support/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
notes/tiddlywiki/Transparent Data Encryption (TDE) setup.txt
Valeriu PLESNILA 26296b6d6a 2026-03-12 21:01:38
2026-03-12 22:01:38 +01:00

234 lines
9.2 KiB
Plaintext
Executable File
Raw Permalink Blame History

--
create pluggable database VORAS admin user VORAS_ADM identified by VORAS_ADM;
alter pluggable database VORAS open instances=ALL;
alter pluggable database VORAS save state instances=ALL;
Step 1: Configure the Wallet Root
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ create directory for storing TDE WALLET
~~ in a RAC configuration, this directory can be on a shared file system or manually copied from install node to all other nodes
mkdir -p /app/base/admin/HUTTPRD/wallet/tde
CDB$ROOT> alter system set WALLET_ROOT="/app/base/admin/HUTTPRD/wallet" scope=spfile sid='*';
srvctl stop database -d HUTTPRD
srvctl start database -d HUTTPRD
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both sid='*';
Step 2: Create the password protected key store
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CDB$ROOT> administer key management create keystore '/app/base/admin/HUTTPRD/wallet/tde' identified by secret;
~~ previous command will create the file ewallet.p12
ls -l /app/base/admin/HUTTPRD/wallet/tde/ewallet.p12
set lines 300
column WRL_PARAMETER format a40
select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID,INST_ID from gv$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS CON_ID INST_ID
-------------------- ---------------------------------------- ------------------------------ ---------- ----------
FILE /app/base/admin/HUTTPRD/wallet/tde/ NOT_AVAILABLE 1 2
FILE NOT_AVAILABLE 2 2
FILE NOT_AVAILABLE 3 2
FILE /app/base/admin/HUTTPRD/wallet/tde/ CLOSED 1 1
FILE CLOSED 2 1
FILE CLOSED 3 1
~~ we have status NOT_AVAILABLE for 2nd instance because the wallet has not been yet copied to 2nd
Step 3: Open the key store CDB & PDB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
administer key management set keystore open force keystore identified by secret container = all;
set lines 300
column WRL_PARAMETER format a40
select WRL_TYPE, WRL_PARAMETER, STATUS, CON_ID,INST_ID from gv$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS CON_ID INST_ID
-------------------- ---------------------------------------- ------------------------------ ---------- ----------
FILE /app/base/admin/HUTTPRD/wallet/tde/ OPEN_NO_MASTER_KEY 1 1
FILE OPEN_NO_MASTER_KEY 2 1
FILE OPEN_NO_MASTER_KEY 3 1
FILE /app/base/admin/HUTTPRD/wallet/tde/ NOT_AVAILABLE 1 2
FILE NOT_AVAILABLE 2 2
FILE NOT_AVAILABLE 3 2
Step 4.1: Create the master key for the container database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
administer key management set key identified by secret with backup;
set lines 300
column WRL_PARAMETER format a40
column NAME format a10
select
a.INST_ID, b.NAME, a.STATUS, a.WRL_TYPE, a.WRL_PARAMETER
from
gv$encryption_wallet a, gv$pdbs b
where
a.con_id = b.con_id (+)
order by
a.INST_ID, b.NAME, a.STATUS
;
INST_ID NAME STATUS WRL_TYPE WRL_PARAMETER
---------- ---------- ------------------------------ -------------------- ----------------------------------------
1 PDB$SEED OPEN FILE
1 PDB$SEED OPEN FILE
1 VORAS OPEN_NO_MASTER_KEY FILE
1 VORAS OPEN_NO_MASTER_KEY FILE
1 OPEN FILE /app/base/admin/HUTTPRD/wallet/tde/
2 PDB$SEED NOT_AVAILABLE FILE
2 PDB$SEED NOT_AVAILABLE FILE
2 VORAS NOT_AVAILABLE FILE
2 VORAS NOT_AVAILABLE FILE
