Requirement:
To set up TDE for an eight node RAC database. DB version 11.2.0.2.0. Below given are the steps I used.
Steps:
1. Create directory structure for wallet (Steps done as root user)
Oracle recommends placing the Oracle Wallet outside of the $ORACLE_BASE directory tree to avoid accidentally storing the wallet with the encrypted data on a backup tape. So we are going to store the wallet files under /etc as shown below. In my case database name is ORCL.
a. [root@node01 etc]# mkdir -pv ORACLE/WALLETS/ORCL
b. [root@node01 etc]# chown -R oracle:oinstall ORACLE
c. [root@node01 etc]# chmod -R 700 ORACLE
2. Configure sqlnet.ora file in first node (Step done as oracle user).
Edit sqlnet.ora and add following entry.
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE)
(METHOD_DATA =
(DIRECTORY=/etc/ORACLE/WALLETS/ORCL)))
3. Create the wallet.
The following SQL command will initialize the wallet and add master encryption key. This creates a file by name ewallet.p12 under Wallet directory
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<WalletPwd>";
System altered.
[oracle@node01 ORCL]$ pwd
/etc/ORACLE/WALLETS/ORCL
[oracle@node01 ORCL]$ ls -ltr
total 4
-rw-r--r-- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
The wallet would be already open. Else you can use the SQL command to open it.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
4. Reduce permission on wallet file to 600
[oracle@node01 ORCL]$ chmod 600 ewallet.p12
[oracle@node01 ORCL]$ ls -ltr
total 4
-rw------- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
5. Enable Autologin. This will create cwallet.sso file in Wallet directory
orapki wallet create -wallet /etc/ORACLE/WALLETS/ORCL -auto_login
6. Make Wallet Immutable: So that even root cant delete it. Execute this as root user
Set the immutable but with chattr +i command as show below.
[root@node01 ORCL]$ ls -ltr
total 8
-rw------- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
-rw------- 1 oracle oinstall 1651 Oct 10 22:39 cwallet.sso
[root@node01 ORCL]$ chattr +i ewallet.p12
[root@node01 ORCL]$ chattr +i cwallet.sso
7. Copy Wallet and sqlnet.ora to all the nodes of the RAC maintaining same directory structure and permissions.
Once TDE is enabled on the first instance, the wallet and the local sqlnet.ora file need to be copied to all other instances and manually opened for the master key to be loaded into each instance’s memory. Use a tool like "scp" to copy wallet files and sqlnet.ora to all nodes
8. Open wallet in all nodes
Wallet should be manually opened in all nodes so that master key gets loaded in to each of the instances' memory.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
System altered.
The TDE is now configured and ready to use.
Note:
Wallets must be reopened after an instance restart and can be closed again to prevent access to encrypted columns.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
To reverse immutability use -i option
chattr -i ewallet.p12
chattr -i cwallet.sso
To set up TDE for an eight node RAC database. DB version 11.2.0.2.0. Below given are the steps I used.
Steps:
1. Create directory structure for wallet (Steps done as root user)
Oracle recommends placing the Oracle Wallet outside of the $ORACLE_BASE directory tree to avoid accidentally storing the wallet with the encrypted data on a backup tape. So we are going to store the wallet files under /etc as shown below. In my case database name is ORCL.
a. [root@node01 etc]# mkdir -pv ORACLE/WALLETS/ORCL
b. [root@node01 etc]# chown -R oracle:oinstall ORACLE
c. [root@node01 etc]# chmod -R 700 ORACLE
2. Configure sqlnet.ora file in first node (Step done as oracle user).
Edit sqlnet.ora and add following entry.
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE)
(METHOD_DATA =
(DIRECTORY=/etc/ORACLE/WALLETS/ORCL)))
3. Create the wallet.
The following SQL command will initialize the wallet and add master encryption key. This creates a file by name ewallet.p12 under Wallet directory
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<WalletPwd>";
System altered.
[oracle@node01 ORCL]$ pwd
/etc/ORACLE/WALLETS/ORCL
[oracle@node01 ORCL]$ ls -ltr
total 4
-rw-r--r-- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
The wallet would be already open. Else you can use the SQL command to open it.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
4. Reduce permission on wallet file to 600
[oracle@node01 ORCL]$ chmod 600 ewallet.p12
[oracle@node01 ORCL]$ ls -ltr
total 4
-rw------- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
5. Enable Autologin. This will create cwallet.sso file in Wallet directory
orapki wallet create -wallet /etc/ORACLE/WALLETS/ORCL -auto_login
6. Make Wallet Immutable: So that even root cant delete it. Execute this as root user
Set the immutable but with chattr +i command as show below.
[root@node01 ORCL]$ ls -ltr
total 8
-rw------- 1 oracle dba 1573 Oct 10 22:34 ewallet.p12
-rw------- 1 oracle oinstall 1651 Oct 10 22:39 cwallet.sso
[root@node01 ORCL]$ chattr +i ewallet.p12
[root@node01 ORCL]$ chattr +i cwallet.sso
7. Copy Wallet and sqlnet.ora to all the nodes of the RAC maintaining same directory structure and permissions.
Once TDE is enabled on the first instance, the wallet and the local sqlnet.ora file need to be copied to all other instances and manually opened for the master key to be loaded into each instance’s memory. Use a tool like "scp" to copy wallet files and sqlnet.ora to all nodes
8. Open wallet in all nodes
Wallet should be manually opened in all nodes so that master key gets loaded in to each of the instances' memory.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
System altered.
The TDE is now configured and ready to use.
Note:
Wallets must be reopened after an instance restart and can be closed again to prevent access to encrypted columns.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<WalletPwd>";
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
To reverse immutability use -i option
chattr -i ewallet.p12
chattr -i cwallet.sso
No comments:
Post a Comment