Configure TDE wallet on RAC

To configure Oracle TDE (Transparent Data Encryption) wallet on a RAC, you need to do a few things to ensure that each database has its own wallet independent of each other.  Here are the steps that I completed in order to configure this:

1.  Set the environment variable ORACLE_UNQNAME on the OS in the .bash_profile. (In my case, it was Linux as this was 11.2.0.3 RAC on Linux).  This env variable should be set to the database unique name (not instance name).

Please note: this needs to be configured in a way in each time the environment is sourced (. oraenv), the ORACLE_UNQNAME env variable will also be re-sourced.

export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}`

2. Set the environment variable also via srvctl.

srvctl setenv database -d RAC-HR -T "ORACLE_UNQNAME=RAC-HR"

3.  Create wallet directory.

mkdir /u01/app/oracle/admin/${ORACLE_UNQNAME}/wallet

4. Configure sqlnet.ora as follows (example):

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY=/u01/app/oracle/admin/$ORACLE_UNQNAME/wallet)))

4.  Create the wallet.

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<password>";

5. Open wallet (if not already open).

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<password>";

6. To configure auto login for wallet (optional), do the following:
orapki wallet create -wallet <wallet_location> -auto_login

7.  Change permissions on directory and files.  If you're not using a shared filesystem to locate the wallet(s), you'll need to complete the following on all applicable nodes in the RAC after you have copied the wallet files to exact same location across all nodes.


cd /u01/app/oracle/admin/$ORACLE_UNQNAME/
chmod 700 wallet
cd wallet
chmod 600 ewallet.p12

8.  After initially creating the encryption wallet (and optionally a (local) auto-open wallet), navigate 
to the directory that stores the Oracle Wallet and set the ‘immutable’ bit with:

# chattr +i ewallet.p12
# chattr +i cwallet.sso

Any attempt to delete the wallet (by root or any other user) fails; re-key operations that write to 
the wallets will fail as well, so for re-key operations, the ‘immutable’ bit must be unset:

# chattr -i ewallet.p12
# chattr -i cwallet.sso

8.  Please review the TDE Best practices at the following link:

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf 

Comments

Anonymous said…
this is for one node...it is always recommended to install oracle wallet on shared storage acfs.

if this wallet is not installed on shared storage location, then copy the wallet to the same location in other node and reopen the wallet.
January 8, 2014 at 12:04 AM
neowebwallet said…
would You Explain some more feature For E- Wallet encryption and Security For neowebwallet
November 22, 2017 at 5:27 AM
Post a Comment

Popular posts from this blog

RMAN-10038: database session for channel prm3 terminated unexpectedly

Problem: I had an issue where I was trying to build a 1.7 TB Data Guard environment and kept receiving the highlighted error below.  I thought it was some type of fluke so I restarted the job 2 more times only to receive the same error. Fix: After researching the issue, I found it was because the sqlnet.ora needed to be configured correctly.  I added the entry " SQLNET.EXPIRE_TIME = 10 " to the sqlnet.ora on both the source and the target database servers under the RDBMS $ORACLE_HOME/network/admin.  Upon restarting the RMAN active database standby build, it was able to move past this error and built successfully. Starting backup at 07-MAY-17 channel prm1: starting datafile copy input datafile file number=00003 name=+DATA/testdb/datafile/undotbs1.262.940412881 channel prm2: starting datafile copy input datafile file number=00129 name=+DATA/testdb/datafile/welldoc1.390.940509955 channel prm3: starting datafile copy input datafile file number=00130 name=+DATA/test
Read more

ORA-17630: Mismatch in the remote file protocol version client 2 server 3

I was trying to create an Oracle Data Guard environment (physical standby) from an Oracle database running version 12.1.0.2. The database was running an older PSU version ("Database Patch Set Update : 12.1.0.2.161018 (24006101)") to be specific. Upon trying to build the standby by using RMAN DUPLICATE with ACTIVE DATABASE, I ran into the below error: executing Memory Script Starting backup at 16-JUL-18 RMAN-03009: failure of backup command on prm1 channel at 07/16/2018 13:51:46 ORA-17629: Cannot connect to the remote database server ORA-17630: Mismatch in the remote file protocol version client 2 server 3 continuing other job steps, job failed will not be re-run released channel: prm1 released channel: prm2 released channel: prm3 released channel: prm4 released channel: prm5 released channel: stb1 RMAN-00571: =========================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571: ====================
Read more

ORA-00338: log {n} of thread {n} is more recent than control file

I received the following error in a primary database's alert log that I was supporting recently.   ORA-00312: online log 5 thread 1: '+DATA/db_name/onlinelog/group_5.297.846947859' ORA-00338: log 5 of thread 1 is more recent than control file The database has a DataGuard environment as well and below are the steps that I took to resolve the issue. 1.  First, I checked the status of the redo logs and their current sizes and status. SQL> select group#,bytes/1024/1024,status from v$log;     GROUP# BYTES/1024/1024 STATUS ---------- --------------- ----------------          1              50 INACTIVE          2              50 INACTIVE          3              50 INACTIVE          4             250 INACTIVE          5             250 INACTIVE          6             250 CURRENT 2.  As you can see, groups 1, 2, 3 have 50 MB redo log group sizes while group 4, 5, 6 are 250 MB redo log group sizes.  This is something that I highly suspect was/is the issue.  So I
Read more