Oracle

Instructions are provided to configure UKCClosedUnbound Key Control - The name of Unbound's key management product. for an existing Oracle database.

More information about Oracle databases can be found here:

http://www.oracle.com

More information about using encryption on Oracle databases can be found here:

https://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm

Prerequisites

You need the following prerequisites for integration with UKCClosedUnbound Key Control - The name of Unbound's key management product.:

Set up GnuTLS

UKCClosedUnbound Key Control - The name of Unbound's key management product. uses GnuTLS for secure communication between the client and the server. GnuTLS can be downloaded from https://www.gnutls.org.

To implement this capability, on the client machine:

  • Install the libgnutls library (version 2.8 and later).
    • If you are running Red Hat Enterprise Linux version 6.7, you need to update GnuTLS:

      sudo yum update gnutls

    • If you are running a Red Hat Enterprise Linux version newer than 6.7, no update is needed.
  • Add use_gnutls=1 to the /etc/ekm/client.conf file.

Tip
To check the installed GnuTLS version, run gnutls-cli --version.

UKC Integration with Oracle

Once you have an Oracle database running, use the following process to configure UKCClosedUnbound Key Control - The name of Unbound's key management product. encryption.

  1. Create the Unbound directory.

    mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

  2. Copy the PKCSClosedPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library into the Unbound directory.

    cp /usr/lib64/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

  3. Update the permissions.

    sudo chown -R oracle:oinstall /opt/oracle/extapi/
    sudo chmod -R 775 /opt/oracle/extapi/

  4. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKCClosedUnbound Key Control - The name of Unbound's key management product. is to be used in place of the standard software wallet.

    1. Edit the profile configuration file.

      $ORACLE_HOME/network/admin/sqlnet.ora

    2. Add ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSMClosedHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing)) to sqlnet.ora.
  5. If the user's password was never reset, change the password:

    ucl user reset-pwd -p orcl --name user

  6. Log into the database.

    sqlplus / as sysdba

  7. To create a new master key and begin using transparent data encryption, issue the following command. Note that for these examples, you need to replace the password with the correct value.

    ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<UKC User Password>";

  8. Check that the new AES key created.

    ucl list

    Response:

    Partition 0 orcl: 1 object found

    Secret AES key : UID=aac95c6b931e9cc2
    Description="ORACLE.TDE.HSM.MK.06A2D65A54A1654F90BF713007439BAD7E"
    Name="0x00aac95c6b931e9cc2"

  9. The master encryption key remains accessible to the database until the database instance is shut down. To load the master encryption key after the database is restarted, use the following command.

    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<UKC User Password>";

  10. To create a new table with encrypted columns, use the CREATE TABLE command in the following form. The keyword ENCRYPT specifies that the column is encrypted.

    CREATE TABLE <table_name> ( <column_name> <column_type> ENCRYPT,....);

  11. If an existing table has columns that require encryption, then use the ALTER TABLE command in the following form.

    ALTER TABLE <table_name> MODIFY ( <column_name> <column_type> ENCRYPT,...);

  12. To disable access to all encrypted columns in the database, use:

    ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "<UKC User Password>";

Oracle Wallet Migration

Use this method if your Oracle database is already encrypted with a software-based wallet and you now want to encrypt with UKCClosedUnbound Key Control - The name of Unbound's key management product..

See this link for more information.

  1. If the user's password was never reset, change the password:

    ucl user reset-pwd -p orcl --name user

  2. Create the Unbound directory.

    mkdir /opt/oracle/extapi/64/hsm/unbound/2.0.0

  3. Copy the PKCSClosedPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 library into the Unbound directory.

    cp /usr/lib64/libekmpkcs11.so /opt/oracle/extapi/64/hsm/unbound/2.0.0/

  4. Update the permissions.

    sudo chown -R oracle:oinstall /opt/oracle/extapi/
    sudo chmod -R 775 /opt/oracle/extapi/

  5. Log into the database.

    sqlplus / as sysdba

  6. Convert the software keystore to open with the hardware keystore. To set the software keystore password as that of the hardware keystore, use the following syntax:

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
    FORCE KEYSTORE
    IDENTIFIED BY software_keystore_password
    SET "user_id:password" WITH BACKUP
    [USING 'backup_identifier'];

    Parameters:

  7. To create an auto-login keystore for a software keystore, use the following syntax:

    ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE
    FROM KEYSTORE 'keystore_location'
    IDENTIFIED BY software_keystore_password;

  8. Configure sqlnet.ora for the migration of the password-based software keystore.
  9. The ENCRYPTION_WALLET_LOCATION parameter in the profile configuration file specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that UKCClosedUnbound Key Control - The name of Unbound's key management product. is to be used in place of the standard software wallet.

    1. Edit the profile configuration file.

      2. $ORACLE_HOME/network/admin/sqlnet.ora

    2. Add the following line to sqlnet.ora:
      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSMClosedHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing)(METHOD_DATA=(DIRECTORY=wallet_location)))
  10. Show the status of the encryption wallets. It should show that both the software wallet and UKCClosedUnbound Key Control - The name of Unbound's key management product. (as "HSMClosedHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing") are open.

    select wrl_type, status from v$ENCRYPTION_WALLET;

    Response:

    WRL_TYPE STATUS
    ------------------------------
    FILE OPEN
    HSM OPEN

  11. Perform the hardware keystore migration. Use the following syntax when you run the ADMINISTER KEY MANAGEMENT SQL statement for migration:

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
    IDENTIFIED BY "user_id:password"
    MIGRATE USING software_keystore_password
    [WITH BACKUP [USING 'backup_identifier']];

  12. Update the following line in the file sqlnet.ora:

    13. ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))

  13. Log out of the SQL Plus database utility and then log back in.

    14. Logout sqlplus
    Log in sqlplus

  14. Close and open the wallet.
  15. Check the wallet status. You should see that only UKCClosedUnbound Key Control - The name of Unbound's key management product. (as "HSMClosedHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing") is open, indicating that the migration is complete.

    16. select wrl_type, status from v$ENCRYPTION_WALLET;

    Response:

    WRL_TYPE STATUS
    -------------------- ------------------------------
    FILE NOT_AVAILABLE
    HSM OPEN

  16. To see that the process succeeded, read data that was encrypted by the software wallet with a key that now exists in UKCClosedUnbound Key Control - The name of Unbound's key management product..

    17. select * from ERGEMP.T_ENCRYPTED;