Exporting a Keystore from ASM to a Target Host for Oracle TDE Provisioning ( KBA8286 )
KBA
KBA# 8286Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1
5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
How to Export a Keystore from ASM to a Target Host for TDE provisioning
As discussed in Delphix Documentation - Provisioning a VDB from an Encrypted Oracle Database, if a source VDB is encrypted, then the keystore will need to copied to and autologin keystore enabled on the target host before provisioning will succeed. If the source keystore is on ASM, then simply copying the wallet from ASM is not viable. The following error will be encountered when attempting to access the wallet with orapki as orapki will interpret the wallet as corrupt.
orapki wallet create -wallet /tmp/wallet -auto_login -pwd mypassword123 Oracle PKI Tool Release 19.0.0.0.0 - Production Version 19.3.0.0.0 Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.Got tag 3 instead of 16. PKI-02003: Unable to load the wallet at: /tmp/wallet
To resolve this the wallet needs to be correctly exported from ASM.
This document only covers non-mutlitenant databases.
Prerequisites
It is expected that the source database already has a keystore configured and has encrypted tables, however the steps for configuring this are provided below as an example only. These steps should only be performed in a lab environment or after consultation with your DBA team or Oracle.
- Configure sqlnet.ora, this must be done on all nodes in the case of RAC.
[oracle@mw19rac1 trace]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=+DATA/DBOMSRE7B249)))
- Verify Oracle is detecting the correct ENCRYPTION_WALLET_LOCATION using sqlplus.
SQL> select WRL_PARAMETER,STATUS from v$encryption_wallet; WRL_PARAMETER STATUS ----------------------------- ------------------------------ +DATA/DBOMSRE7B249/ CLOSED
- Create the keystore using sqlplus.
SQL> ADMINISTER KEY MANAGEMENT create keystore '+DATA/DBOMSRE7B249' identified by abc123;
- Open the keystore and verify its status using sqlplus.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY abc123; keystore altered. SQL> select WRL_PARAMETER,STATUS from v$encryption_wallet; WRL_PARAMETER STATUS ------------------------------- ------------------------------ +DATA/DBOMSRE7B249/ OPEN_NO_MASTER_KEY
- Set the key using sqlplus.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY abc123 WITH BACKUP; SQL> select WRL_PARAMETER,STATUS from v$encryption_wallet; WRL_PARAMETER STATUS ------------------------------ ------------------------------ +DATA/DBOMSRE7B249/ OPEN
A backup will now be created in the keystore location, along with the existing keystore.
ASMCMD> ls ewallet* ewallet.p12 ewallet_2021102504065896.p12
- Now that the keystore and key are configured, TDE tablespaces can be created.
create tablespace tde encryption using 'AES256' default storage(encrypt); alter user dlpxdbora quota unlimited on tde; create table dlpxdbora.test ( id number, name varchar2(255)) tablespace tde; SQL> insert into dlpxdbora.test values ( 1, 'encrypted'); 1 row created. SQL> commit; Commit complete.
- With the tablespace encrypted, the database can now be linked to Delphix or a new snapshot taken to capture the encrypted tablespace.
To complete exporting a keystore to target host
Once a source database contains the encryption keystore on ASM, this will need to be exported and copied to the target provisioning host.
- Create an empty keystore on source filesystem to merge source keys into using sqlplus
This will not change the source keystore in any way.
SQL> !mkdir /tmp/wallet SQL> administer key management create keystore '/tmp/wallet' identified by welcome123; keystore altered. SQL> !ls /tmp/wallet ewallet.p12 SQL>
- Merge the source keystore on ASM into the file based keystore on disk using sqlplus
SQL> administer key management merge keystore '+DATA/DBOMSRE7B249' identified by abc123 into existing keystore '/tmp/wallet' identified by welcome123 with backup; keystore altered. SQL> !ls /tmp/wallet ewallet.p12 ewallet_2021102504203973.p12
The orapki tool can be used to inspect the new keystore.