2 NOT_AVAILABLE FILE /app/base/admin/HUTTPRD/wallet/tde/
Step 4.2: Create the master key for PDB (unified mode)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
alter session set container=VORAS;
administer key management set key identified by secret with backup;
set lines 300
column WRL_PARAMETER format a40
column NAME format a10
select
a.INST_ID, b.NAME, a.STATUS, a.WRL_TYPE, a.WRL_PARAMETER
from
gv$encryption_wallet a, gv$pdbs b
where
a.con_id = b.con_id (+)
order by
a.INST_ID, b.NAME, a.STATUS
;
INST_ID NAME STATUS WRL_TYPE WRL_PARAMETER
---------- ---------- ------------------------------ -------------------- ----------------------------------------
1 PDB$SEED OPEN FILE
1 PDB$SEED OPEN FILE
1 VORAS OPEN FILE
1 VORAS OPEN FILE
1 OPEN FILE /app/base/admin/HUTTPRD/wallet/tde/
2 PDB$SEED NOT_AVAILABLE FILE
2 PDB$SEED NOT_AVAILABLE FILE
2 VORAS NOT_AVAILABLE FILE
2 VORAS NOT_AVAILABLE FILE
2 NOT_AVAILABLE FILE /app/base/admin/HUTTPRD/wallet/tde/
Step 5: Create an autologin keystorefor the CDB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
administer key management create auto_login keystore from keystore '/app/base/admin/HUTTPRD/wallet/tde' identified by secret;
ls -ltr /app/base/admin/HUTTPRD/wallet/tde
total 24
-rw-------. 1 oracle asmadmin 2555 Apr 12 17:52 ewallet_2020041215523610.p12
-rw-------. 1 oracle asmadmin 3995 Apr 12 22:26 ewallet_2020041220264943.p12
-rw-------. 1 oracle asmadmin 5467 Apr 12 22:26 ewallet.p12
-rw-------. 1 oracle asmadmin 5512 Apr 12 22:35 cwallet.sso
-- cwallet.sso has been created
-- copy security files to ALL RAC nodes
cd /app/base/admin/HUTTPRD/wallet/tde
scp -rp * vortex-db02:/app/base/admin/HUTTPRD/wallet/tde
set lines 300
column WRL_PARAMETER format a40
column NAME format a10
select
a.INST_ID, b.NAME, a.STATUS, a.WRL_TYPE, a.WRL_PARAMETER
from
gv$encryption_wallet a, gv$pdbs b
where
a.con_id = b.con_id (+)
order by
a.INST_ID, b.NAME, a.STATUS
;
INST_ID NAME STATUS WRL_TYPE WRL_PARAMETER
---------- ---------- ------------------------------ -------------------- ----------------------------------------
1 PDB$SEED OPEN FILE
1 PDB$SEED OPEN FILE
1 VORAS OPEN FILE
1 VORAS OPEN FILE
1 OPEN FILE /app/base/admin/HUTTPRD/wallet/tde/
2 PDB$SEED OPEN FILE
2 PDB$SEED OPEN FILE
2 VORAS OPEN FILE
2 VORAS OPEN FILE
2 OPEN FILE /app/base/admin/H
Step 6.1: Encrypt tablespaces online (CDB)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CDB$ROOT> select TABLESPACE_NAME, STATUS, ENCRYPTED from DBA_TABLESPACES;
TABLESPACE_NAME STATUS ENC
------------------------------ --------- ---
SYSTEM ONLINE NO
SYSAUX ONLINE NO
UNDOTBS1 ONLINE NO
TEMP ONLINE NO
UNDOTBS2 ONLINE NO
USERS ONLINE NO
CDB$ROOT> alter tablespace USERS encryption online encrypt;
CDB$ROOT> alter tablespace SYSTEM encryption online encrypt;
CDB$ROOT> select TABLESPACE_NAME, STATUS, ENCRYPTED from DBA_TABLESPACES;
TABLESPACE_NAME STATUS ENC
------------------------------ --------- ---
SYSTEM ONLINE YES
SYSAUX ONLINE NO
UNDOTBS1 ONLINE NO
TEMP ONLINE NO
UNDOTBS2 ONLINE NO
USERS ONLINE YES
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
Manually OPEN/CLOSE keystore
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SYSKM@HUTTPRD1:CDB$ROOT> administer key management set keystore open force keystore identified by secret container = all;
keystore altered.
SYSKM@HUTTPRD1:CDB$ROOT> administer key management set keystore close identified by secret;
keystore altered.
Reference in New Issue View Git Blame Copy Permalink