How to migrate your local TDE wallet to Oracle Key Vault .
Here and here are the links to the 21C document that I used for to go through this process.
Also, in order to keep up on OKV and new features, the Product manager Peter Wahl has a great blog where you can learn about on the latest additions to the product, and new release information.
I am assuming that you installed the OKV server cluster by this point.
NOTE: If you are using the RestAPI method of installing the client, you can go straight to step #6. Be sure you have changed the password using the command below.
Below are the steps.
1) Add the database/host to OKV as an endpoint.
Remember in OKV, each endpoint is unique, but a wallet is shared between endpoints.
I navigate to the endpoint tab and click on the "Add" button.
I fill in the information for my database (TDETEST from my previous post). This is the CDB, as I am using a UNITED wallet for all PDBs that are a member of my CDB. Once filled in I click on the "Register" button.
2) Create wallet in OKV and associate it with the endpoint(s)
3) Make this wallet the default wallet for the endpoint
4) Download the OKV client install file
- Click on the "Submit Token" button, and it will validate the token
- Click on "Enroll" to begin the download of the install file. If SMTP was configured, you can also have the software install e-mailed to the endpoint administrator.
5) Transfer the .jar file to the database host and install it.
The pre-requisites are in the install guide. The oracle environment during the install must be set to the database you are configuration ($ORACLE_HOME, $ORACLE_BASE, $ORACLE_SID)
[oracle@oracle-server okvtest]$ java -jar /home/oracle/app/oracle/admin/tdetest/tdetest_okv.jar -d /home/oracle/app/oracle/admin/tdetest/wallet/okv
Detected JAVA_HOME: /home/oracle/db_19c/jdk
Enter new Key Vault endpoint password (<enter> for auto-login):
Confirm new Key Vault endpoint password:
The endpoint software for Oracle Key Vault installed successfully.
Deleted the file : /home/oracle/app/oracle/okvfiles/okvtest/okvtest_install.jar
[oracle@oracle-server okvtest]$
If this is the first time OKV is being installed on the server, you need to execute the root.sh script (located in the /bin directory within the install location) as root. If it has already been executed, you can skip this step.
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Finally, verify that we can connect OKV by executing "okvutil list". If successful, you will receive "default template". This script is located in the /bin directory within the install.
oracle@oracle-server bin]$ ./okvutil list
Enter Oracle Key Vault endpoint password:
Unique ID Type Identifier
E8C825BB-649C-451E-98B8-E128B675FD31 Template Default template for TDETEST_PRIMARY_NODE1
6) Review how OKV connects to the database.
- WALLET_ROOT is set in the database, and within WALLET_ROOT there is an "/okv" directory where the endpoint software must be installed.
- On the OS itself, a library is installed (as root if it's not already there) to take care of the encryption. The location on Linux is "/opt/oracle/extapi/64/hsm/oracle"
- A link is created to a config file for this endpoint. This link is located in $ORACLE_BASE/okv/$DB_UNIQUE_NAME and links to 2 files that were part of the install. okvclient.lck, and okvclient.ora.
7) Upload the keys from the local wallet into OKV
[oracle@oracle-server bin]$ ./okvutil upload -t WALLET -l /home/oracle/app/oracle/admin/tdetest/wallet/tde -g tdetest -v 2
okvutil version 21.1.0.0.0
Endpoint type: Oracle Database
Configuration file: /home/oracle/app/oracle/admin/tdetest/wallet/okv/conf/okvclient.ora
Server: 10.0.0.150:5696
Standby Servers:
Uploading from /home/oracle/app/oracle/admin/tdetest/wallet/tde
Enter source wallet password:
Enter Oracle Key Vault endpoint password:
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KT.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF507489CE7703B4E0536800000A8180
ORACLE.SECURITY.KM.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF5072A8540A032BE0536800000AB0DD
ORACLE.SECURITY.KM.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KT.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF50708B8BEB0266E0536800000A7B90
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Uploaded 4 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 6 opaque objects
Uploading private persona
Uploading certificate request
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
Within the upload, I can see where the TDE master keys are being uploaded for my PDBs by looking at the PDB guids.