[oracle@mw19rac1 trace]$ orapki wallet display -wallet /tmp/wallet Oracle PKI Tool Release 19.0.0.0.0 - Production Version 19.4.0.0.0 Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Requested Certificates: Subject: CN=oracle User Certificates: Oracle Secret Store entries: ORACLE.SECURITY.DB.ENCRYPTION.AWmSDN32h08ovyehfgfV73IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KB.ENCRYPTION. ORACLE.SECURITY.KM.ENCRYPTION.AWmSDN32h08ovyehfgfV73IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Trusted Certificates: [oracle@mw19rac1 trace]$
- Copy the file based keystore to the target host. In this example it is copied to a temporary location, however it could be copied directly to the final destination show later in this document.
[oracle@mw19rac1 wallet]$ scp /tmp/wallet/ewallet.p12 oracle@tde-tgt.dcol2.delphix.com:/tmp/wallet oracle@tde-tgt.dcol2.delphix.com's password: ewallet.p12 100% 3995 470.0KB/s 00:00 [oracle@mw19rac1 wallet]$
At this point, no further action is required on the source host/database. All further steps are performed on the target host.
- Create a minimum init file to allow an instance to be started to manage the keystore.
cat $ORACLE_HOME/dbs/initTDE.ora db_name=TDE [oracle@tde-tgt dbs]$ export ORACLE_SID=TDE
- Set the wallet to auto login.
The ".sso" file indicates that the keystore is autologin.
[oracle@tde-tgt dbs]$ sqlplus "/as sysdba" SQL*Plus: Release 19.0.0.0.0 - Production on Mon Oct 25 01:11:01 2021 Version 19.11.0.0.0 Copyright (c) 1982, 2020, Oracle. All rights reserved. Connected to an idle instance. SQL> startup nomount; ORACLE instance started. Total System Global Area 268434272 bytes Fixed Size 8895328 bytes Variable Size 201326592 bytes Database Buffers 50331648 bytes Redo Buffers 7880704 bytes SQL> ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '/tmp/wallet' identified by welcome123; keystore altered. SQL> shutdown abort; ORACLE instance shut down. SQL> [oracle@tde-tgt dbs]$ ls -la /tmp/wallet/ total 8 drwxr-xr-x. 2 oracle oinstall 44 Oct 25 01:11 . drwxrwxrwt. 11 root root 245 Oct 25 01:06 .. -rw-------. 1 oracle oinstall 4040 Oct 25 01:11 cwallet.sso -rw-------. 1 oracle oinstall 3995 Oct 25 01:06 ewallet.p12
- Configure $ORACLE_HOME/network/admin/sqlnet.ora on target host.
The DIRECTORY should using the $ORACLE_SID replacement variable to allow multiple VDBs to use the same sqlnet.ora file.
[oracle@tde-tgt oracle]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/wallet/$ORACLE_SID)))
- Copy the created wallet/sso file to the target wallet location. in this case, we will be provisioning a VDB called "MYVDB".
This step will need to be performed before provisioning for any VDB being provisioned to this host.
[oracle@tde-tgt oracle]$ mkdir -p /u01/app/oracle/wallet/MYVDB [oracle@tde-tgt oracle]$ cp /tmp/wallet/* /u01/app/oracle/wallet/MYVDB [oracle@tde-tgt oracle]$ ls -la /u01/app/oracle/wallet/MYVDB total 8 drwxr-xr-x. 2 oracle oinstall 44 Oct 25 01:17 . drwxr-xr-x. 3 oracle oinstall 19 Oct 25 01:17 .. -rw-------. 1 oracle oinstall 4040 Oct 25 01:17 cwallet.sso -rw-------. 1 oracle oinstall 3995 Oct 25 01:17 ewallet.p12 [oracle@tde-tgt oracle]$
Provisioning should now be successful. Once the provision is complete, you can confirm by logging into the target VDB and checking v$encryption_wallet and v$encryption_key.
Which should be as follows..
QL> select WRL_PARAMETER,status,wallet_type from v$encryption_wallet; WRL_PARAMETER STATUS WALLET_TYPE ------------------------------ ------------------------------ -------------------- /u01/app/oracle/wallet/MYVDB/ OPEN LOCAL_AUTOLOGIN SQL> SQL> select key_id from v$encryption_keys; KEY_ID ------------------------------------------------------------------------------ AWmSDN32h08ovyehfgfV73IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The key_id shown here should match the key_id from the source database.
Related Articles
The following articles may provide more information or related information to this article: