS requires) will break TDE: the database will look for its keystore in the SEPS wallet directory, and either fails to find its master key or, if a keystore is created there, stores the master key in the auto-login wallet that every SEPS client can open.
When using SEPS it is therefore critical that you set the TDE wallet location explicitly first.
11.2
First let's talk through 11.2 and the recommendation for the TDE encryption wallet. This is the most basic configuration. Best practice is to set ENCRYPTION_WALLET_LOCATION in sqlnet.ora.
If multiple databases share the same $ORACLE_HOME (and therefore the same sqlnet.ora), the location must use a variable so that each database resolves its own wallet directory.
Single home example.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/tde_wallet)))
Multi-Home examples
Example 1 - using the $ORACLE_SID variable for the location (note that on RAC the SID differs per instance, so each node would resolve a different directory; the $DB_UNIQUE_NAME approach in Example 2 avoids that)
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
Example 2 - using a new variable
First ensure the variable is set when srvctl is used to restart the databases (12c syntax shown; 11.2 srvctl uses -d and -t in place of -db and -env):
srvctl setenv database -db database_name -env "DB_UNIQUE_NAME=database_name"
Second ensure the variable is set in any scripts and when logging into the host:
export DB_UNIQUE_NAME=database_name
Then use this variable within sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/admin/$DB_UNIQUE_NAME/tde_wallet)))
** NOTE: because sqlnet.ora is shared by every database started from that $ORACLE_HOME, you need to create the directory for all of them, even those that don't use TDE or SEPS.
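The lookup order and the sqlnet.ora fragments above can be checked mechanically before a restart surprises you. The script below is an added example, not part of the original post and not an Oracle tool: it parses a sqlnet.ora, resolves the TDE wallet directory using the precedence described (ENCRYPTION_WALLET_LOCATION, then WALLET_LOCATION, then the $ORACLE_BASE or $ORACLE_HOME default), expands $VARIABLE references from the calling environment the way the database process would, and reports when TDE and SEPS would share a wallet. The two sqlnet.ora files it writes are constructed samples, and the default-path branch assumes DB_UNIQUE_NAME is exported as this post recommends.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which wallet TDE will open from a
# sqlnet.ora and flag a collision with the SEPS wallet. Sample files below are constructed.

# param_dir FILE NAME: print the DIRECTORY inside top-level parameter NAME, or nothing.
param_dir() {
  awk -v p="$2" '
    { sub(/#.*/, ""); gsub(/[ \t\r]+/, " "); s = s " " $0 }   # strip comments, join lines
    END {
      gsub(/ *= */, "=", s); gsub(/ *\( */, "(", s); gsub(/ *\) */, ")", s)
      n = length(s); i = 1
      while ((j = index(substr(s, i), p "=")) > 0) {
        pos = i + j - 1
        prev = substr(s, pos - 1, 1)
        if (prev !~ /[A-Za-z0-9_.]/) {   # a real entry, not the tail of ENCRYPTION_WALLET_LOCATION
          k = pos + length(p) + 1; depth = 0; start = k
          while (k <= n) {               # walk the balanced parentheses of this entry only
            c = substr(s, k, 1)
            if (c == "(") depth++
            else if (c == ")") { depth--; if (depth == 0) break }
            else if (c == " " && depth == 0) break
            k++
          }
          body = substr(s, start, k - start + 1)
          if (match(body, /DIRECTORY=[^)]+/)) print substr(body, RSTART + 10, RLENGTH - 10)
          exit
        }
        i = pos + 1
      }
    }' "$1"
}

# expand_env STRING: replace $NAME references with values from this shell's environment,
# which is how the database process resolves them in sqlnet.ora.
expand_env() {
  s=$1; guard=0
  while [ "$guard" -lt 16 ]; do            # bound the loop in case a value itself contains $NAME
    case $s in *\$[A-Za-z_]*) ;; *) break ;; esac
    name=$(printf '%s\n' "$s" | sed 's/.*\$\([A-Za-z_][A-Za-z0-9_]*\).*/\1/')
    case $name in *[!A-Za-z0-9_]*|"") break ;; esac   # only a validated identifier reaches eval
    eval "val=\${$name:-}"
    s=$(printf '%s\n' "$s" | awk -v n="$name" -v v="$val" '
      { i = index($0, "$" n); print substr($0, 1, i - 1) v substr($0, i + length(n) + 1) }')
    guard=$((guard + 1))
  done
  printf '%s\n' "$s"
}

# tde_wallet_dir FILE: apply the lookup order TDE uses and print the resolved directory.
# The default branch assumes DB_UNIQUE_NAME is exported, as the multi-home setup requires.
tde_wallet_dir() {
  dir=$(param_dir "$1" ENCRYPTION_WALLET_LOCATION)
  if [ -z "$dir" ]; then
    dir=$(param_dir "$1" WALLET_LOCATION)   # the fall-through that puts TDE into the SEPS wallet
  fi
  if [ -z "$dir" ]; then
    dir="${ORACLE_BASE:-$ORACLE_HOME}/admin/$DB_UNIQUE_NAME/wallet"
  fi
  expand_env "$dir"
}

# seps_wallet_dir FILE: the SEPS (client credential) wallet, which is always WALLET_LOCATION.
seps_wallet_dir() { expand_env "$(param_dir "$1" WALLET_LOCATION)"; }

# check_wallet_separation FILE: 0 when TDE and SEPS resolve to different directories,
# 1 when they collide (the configuration this post warns against).
check_wallet_separation() {
  tde=$(tde_wallet_dir "$1"); seps=$(seps_wallet_dir "$1")
  if [ -n "$seps" ] && [ "$tde" = "$seps" ]; then
    echo "COLLISION: TDE master key and SEPS credentials would share $tde"; return 1
  fi
  echo "TDE wallet:  $tde"; echo "SEPS wallet: ${seps:-(none)}"
}

# make_samples: write two constructed sqlnet.ora files into a temp dir and print its path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/separate.ora" <<'EOF'
# TDE keystore per database, SEPS wallet kept apart from it
ENCRYPTION_WALLET_LOCATION=
  (SOURCE= (METHOD=FILE)
    (METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION=
  (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=/u01/app/oracle/seps_wallet)))
SQLNET.WALLET_OVERRIDE=TRUE
EOF
  cat > "$dir/shared.ora" <<'EOF'
# Only WALLET_LOCATION is set: TDE silently falls through to the SEPS wallet
WALLET_LOCATION=
  (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=/u01/app/oracle/seps_wallet)))
SQLNET.WALLET_OVERRIDE=TRUE
EOF
  printf '%s\n' "$dir"
}

# Usage against the constructed samples; point it at $ORACLE_HOME/network/admin/sqlnet.ora for real checks.
export ORACLE_SID=orcl1
samples=$(make_samples)
check_wallet_separation "$samples/separate.ora"
check_wallet_separation "$samples/shared.ora" || true
rm -rf "$samples"
```

The parenthesis walk matters because a WALLET_LOCATION entry that uses METHOD=HSM or lacks METHOD_DATA would otherwise pick up the DIRECTORY of whatever entry follows it; the identifier check before the name is what stops WALLET_LOCATION from matching inside ENCRYPTION_WALLET_LOCATION.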
12.1/12.2
The configuration for 12.1 is similar to 11.2 with one exception: 12.1 allows an ASM disk group as the wallet location in a RAC environment, so all instances share one keystore. The same lookup order applies.
Here are the ASM examples, based on the 11.2 information.
Single home example.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=+DATA/tde_wallet)))
Multi-Home example
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=+DATA/$DB_UNIQUE_NAME/tde_wallet)))
18c+
Oracle version 18c adds more functionality for the TDE wallet.
18c introduces a new init parameter for TDE called WALLET_ROOT; in fact, the sqlnet.ora parameter ENCRYPTION_WALLET_LOCATION is deprecated in 18c in favour of it (per the 18c documentation). WALLET_ROOT is a static parameter, so set it with SCOPE=SPFILE and restart, and pair it with TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=FILE' for a file-based keystore.
WALLET_ROOT is the starting location of the TDE wallet: the CDB keystore lives under WALLET_ROOT/tde, and each PDB gets its own subdirectory named by its GUID (WALLET_ROOT/<PDB GUID>/tde). Because TDE no longer takes its location from sqlnet.ora, WALLET_LOCATION can be dedicated to SEPS and the two wallets are cleanly separated.
WALLET_ROOT can be either a local file system (including NAS) or an ASM location.
Example
WALLET_ROOT=wallet-root-directory-path
It can also be set to an ASM location
Example
WALLET_ROOT=+disk-group-name/db-unique-name
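For a file-system WALLET_ROOT, the directory tree has to exist with the right ownership and permissions before the keystore is created, and the SEPS wallet must stay outside it. The script below is an added example, not from the original post or from Oracle: it builds the WALLET_ROOT/tde and WALLET_ROOT/<PDB GUID>/tde layout described above and verifies it. The owner-only (0700) permissions are this script's own choice, the PDB GUIDs in the usage section are constructed, and the SEPS path is the one used earlier in the post.

```shell
#!/bin/sh
# Added example (not from the original post or Oracle): build and verify a WALLET_ROOT tree.
# Layout follows the 18c file-keystore convention (WALLET_ROOT/tde for the CDB root and
# WALLET_ROOT/<PDB GUID>/tde per PDB); 0700 permissions are this script's choice and the
# GUIDs in the usage section are constructed.

# prepare_wallet_root ROOT [PDB_GUID ...]: create the tree owner-only; returns 1 on a
# malformed GUID or a failed mkdir.
prepare_wallet_root() {
  root=$1; shift
  for guid in "$@"; do                                 # PDB GUIDs are hex strings
    case $guid in *[!0-9A-Fa-f]*|"") echo "not a PDB GUID: $guid" >&2; return 1 ;; esac
  done
  (umask 077 && mkdir -p "$root/tde") || return 1      # subshell keeps the umask change local
  for guid in "$@"; do
    (umask 077 && mkdir -p "$root/$guid/tde") || return 1
  done
  chmod -R go-rwx "$root"                              # also tightens a pre-existing root
}

# wallet_root_ok ROOT SEPS_DIR: 0 when ROOT/tde exists, every directory under ROOT is 0700,
# and the SEPS wallet directory is not inside ROOT; otherwise print the reason and return 1.
wallet_root_ok() {
  root=$1; seps=$2
  case "$seps/" in
    "$root"/*) echo "SEPS wallet $seps is inside WALLET_ROOT $root"; return 1 ;;
  esac
  [ -d "$root/tde" ] || { echo "missing $root/tde"; return 1; }
  loose=$(find "$root" -type d ! -perm 700 | head -n 1)
  if [ -n "$loose" ]; then echo "$loose is not mode 0700"; return 1; fi
  echo "WALLET_ROOT $root looks sound"
}

# Usage with constructed GUIDs; the SEPS wallet stays under WALLET_LOCATION, outside WALLET_ROOT.
demo_root=$(mktemp -d)/wallet_root
prepare_wallet_root "$demo_root" 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D 0F1E2D3C4B5A69788796A5B4C3D2E1F0
wallet_root_ok "$demo_root" /u01/app/oracle/seps_wallet
wallet_root_ok "$demo_root" "$demo_root/seps" || true    # rejected: SEPS must not live under WALLET_ROOT
rm -rf "${demo_root%/wallet_root}"
```

Run it as the database software owner so the directories end up owned by the account that opens the keystore; the permission check uses an exact mode match, so a group-readable tde directory left over from an earlier setup is reported rather than silently accepted.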