Oracle

Instructions are provided to configure UKCUnbound Key Control - The name of Unbound's key management product. for an existing Oracle database.

More information about Oracle databases can be found here:

http://www.oracle.com

More information about using encryption on Oracle databases can be found here:

https://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm

Prerequisites

You need the following prerequisites for integration with UKCUnbound Key Control - The name of Unbound's key management product.:

• Oracle version 10g and newer. The integration instructions are provided for 18cXE, 12c release 2, and 19c (19.3).

• Requires Oracle Advanced Security.

• UKCUnbound Key Control - The name of Unbound's key management product. must be configured to use GnuTLS.
• UKCUnbound Key Control - The name of Unbound's key management product. it is recommended to have an auxiliary server.
• The server running the Oracle database must have a version of GnuTLS that matches the GnuTLS version on the UKCUnbound Key Control - The name of Unbound's key management product. servers.

Set up GnuTLS

UKCUnbound Key Control - The name of Unbound's key management product. uses GnuTLS for secure communication between the client and the server. GnuTLS can be downloaded from https://www.gnutls.org.

To implement this capability, on the client machine:

• Install the libgnutls library (version 2.8 and later).
  • If you are running Red Hat Enterprise Linux version 6.7, you need to update GnuTLS:

    sudo yum update gnutls

  • If you are running a Red Hat Enterprise Linux version newer than 6.7, no update is needed.
• Add use_gnutls=1 to the /etc/ekm/client.conf file.

Tip
To check the installed GnuTLS version, run gnutls-cli --version.

UKC Integration with Oracle

Once you have an Oracle database running, use the following process to configure UKCUnbound Key Control - The name of Unbound's key management product. encryption.

1. Create the Unbound directory.

   mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

2. Link the PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library into the Unbound directory.

   ln -fs /<path to libekmpkcs11>/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

   For the platform-dependent location of the libekmpkcs11.so, refer to Path to PKCS#11 Library.

3. Update the permissions.

   sudo chown -R oracle:oinstall /opt/oracle/extapi/
   sudo chmod -R 775 /opt/oracle/extapi/

4. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKCUnbound Key Control - The name of Unbound's key management product. is to be used in place of the standard software wallet.

   1. Edit the profile configuration file.

      $ORACLE_HOME/network/admin/sqlnet.ora

   2. Add ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing)) to sqlnet.ora.
5. If the user's password was never reset, change the password:

   ucl user reset-pwd -p orcl --name user

6. Log into the database.

   sqlplus / as sysdba

7. To create a new master key and begin using transparent data encryption, issue the following command. Note that for these examples, you need to replace the password with the correct value.

   ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<UKC User Password>";

8. Check that the new AES key created.

   ucl list

   Response:

   Partition 0 orcl: 1 object found
   
   Secret AES key : UID=aac95c6b931e9cc2
   Description="ORACLE.TDE.HSM.MK.06A2D65A54A1654F90BF713007439BAD7E"
   Name="0x00aac95c6b931e9cc2"

9. The master encryption key remains accessible to the database until the database instance is shut down. To load the master encryption key after the database is restarted, use the following command.

   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<UKC User Password>";

10. To create a new table with encrypted columns, use the CREATE TABLE command in the following form. The keyword ENCRYPT specifies that the column is encrypted.

    CREATE TABLE <table_name> ( <column_name> <column_type> ENCRYPT,....);

11. If an existing table has columns that require encryption, then use the ALTER TABLE command in the following form.

    ALTER TABLE <table_name> MODIFY ( <column_name> <column_type> ENCRYPT,...);

12. To disable access to all encrypted columns in the database, use:

    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<UKC User Password>";

Oracle Wallet Migration

Use this method if your Oracle database is already encrypted with a software-based wallet and you now want to encrypt with UKCUnbound Key Control - The name of Unbound's key management product..

See this link for more information.

1. If the user's password was never reset, change the password:

   ucl user reset-pwd -p orcl --name user

2. Create the Unbound directory.

   mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

3. Link the PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library into the Unbound directory.

   ln -fs /<path to libekmpkcs11>/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

   For the platform-dependent location of the libekmpkcs11.so, refer to Path to PKCS#11 Library.

4. Update the permissions.

   sudo chown -R oracle:oinstall /opt/oracle/extapi/
   sudo chmod -R 775 /opt/oracle/extapi/

5. Log into the database.

   sqlplus / as sysdba

6. Convert the software keystore to open with the hardware keystore. To set the software keystore password as that of the hardware keystore, use the following syntax:

   ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
   FORCE KEYSTORE
   IDENTIFIED BY software_keystore_password
   SET "user_id:password" WITH BACKUP
   [USING 'backup_identifier'];

   Parameters:

   • software_keystore_password - the same password that you used when creating the software keystore.
   • user_id:password - the new software keystore password which is the same as the password of the HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

7. To create an auto-login keystore for a software keystore, use the following syntax:

   ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE
   FROM KEYSTORE 'keystore_location'
   IDENTIFIED BY software_keystore_password;

8. Configure sqlnet.ora for the migration of the password-based software keystore.
9. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKCUnbound Key Control - The name of Unbound's key management product. is to be used in place of the standard software wallet.

   1. Edit the profile configuration file.

   $ORACLE_HOME/network/admin/sqlnet.ora

   2. Add the following line to sqlnet.ora:
      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing)(METHOD_DATA=(DIRECTORY=wallet_location)))
10. Show the status of the encryption wallets. It should show that both the software wallet and UKCUnbound Key Control - The name of Unbound's key management product. (as "HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing") are open.

    select wrl_type, status from v$ENCRYPTION_WALLET;

    Response:

    WRL_TYPE STATUS
    ------------------------------
    FILE OPEN
    HSM OPEN

11. Perform the hardware keystore migration. Use the following syntax when you run the ADMINISTER KEY MANAGEMENT SQL statement for migration:

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
    IDENTIFIED BY "user_id:password"
    MIGRATE USING software_keystore_password
    [WITH BACKUP [USING 'backup_identifier']];

12. Update the following line in the file sqlnet.ora:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

13. Log out of the SQL Plus database utility and then log back in.

Logout sqlplus
Log in sqlplus

14. Close and open the wallet.
15. Check the wallet status. You should see that only UKCUnbound Key Control - The name of Unbound's key management product. (as "HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing") is open, indicating that the migration is complete.

select wrl_type, status from v$ENCRYPTION_WALLET;

Response:

WRL_TYPE STATUS
-------------------- ------------------------------
FILE NOT_AVAILABLE
HSM OPEN

16. To see that the process succeeded, read data that was encrypted by the software wallet with a key that now exists in UKCUnbound Key Control - The name of Unbound's key management product..

select * from ERGEMP.T_ENCRYPTED;