Configuring Oracle Transparent Data Encryption (TDE)
on Oracle 12c multitenant architecture
To configure TDE on Oracle 12c multitenant architecture we need to execute some steps in order to
be able to create encrypted tablespaces on Oracle, for example.
1) Adjust the sqlnet.ora file to refer your wallet path
[oracle@db1 admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/CDB1)
)
)
2) Create the folder on OS side
[oracle@db1 admin]$ mkdir -p /u01/app/oracle/CDB1
3) Log into database using the role syskm, create the keystore and the auto login keystore
[oracle@db1 admin]$ sqlplus / as syskm
SQL*Plus: Release 12.1.0.2.0 Production on Tue Jul 30 13:42:13 2019
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> administer key management create keystore '/u01/app/oracle/CDB1' identified by oracle;
keystore altered.
SQL>
SQL>
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/CDB1' IDENTIFIED BY oracle;
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
------------ --------------------------------- ---------------------- -------------- ----------------------- -----------
FILE /u01/app/oracle/CDB1/ OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE UNDEFINED 0
4) Bounce the database to see if AUTO_LOGIN keystore is working correctly
SQL> connect / as sysdba
Connected.
SQL> shut immediate;
Database closed.
Database dismounted.
startup
ORACLE instance shut down.
SQL> ORACLE instance started.
Total System Global Area 1660944384 bytes
Fixed Size 2925072 bytes
Variable Size 1040190960 bytes
Database Buffers 603979776 bytes
Redo Buffers 13848576 bytes
Database mounted.
Database opened.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
------------ --------------------------------- ---------------------- -------------- ----------------------- -----------
FILE /u01/app/oracle/CDB1/ OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE UNDEFINED 0
Obs.: The first time, you need to set the masterkey to avoid this status and errors with the key not open properly.
SQL> alter pluggable database all open;
Pluggable database altered.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB2 READ WRITE NO
4 PD3 READ WRITE NO
5) Let’s setup the masterkey on the keystore
SQL> conn / as sysdba
Connected.
SQL> grant dba,syskm to C##dba identified by oracle container=ALL;
Grant succeeded.
SQL> administer key management set keystore close container=all;
keystore altered.
SQL> administer key management set keystore open identified by oracle container=all;
keystore altered.
6) On pluggable database, connected with common user C##DBA, let’s set the key for all pdbs.
SQL> conn c##dba/oracle@db1:1521/PD3 as syskm;
Connected.
SQL>
SQL> conn / as sysdba
Connected.
SQL> administer key management set key identified by oracle with backup using 'OMK' container=ALL;
keystore altered.
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
------------ --------------------------------- ---------------------- -------------- ----------------------- -----------
FILE /u01/app/oracle/CDB1/ OPEN PASSWORD SINGLE NO 0
As you can see above, now the status is OPEN (by password)
7) Connected on PD3 as common user C##DBA and now we can create our tablespace
SQL> conn c##dba/oracle@db1:1521/PD3;
Connected.
SQL> create tablespace OCM_CRYP
2 datafile '/u01/app/oracle/oradata/CDB1/8DE664DD797442E9E055000000000001/datafile/OCM.DBF'
3 size 10m
4 encryption using 'AES256'
5 default storage(ENCRYPT);
Tablespace created.
So, this is the new way for 12c to management keys for encryption on database.
I hope this helps you!!!
This article was written by Andre Ontalba e Rodrigo Mufalani
Disclaimer: “The postings on this site are my own and don’t necessarily represent may actual employer positions, strategies or opinions. The information here was edited to be useful for general purpose, specific data and identifications was removed to allow reach generic audience and to be useful.”