PDB PDB_ID
SQL> column name format a40
SQL> select name,guid from v$pdbs;
NAME GUID
---------------------------------------- --------------------------------
PDB$SEED BF5039AF39966A70E0536800000A09E1
TDEPDB1 BF50708B8BEB0266E0536800000A7B90
TDEPDB2 BF5072A8540A032BE0536800000AB0DD
TDEPDB3 BF507489CE7703B4E0536800000A8180
And I can look in the wallet in OKV (filtering by Symmetric key) and see the contents that was uploaded from the local wallet. In this screen I can identify the PDB key because I used tags when I created the keys.
8) Add secret to allow use of "External Store".
1) I am going to add the OKV password to the keystore as a secret to allow me to use the "EXTERNAL STORE" instead of the password.
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2021!' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/home/oracle/app/oracle/admin/tdetest/wallet/tde_seps';
- The keystore must be in a subdirectory of the WALLET_ROOT location called "tde_seps" in order to be found.
- The "FOR CLIENT" entry must be 'OKV_PASSWORD' to be found.
- It must be AUTO_LOGIN so that it can be opened and used.
2) I am going to add the OKV password to the keystore as a secret to allow me to auto logon to the OKV Keystore.
ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2021!' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/home/oracle/app/oracle/admin/tdetest/wallet/tde';
3) I need to change the TDE_CONFIGURATION (which is dynamic).
'ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;
4) I am going to bounce the database, and ensure that both my file and OKV wallets open up properly.
PDB Name Type WRL_PARAMETER Status WALLET_TYPE KEYSTORE Backed Up
---------- ---------- -------------------------------------------------- ------------------------------ -------------------- -------- ----------
CDB$ROOT FILE /home/oracle/app/oracle/admin/tdetest/wallet//tde/ OPEN AUTOLOGIN NONE YES
CDB$ROOT OKV OPEN_NO_MASTER_KEY OKV NONE UNDEFINED
PDB$SEED FILE OPEN AUTOLOGIN UNITED YES
PDB$SEED OKV OPEN_NO_MASTER_KEY OKV UNITED UNDEFINED
TDEPDB1 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB1 OKV OPEN_NO_MASTER_KEY OKV UNITED UNDEFINED
TDEPDB2 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB2 OKV OPEN_NO_MASTER_KEY OKV UNITED UNDEFINED
TDEPDB3 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB3 OKV OPEN_NO_MASTER_KEY OKV UNITED UNDEFINED
10 rows selected.
9) Combine the local wallet File and OKV.
Next I need to migrate the keys using the local wallet. Note this will rekey the database.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "0KV2021!" MIGRATE USING "F1LE2021!" WITH BACKUP;
PDB Name Type WRL_PARAMETER Status WALLET_TYPE KEYSTORE Backed Up
---------- ---------- -------------------------------------------------- ------------------------------ -------------------- -------- ----------
CDB$ROOT FILE /home/oracle/app/oracle/admin/tdetest/wallet//tde/ OPEN AUTOLOGIN NONE YES
CDB$ROOT OKV OPEN OKV NONE UNDEFINED
PDB$SEED FILE CLOSED UNKNOWN UNITED UNDEFINED
PDB$SEED OKV CLOSED UNKNOWN UNITED UNDEFINED
TDEPDB1 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB1 OKV OPEN OKV UNITED UNDEFINED
TDEPDB2 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB2 OKV OPEN OKV UNITED UNDEFINED
TDEPDB3 FILE OPEN AUTOLOGIN UNITED YES
TDEPDB3 OKV OPEN OKV UNITED UNDEFINED
9) Combine the local wallet
The most important notes I found during this process
- WALLET_ROOT and TDE_CONFIGURATION should be used in 19c.
- The password for OKV
- add secret to the wallet in WALLET_ROOT/tde_seps using client 'OKV_PASSWORD'
- add secret to the wallet in WALLET_ROOT/tde using client 'HSM_PASSWORD'
- OKV must be installed in WALLET_ROOT/okv
- The local wallet for TDE must be in WALLET_ROOT/tde
what about sqlnet.ora no changes to HSM ?
ReplyDeleteIf you are using the "WALLET_ROOT" parameter, you no longer have to deal with the sqlnet.ora. This is a much better solution for environments with multiple databases sharing the same $ORACLE_HOME location.
DeleteHi Bryan. Thanks for the blog post. Could you clarify step #8? Why is the local TDE keystore mentioned as "/home/oracle/app/oracle/admin/tdetest/wallet/tde_seps" instead of "/home/oracle/app/oracle/admin/tdetest/wallet/tde"? Do you explicitly create tde_seps folder under the wallet root directory?
ReplyDelete