Configure TDE wallet on RAC
To configure an Oracle TDE (Transparent Data Encryption) wallet on a RAC, a few things are needed so that each database has its own wallet, independent of the others. Here are the steps that I completed in order to configure this:
1. Set the environment variable ORACLE_UNQNAME on the OS in the .bash_profile. (In my case it was Linux, as this was an 11.2.0.3 RAC on Linux.) This environment variable must be set to the database unique name (not the instance name).
Please note: this needs to be configured so that each time the environment is sourced (. oraenv), the ORACLE_UNQNAME environment variable is also re-sourced. The line below derives the name by stripping the trailing instance number from ORACLE_SID and looking the result up in the srvctl database list; it only works when the instance names are the unique name followed by a single digit, and it matches exactly one database.
export ORACLE_UNQNAME=$($ORACLE_HOME/bin/srvctl config database | grep -w "${ORACLE_SID%?}")
2. Also set the environment variable through srvctl, so that instances started by Clusterware (rather than from a sourced shell) see it as well:
srvctl setenv database -d RAC-HR -T "ORACLE_UNQNAME=RAC-HR"
3. Create the wallet directory (on every node, unless it lives on shared storage).
mkdir /u01/app/oracle/admin/${ORACLE_UNQNAME}/wallet
4. Configure sqlnet.ora as follows (example). Oracle expands $ORACLE_UNQNAME from the environment of the database instance, which is why steps 1 and 2 are needed:
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE)
(METHOD_DATA =
(DIRECTORY=/u01/app/oracle/admin/$ORACLE_UNQNAME/wallet)))
5. Create the wallet and the master encryption key. This writes ewallet.p12 into the directory from step 4 and leaves the wallet open on the instance where it runs.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<password>";
6. Open the wallet (if not already open). On a RAC each instance opens its own copy of the wallet, so confirm that the status is OPEN on every instance by querying GV$ENCRYPTION_WALLET.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<password>";
7. To configure auto login for the wallet (optional), do the following. This creates cwallet.sso next to ewallet.p12; any OS user who can read cwallet.sso can open the wallet without the password, so the file permissions in the next step matter.
orapki wallet create -wallet <wallet_location> -auto_login
8. Change the permissions on the directory and files. If you are not using a shared filesystem to hold the wallet(s), you need to complete the following on all applicable nodes in the RAC after you have copied the wallet files to the exact same location on every node. Apply the same 600 mode to cwallet.sso if you created one.
cd /u01/app/oracle/admin/$ORACLE_UNQNAME/
chmod 700 wallet
cd wallet
chmod 600 ewallet.p12
9. After initially creating the encryption wallet (and optionally a (local) auto-open wallet), navigate to the directory that stores the Oracle Wallet and, as root, set the ‘immutable’ bit with:
# chattr +i ewallet.p12
# chattr +i cwallet.sso
Any attempt to delete the wallet (by root or any other user) then fails; re-key operations that write to the wallets fail as well, so before a re-key the ‘immutable’ bit must be unset:
# chattr -i ewallet.p12
# chattr -i cwallet.sso
10. Please review the TDE best practices at the following link:
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
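The following is an added example, not code from the original post, that turns the parts of this procedure which are easy to get wrong on a second node into small POSIX shell functions: deriving ORACLE_UNQNAME from a srvctl listing as step 1 does, but refusing to guess when the listing matches zero or more than one database; rendering the sqlnet.ora stanza from step 4 for a wallet directory; and checking the directory and file modes step 8 calls for. The function names, the database names HRDB/HRDBSTBY/SALES, the srvctl output and the paths are all constructed for illustration; `stat -c %a` is GNU coreutils (Linux, as in the post). The chattr step is left out because it needs root and an ext-family filesystem.

```shell
#!/bin/sh
# Added example for the RAC TDE wallet procedure above; not code from the original post.
# The srvctl listing, database names and paths below are constructed for illustration.

# Step 1: derive the database unique name from ORACLE_SID by stripping the trailing
# instance number (${sid%?}), as the post does, and looking it up in a
# `srvctl config database` listing read from stdin. Unlike the one-liner, this refuses
# to guess when zero or several databases match.
#   usage: srvctl config database | derive_unqname "$ORACLE_SID"
derive_unqname() {
    sid=$1
    base=${sid%?}                                   # e.g. HRDB1 -> HRDB
    matches=$(grep -w -- "$base" | sort -u)         # whole-word match against the listing
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one database matching %s, found %s\n' "$base" "$count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Step 4: render the ENCRYPTION_WALLET_LOCATION stanza for a wallet directory.
sqlnet_wallet_stanza() {
    printf 'ENCRYPTION_WALLET_LOCATION =\n  (SOURCE = (METHOD = FILE)\n    (METHOD_DATA =\n      (DIRECTORY=%s)))\n' "$1"
}

# Step 8: verify the modes the post requires: directory 0700, ewallet.p12 0600, and the
# auto-login cwallet.sso 0600 if it exists. Reports every problem and returns 1 if any.
# stat -c %a is GNU coreutils (Linux).
check_wallet_perms() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { printf '%s: not a directory\n' "$dir" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = 700 ] || { printf '%s: mode must be 700\n' "$dir" >&2; rc=1; }
    [ -f "$dir/ewallet.p12" ] || { printf '%s: ewallet.p12 missing\n' "$dir" >&2; rc=1; }
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        [ "$(stat -c %a "$dir/$f")" = 600 ] || { printf '%s/%s: mode must be 600\n' "$dir" "$f" >&2; rc=1; }
    done
    return $rc
}

# Demonstration with constructed input: what `srvctl config database` might list.
SAMPLE_SRVCTL='HRDB
HRDBSTBY
SALES'
if unq=$(printf '%s\n' "$SAMPLE_SRVCTL" | derive_unqname HRDB1); then
    printf 'ORACLE_UNQNAME would be: %s\n' "$unq"
    sqlnet_wallet_stanza "/u01/app/oracle/admin/$unq/wallet"
fi

# Build a throwaway wallet directory with the required modes and check it.
demo=$(mktemp -d)
mkdir -m 700 "$demo/wallet"
: > "$demo/wallet/ewallet.p12"
chmod 600 "$demo/wallet/ewallet.p12"
check_wallet_perms "$demo/wallet" && echo "wallet permissions OK"
rm -rf "$demo"
```

Run `check_wallet_perms` on every node after copying the wallet files; a node where the directory came across as 755 or the files as 644 is exactly the case the post's step 8 exists to prevent, and the function lists each offending path rather than stopping at the first.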
Comments
If this wallet is not installed on a shared storage location, then copy the wallet to the same location on the other node and reopen the wallet.