How To Migrate Existing TDE Wallet To Oracle Key Vault For A 12c Oracle RAC Database
This post details the steps needed to be performed to migrate an existing TDE wallet for a RAC database to an OKV server. The variables ORACLE_SID, ORACLE_HOME and OKV_HOME must be set in oracle processes environment and srvctl environment.
1. Setup the RAC nodes as endpoints in OKV using the oracle documentation and deploy okvclient.jar on each node:
$ java -jar okvclient.jar -d /home/oracle/okvclient -v
Detected JAVA_HOME: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre
Enter new Key Vault endpoint password (<enter> for auto-login):
Confirm new Key Vault endpoint password:
Oracle Key Vault endpoint software installed successfully.
$</enter>
2. As Key Vault administrator create an endpoint group rac12nc and add the rac endpoints to the endpoint group.
3. Still logged as Key Vault administrator create a wallet rac12nc_wallet and grant the Read, Write, Manage Wallet privileges to the endpoint group rac12nc for this wallet.
4. Upload the local wallet to OKV:
$ ./okvutil upload -l /home/oracle/tde/rac12nc/wallet/ -g rac12nc_wallet -v 2 -t wallet
okvutil version 12.2.0.1.0
Endpoint type: Oracle Database
Configuration file: /home/oracle/okvclient/conf/okvclient.ora
Server: 10.64.151.18:5696
Standby Servers:
Uploading from /home/oracle/tde/rac12nc/wallet
Enter source wallet password:
Enter Oracle Key Vault endpoint password:
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ABCABCABCABCABCABCABCABCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ABCABCABCABCABCABCABCABCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Uploaded 1 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 3 opaque objects
Uploading private persona
Uploading certificate request
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
5. Edit sqlnet.ora and modify the ENCRYPTION_WALLET_LOCATION parameter to point towards both OKV and the local wallet( this has to be done on all nodes):
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/home/oracle/tde/rac12nc/wallet)))
6. Remove the cwallet.sso file and close the wallet:
$ cd /home/oracle/tde/rac12nc/wallet/
$ mv cwallet.sso cwallet.sso.bak
SQL> administer key management set keystore close identified by [wallet_password];
keystore altered.
7. Open the wallet and perform the migration on one node:
SQL> administer key management set keystore open identified by [endpoint_password];
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /home/oracle/tde/rac12nc/wallet/ OPEN PASSWORD SECONDARY YES 0
HSM OPEN_NO_MASTERKEY HSM PRIMARY UNDEFINED 0
SQL> administer key management set encryption key identified by <endpoint_password> migrate using <wallet_password> with backup;
keystore altered.</wallet_password></endpoint_password>
8. After the keys are migrated from the local software wallet to OKV a new master key will be generated in OKV. This new key is going to be created outside of the ‘virtual’ wallet defined earlier in OKV(i.e. It will be available in ‘All Items’ section. This new key will be accessible only to the node/endpoint that generated it so one has to login as the OKV Administrator and move the newly generated key into the ‘virtual’ wallet. For this navigate to Keys & Wallets -> All items -> add the newly generated master key to the virtual wallet rac12nc_wallet.
9. Enable the auto_login wallet using the steps from below post:
10. Restart the database and check if wallet is automatically open:
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE /home/oracle/tde/rac12nc/wallet/ OPEN PASSWORD SECONDARY YES 0
HSM OPEN HSM PRIMARY UNDEFINED 0