Oracle Database

Instructions are provided to configure UKC (Unbound Key Control, Unbound's key management product) for an existing Oracle database.

More information about Oracle databases can be found here:

http://www.oracle.com

More information about using encryption on Oracle databases can be found here:

https://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm

Prerequisites

You need the following prerequisites for integration with UKC:

Set up GnuTLS

UKC uses GnuTLS for secure communication between the client and server. GnuTLS can be downloaded from https://www.gnutls.org.

To implement this capability, on the client machine:

  • Install the libgnutls library (version 28 or later).
    • If you are running Red Hat Enterprise Linux version 6.7, you need to update GnuTLS:

      sudo yum update gnutls

    • If you are running a Red Hat Enterprise Linux version newer than 6.7, no update is needed.
  • Add use_gnutls=1 to the /etc/ekm/client.conf file.

UKC Integration with Oracle

Once you have an Oracle database running, use the following process to configure UKC encryption.

  1. Create the Unbound directory.

    mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

  2. Copy the PKCS#11 (Public-Key Cryptography Standards) library into the Unbound directory.

    cp /usr/lib64/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

  3. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKC is to be used in place of the standard software wallet.
    1. Copy the sample profile configuration file to the admin folder.

      cp /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/samples/sqlnet.ora /u01/app/oracle/product/12.1.0/dbhome_1/network/admin

    2. Add ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)) to /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora (HSM, Hardware Security Module, is the wallet method under which Oracle uses UKC).
  4. Create a password for the UKC user (named user in this example) if it does not already have one; the user must have a password. This command prompts you to enter the password.

    ucl user reset-pwd -p orcl --name user

  5. Log into the database.

    sqlplus / as sysdba

  6. To create a new master key and begin using transparent data encryption, issue the following command. In these examples, replace password with the correct value.

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";

  7. Check that the new AES key was created.

    ucl list

  8. The master encryption key remains accessible to the database until the database instance is shut down. To load the master encryption key after the database is restarted, use the following command.

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";

  9. To create a new table with encrypted columns, use the CREATE TABLE command in the following form. The keyword ENCRYPT specifies that the column is encrypted.

    CREATE TABLE <table_name> ( <column_name> <column_type> ENCRYPT, ... );

  10. If an existing table has columns that require encryption, then use the ALTER TABLE command in the following form.

    ALTER TABLE <table_name> MODIFY ( <column_name> <column_type> ENCRYPT, ... );

  11. To disable access to all encrypted columns in the database, use:

    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password";
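The following preflight script is an added example, not Unbound's or Oracle's own tooling. It verifies the client-side configuration from the GnuTLS prerequisite and steps 1 to 3 above before you touch the database: the PKCS#11 library is in the Unbound directory, sqlnet.ora routes the wallet to the HSM method, and the UKC client is set to use GnuTLS. The paths are the ones used in the procedure; the root-prefix argument (pass "/" on the live machine) and the function names are my own assumptions, added so the checks can also be run against a staging copy of the tree.

```shell
#!/bin/sh
# Added example (not Unbound's or Oracle's own tooling): preflight check of the
# client-side configuration from the GnuTLS prerequisite and steps 1 to 3 above.
# All paths are the ones used in the procedure; the root prefix argument (use "/"
# on the live machine) is an assumption that lets the checks run against a staging tree.

# Steps 1-2: the UKC PKCS#11 library must sit in the Unbound directory Oracle looks in.
check_library() {
    [ -f "$1/opt/oracle/extapi/64/hsm/unbound/2.0.0/libekmpkcs11.so" ]
}

# Step 3: sqlnet.ora must route the encryption wallet to the HSM method.
# Whitespace is stripped first so spacing inside the parentheses does not matter;
# the pattern also accepts the longer METHOD_DATA form used during wallet migration.
check_sqlnet() {
    f="$1/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora"
    [ -f "$f" ] || return 1
    tr -d ' \t' < "$f" | grep -q '^ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)'
}

# Prerequisite: the UKC client must be told to use GnuTLS.
check_gnutls() {
    f="$1/etc/ekm/client.conf"
    [ -f "$f" ] || return 1
    grep -q '^[[:space:]]*use_gnutls[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f"
}

# Run every check, report each one, and return non-zero if any of them failed.
preflight() {
    root="${1%/}"
    failed=0
    for check in check_library check_sqlnet check_gnutls; do
        if "$check" "$root"; then
            echo "ok    $check"
        else
            echo "FAIL  $check"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh ukc_preflight.sh /
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it as the Oracle software owner so that file permissions match what the database instance will see; a FAIL on check_sqlnet after step 3 usually means the line was added to a sqlnet.ora in a different ORACLE_HOME than the one the instance reads.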

Oracle Wallet Migration

Use this method if your Oracle database is already encrypted with a software-based wallet and you now want to encrypt with UKC.

See this link for more information.

  1. Create the Unbound directory.

    mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

  2. Copy the PKCS#11 library into the Unbound directory.

    cp /usr/lib64/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

  3. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKC is to be used in place of the standard software wallet.
    1. Copy the sample profile configuration file to the admin folder.

      cp /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/samples/sqlnet.ora /u01/app/oracle/product/12.1.0/dbhome_1/network/admin

    2. Add the following line to /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora, where wallet_location is the directory of the existing software wallet:

      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=wallet_location)))

  4. Create a password for the UKC user (named user in this example) if it does not already have one; the user must have a password. This command prompts you to enter the password.

    ucl user reset-pwd -p orcl --name user

  5. Log into the database.

    sqlplus / as sysdba

  6. Run the following SQL command:

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<Oracle Wallet Password>" MIGRATE USING "<UKC User Password>";

    Running this command creates a new key in UKC.

  7. Show the status of the encryption wallets. It should show that both the software wallet and UKC (as "HSM") are open.

    select wrl_type, status from v$ENCRYPTION_WALLET;

    Response:

    WRL_TYPE STATUS
    ------------------------------
    FILE OPEN
    HSM OPEN

  8. Update the following line in the file sqlnet.ora:

    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

  9. Log out of the SQL*Plus database utility and then log back in.

  10. Close and open the wallet (the ALTER SYSTEM SET ENCRYPTION WALLET CLOSE and OPEN commands shown above).

  11. Check the wallet status. You should see that only UKC (as "HSM") is open, indicating that the migration is complete.

    select wrl_type, status from v$ENCRYPTION_WALLET;

    Response:

    WRL_TYPE STATUS
    -------------------- ------------------------------
    FILE NOT_AVAILABLE
    HSM OPEN

  12. To confirm that the process succeeded, read data that was encrypted by the software wallet with a key that now exists in UKC, for example:

    select * from ERGEMP.T_ENCRYPTED;
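The two wallet-status checks in the migration procedure are the evidence that the migration has actually moved from "both wallets open" to "only UKC open". The script below is an added example (not Unbound's or Oracle's own code) that classifies the output of the v$ENCRYPTION_WALLET query into those phases so the check can be scripted rather than read by eye. The sample outputs are constructed to mirror the two responses shown above; the phase names, the function names and the live sqlplus wrapper (assumed to run as a local sysdba login, as in the procedure) are my own.

```shell
#!/bin/sh
# Added example (not Unbound's or Oracle's own code): classify the output of
#   select wrl_type, status from v$ENCRYPTION_WALLET;
# into the migration phases described in the procedure above.

# Constructed sample outputs mirroring the two responses shown in the procedure.
SAMPLE_MID_MIGRATION='WRL_TYPE STATUS
------------------------------
FILE OPEN
HSM OPEN'

SAMPLE_COMPLETE='WRL_TYPE STATUS
-------------------- ------------------------------
FILE NOT_AVAILABLE
HSM OPEN'

# Read v$ENCRYPTION_WALLET rows on stdin and print one word for the phase:
#   migrating - software wallet (FILE) and UKC (HSM) both OPEN: after the MIGRATE
#               command, before sqlnet.ora is switched to METHOD=HSM only
#   complete  - only HSM is OPEN (FILE NOT_AVAILABLE or absent): migration finished
#   software  - only the software wallet is open: sqlnet.ora still points at the file wallet
#   closed    - no wallet is open: encrypted columns are inaccessible
wallet_state() {
    awk '
        $1 == "FILE" { file = $2 }
        $1 == "HSM"  { hsm  = $2 }
        END {
            if      (hsm == "OPEN" && file == "OPEN") print "migrating"
            else if (hsm == "OPEN")                   print "complete"
            else if (file == "OPEN")                  print "software"
            else                                      print "closed"
        }'
}

# Return 0 only when the wallet is in the expected phase; report the actual phase otherwise.
# Usage: printf '%s\n' "$output" | expect_wallet_state complete
expect_wallet_state() {
    actual=$(wallet_state)
    if [ "$actual" = "$1" ]; then
        return 0
    fi
    echo "wallet state is '$actual', expected '$1'" >&2
    return 1
}

# Live use (assumption: run as the Oracle software owner with the local
# "sqlplus / as sysdba" login used in the procedure); not exercised here.
live_wallet_state() {
    sqlplus -S / as sysdba <<'EOF' | wallet_state
set heading off feedback off pagesize 0
select wrl_type, status from v$ENCRYPTION_WALLET;
exit
EOF
}
```

After step 11 of the migration, `live_wallet_state` should print complete; if it still prints migrating, the sqlnet.ora update in step 8 has not been picked up by the session, which is why the procedure has you log out and back in before closing and reopening the wallet.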