Oracle
Instructions are provided to configure UKC (Unbound Key Control, the name of Unbound's key management product) for an existing Oracle database.
More information about Oracle databases can be found here:
More information about using encryption on Oracle databases can be found here:
https://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm
Prerequisites
You need the following prerequisites for integration with UKC:
- Oracle version 10g and newer. The integration instructions are provided for 18cXE, 12c release 2, and 19c (19.3).
- Requires Oracle Advanced Security.
- UKC must be configured to use GnuTLS.
- For UKC, it is recommended to have an auxiliary server.
- The server running the Oracle database must have a version of GnuTLS that matches the GnuTLS version on the UKC servers.
Set up GnuTLS
UKC uses GnuTLS for secure communication between the client and the server. GnuTLS can be downloaded from https://www.gnutls.org.
To implement this capability, on the client machine:
- Install the libgnutls library (version 2.8 and later).
- If you are running Red Hat Enterprise Linux version 6.7, you need to update GnuTLS:
sudo yum update gnutls
- If you are running a Red Hat Enterprise Linux version newer than 6.7, no update is needed.
- Add use_gnutls=1 to the /etc/ekm/client.conf file.
Tip
To check the installed GnuTLS version, run gnutls-cli --version.
UKC Integration with Oracle
Once you have an Oracle database running, use the following process to configure UKC encryption.
- Create the Unbound directory.
mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0
- Link the PKCS#11 (Public-Key Cryptography Standards) library into the Unbound directory.
ln -fs /<path to libekmpkcs11>/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/
For the platform-dependent location of libekmpkcs11.so, refer to Path to PKCS#11 Library.
- Update the permissions.
sudo chown -R oracle:oinstall /opt/oracle/extapi/
sudo chmod -R 775 /opt/oracle/extapi/
- The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKC is to be used in place of the standard software wallet.
Edit the profile configuration file.
$ORACLE_HOME/network/admin/sqlnet.ora
- Add ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)) to sqlnet.ora. (HSM: Hardware Security Module, a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.)
- If the user's password was never reset, change the password:
ucl user reset-pwd -p orcl --name user
- Log into the database.
sqlplus / as sysdba
- To create a new master key and begin using transparent data encryption, issue the following command. Note that for these examples, you need to replace the password with the correct value.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<UKC User Password>";
- Check that the new AES key was created.
ucl list
Response:
Partition 0 orcl: 1 object found
Secret AES key : UID=aac95c6b931e9cc2
Description="ORACLE.TDE.HSM.MK.06A2D65A54A1654F90BF713007439BAD7E"
Name="0x00aac95c6b931e9cc2"
- The master encryption key remains accessible to the database until the database instance is shut down. To load the master encryption key after the database is restarted, use the following command.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<UKC User Password>";
- To create a new table with encrypted columns, use the CREATE TABLE command in the following form. The keyword ENCRYPT specifies that the column is encrypted.
CREATE TABLE <table_name> ( <column_name> <column_type> ENCRYPT, ... );
- If an existing table has columns that require encryption, then use the ALTER TABLE command in the following form.
ALTER TABLE <table_name> MODIFY ( <column_name> <column_type> ENCRYPT, ... );
- To disable access to all encrypted columns in the database, use:
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<UKC User Password>";
Oracle Wallet Migration
Use this method if your Oracle database is already encrypted with a software-based wallet and you now want to encrypt with UKC.
See this link for more information.
- If the user's password was never reset, change the password:
ucl user reset-pwd -p orcl --name user
- Create the Unbound directory.
mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0
- Link the PKCS#11 library into the Unbound directory.
ln -fs /<path to libekmpkcs11>/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/
For the platform-dependent location of libekmpkcs11.so, refer to Path to PKCS#11 Library.
- Update the permissions.
sudo chown -R oracle:oinstall /opt/oracle/extapi/
sudo chmod -R 775 /opt/oracle/extapi/
- Log into the database.
sqlplus / as sysdba
- Convert the software keystore to open with the hardware keystore. To set the software keystore password as that of the hardware keystore, use the following syntax:
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
FORCE KEYSTORE
IDENTIFIED BY software_keystore_password
SET "user_id:password" WITH BACKUP
[USING 'backup_identifier'];
Parameters:
- software_keystore_password - the same password that you used when creating the software keystore.
- user_id:password - the new software keystore password, which is the same as the password of the HSM.
- To create an auto-login keystore for a software keystore, use the following syntax:
ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE
FROM KEYSTORE 'keystore_location'
IDENTIFIED BY software_keystore_password;
- Configure sqlnet.ora for the migration of the password-based software keystore.
- The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKC is to be used in place of the standard software wallet.
Edit the profile configuration file.
$ORACLE_HOME/network/admin/sqlnet.ora
- Add the following line to sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=wallet_location)))
- Show the status of the encryption wallets. It should show that both the software wallet and UKC (as "HSM") are open.
select wrl_type, status from v$ENCRYPTION_WALLET;
Response:
WRL_TYPE STATUS
------------------------------
FILE OPEN
HSM OPEN
- Perform the hardware keystore migration. Use the following syntax when you run the ADMINISTER KEY MANAGEMENT SQL statement for migration:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
IDENTIFIED BY "user_id:password"
MIGRATE USING software_keystore_password
[WITH BACKUP [USING 'backup_identifier']];
- Update the following line in the file sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
- Log out of the SQL*Plus database utility and then log back in.
Logout sqlplus
Log in sqlplus
- Close and open the wallet.
- Check the wallet status. You should see that only UKC (as "HSM") is open, indicating that the migration is complete.
select wrl_type, status from v$ENCRYPTION_WALLET;
Response:
WRL_TYPE STATUS
-------------------- ------------------------------
FILE NOT_AVAILABLE
HSM OPEN
- To see that the process succeeded, read data that was encrypted by the software wallet with a key that now exists in UKC.
select * from ERGEMP.T_ENCRYPTED;
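The two wallet-status checks in this migration procedure (both wallets OPEN before the MIGRATE statement, only HSM OPEN afterwards) as an added shell classifier that is not from the original page or from Unbound; the sample query outputs are constructed to match the two responses shown above, and the classifier assumes one FILE row and one HSM row as in those responses.

```shell
#!/bin/sh
# Added example (not part of the original page): classify the output of
#   select wrl_type, status from v$ENCRYPTION_WALLET;
# so a migration runbook can assert the expected state before and after
# ADMINISTER KEY MANAGEMENT ... MIGRATE. Assumes one FILE and one HSM row.
set -eu

# wallet_state <file-with-query-output>
# Prints one of: ready-to-migrate, migrated, software-only, hsm-closed, unknown
wallet_state() {
    file_status=$(awk '$1=="FILE"{print $2}' "$1")
    hsm_status=$(awk '$1=="HSM"{print $2}' "$1")
    case "${file_status:-NONE}/${hsm_status:-NONE}" in
        OPEN/OPEN)                               echo ready-to-migrate ;;
        NOT_AVAILABLE/OPEN|CLOSED/OPEN|NONE/OPEN) echo migrated ;;
        OPEN/NONE|OPEN/NOT_AVAILABLE)            echo software-only ;;
        */CLOSED)                                echo hsm-closed ;;
        *)                                       echo unknown ;;
    esac
}

# assert_migrated <file>: succeeds only when the database depends on UKC alone
assert_migrated() {
    [ "$(wallet_state "$1")" = migrated ]
}

# Constructed sample: state before migration (software wallet and HSM both open).
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
WRL_TYPE             STATUS
-------------------- ------------------------------
FILE                 OPEN
HSM                  OPEN
EOF

# Constructed sample: state after migration with sqlnet.ora switched to METHOD=HSM.
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
WRL_TYPE             STATUS
-------------------- ------------------------------
FILE                 NOT_AVAILABLE
HSM                  OPEN
EOF
```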