Performing Oracle Transparent Data Encryption Master Key Rotation in Delphix Virtual Databases (KBA6398)
KBA
KBA# 6398Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1 5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
4.3
4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0
4.2
4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0 , 4.2.5.0, 4.2.5.1
4.1
4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0
How to Task
Oracle Transparent Data Encryption (TDE) Master Keys may need to be rotated or different keys provided between the dSource and virtual database due to the security policies for your site. This article looks to address this requirement and provide one possible process for rotating and changing the TDE master key in a virtual database.
Prerequisites
The process detailed here requires the following:
- An Oracle database with Transparent Data Encryption (TDE) enabled and this database having been ingested by the Delphix Engine as a dSource.
- A correctly configured and enabled Oracle Wallet that is responsible for holding the keystore used by Oracle TDE.
- A target host with an Oracle Home in place conforming to all of the pre-requisites set out in the Delphix documentation for Oracle Target hosts.
Overview of the process
- Establish Transparent Data Encryption in the Oracle source database.
- Link the source database to Delphix as a dSource.
- Configure the target host environment and Oracle Wallet in preparation for provisioning a TDE enabled virtual database.
- Provision the virtual database.
- Rotate the Transparent Data Encrytion Master Key in the Virtual Database.
To Complete Oracle TDE Master Key Rotation
Complete the following procedure to provision a new virtual database from a TDE enabled dSource and rotate the TDE Master Key in the Oracle Virtual Database. This ensures the source database and virtual database have different master keys.
Establish a Wallet and enable Transparent Data Encryption (TDE) in the dSource database
Enable a wallet location for the database through setting the sqlnet.ora directive WALLET_LOCATION
-
Backup the existing $ORACLE_HOME/network/admin/sqlnet.ora used by the dSource; typically located in its Oracle Home.
[oracle@oel7si1 admin]$ cp sqlnet.ora sqlnet.ora.cdb122
- Edit the sqlnet.ora and enable a wallet location. This will be used by the dSource database to locate the wallet and associated keys required for utilizing Transparent Data Encryption (TDE).
[oracle@oel7si1 admin]$ vi sqlnet.ora [oracle@oel7si1 admin]$ cat $ORACLE_HOME/network/admin/sqlnet.ora # sqlnet.ora Network Configuration File: /u01/app/oracle/product/12.2.0/dbhome_1/network/admin/sqlnet.ora # Generated by Oracle configuration tools. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) SQLNET.ALLOWED_LOGON_VERSION_SERVER=11 ADR_BASE = /u01/app/oracle SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCP, TCPS) SSL_VERSION = 1.2 SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_128_GCM_SHA256) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/dbwallet/$ORACLE_SID) ) )
Important: The indenting and formatting of the wallet_location directive is important. If the format is incorrect, the wallet may fail to ve used by the database.
- Shutdown and restart the dSource database so that it picks up the new sqlnet.ora and wallet location.
[oracle@oel7si1 admin]$ sqlplus / as sysdba SQL*Plus: Release 12.2.0.1.0 Production on Thu Aug 27 16:45:57 2020 Copyright (c) 1982, 2016, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> startup ORACLE instance started. Total System Global Area 1258291200 bytes Fixed Size 8620224 bytes Variable Size 452986688 bytes Database Buffers 788529152 bytes Redo Buffers 8155136 bytes Database mounted. Database opened. SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ---------------------------------------- ------------- ----------- --------- --------- ------ FILE /u01/app/oracle/dbwallet/tde1/ NOT_AVAILABLE UNKNOWN SINGLE UNDEFINED 0 SQL> exit Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
Note: The wallet will initially show as not available as it has not been created yet.
Establish the Oracle Wallet
- Create a location for the wallet that aligns with the sqlnet.ora wallet_location directive.
[oracle@oel7si1 admin]$ mkdir -p /u01/app/oracle/dbwallet/tde1/
- Create the Oracle wallet/keystore.
[oracle@oel7si1 admin]$ sqlplus / as sysdba SQL*Plus: Release 12.2.0.1.0 Production on Thu Aug 27 16:48:07 2020 Copyright (c) 1982, 2016, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/dbwallet/tde1/' identified by keystore123; keystore altered.
- Open the wallet for the first time.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY keystore123; keystore altered.
- Check and ensure the Oracle database has opened the wallet.
SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ----------- ------------------------------- -------------------- ----------- --------- --------- ------ FILE /u01/app/oracle/dbwallet/tde1/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED 0
- Set the wallet master key.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY keystore123 with backup; keystore altered.
- Check the state of the wallet, now with the master key in place.
SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ----------- ------------------------------- -------- ----------- --------- --------- ------ FILE /u01/app/oracle/dbwallet/tde1/ OPEN PASSWORD SINGLE NO 0
- Enable autologin for the wallet/keystore so the database can automatically open it at startup.
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/dbwallet/tde1/' identified by keystore123; keystore altered.
- Enabling autologin will place the cwallet.sso file in the wallet location and enable the database to automatically open the wallet as it starts.
SQL> ! ls -l /u01/app/oracle/dbwallet/tde1/ total 12 -rw-------. 1 oracle oinstall 3891 Aug 27 16:55 cwallet.sso -rw-------. 1 oracle oinstall 2408 Aug 27 16:54 ewallet_2020082706542273.p12 -rw-------. 1 oracle oinstall 3848 Aug 27 16:54 ewallet.p12
- Restarting the database will test that autologin has been correctly established for the database when the wallet is interrogated from within the database itself.
SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> startup ORACLE instance started. Total System Global Area 1258291200 bytes Fixed Size 8620224 bytes Variable Size 452986688 bytes Database Buffers 788529152 bytes Redo Buffers 8155136 bytes Database mounted. Database opened. SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ----------- ------------------------------- -------- ----------- --------- --------- ------ FILE /u01/app/oracle/dbwallet/tde1/ OPEN AUTOLOGIN SINGLE NO 0
- Establish an encrypted tablespace within the database with Transparent Data Encryption enabled.
[oracle@oel7si1 admin]$ sqlplus / as sysdba SQL*Plus: Release 12.2.0.1.0 Production on Thu Aug 27 16:59:58 2020 Copyright (c) 1982, 2016, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production SQL> CREATE TABLESPACE ENCRYPTTEST datafile size 10M ENCRYPTION USING 'AES256' DEFAULT STORAGE(ENCRYPT); Tablespace created.
- Create a table in this encrypted tablespace and add some data for testing.
SQL> connect / as sysdba Connected. SQL> grant create table to delphix; SQL> connect delphix/delphix Connected. SQL> create table tblencrypt (id number(10) encrypt) tablespace encrypttest; Table created. SQL> connect / as sysdba Connected. SQL> grant unlimited tablespace to delphix; Grant succeeded. SQL> connect delphix/delphix Connected. SQL> insert into tblencrypt values(1); 1 row created. SQL> insert into tblencrypt values(2); 1 row created. SQL> insert into tblencrypt values(3); 1 row created. SQL> commit; Commit complete.
Link the dSource Database
- Link the TDE enabled dSource using the Delphix GUI.
Configure the Target Environment Oracle Wallet in Preparation for Provisioning a VDB
- Configure the VDB target host sqlnet.ora.
[oracle@oel7si2 admin]$ cat sqlnet.ora # sqlnet.ora Network Configuration File: /u01/app/oracle/product/12.2.0/dbhome_1/network/admin/sqlnet.ora # Generated by Oracle configuration tools. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) SQLNET.ALLOWED_LOGON_VERSION_SERVER=11 ADR_BASE = /u01/app/oracleSQLNET.AUTHENTICATION_SERVICES= (BEQ, TCP, TCPS) SSL_VERSION = 1.2 SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_128_GCM_SHA256) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/vdbwallet/$ORACLE_SID) ) )
- Create the wallet directory for the VDB using a directory name that aligns with the ORACLE_SID/Instance name of the VDB about to be created.
- This ORACLE_SID value is used to map the sqlnet.ora DIRECTORY directive used in locating each VDB's wallet.
[oracle@oel7si2 admin]$ mkdir -p /u01/app/oracle/vdbwallet/vtde1
- Copy the wallet from the source to the target.
[oracle@oel7si2 admin]$ scp oel7si1:/u01/app/oracle/dbwallet/tde1/* /u01/app/oracle/vdbwallet/vtde1/ oracle@oel7si1's password: cwallet.sso 100% 3891 3.8KB/s 00:00 ewallet_2020082706542273.p12 100% 2408 2.4KB/s 00:00 ewallet.p12
Provision the VDB
- Provision the VDB using the Delphix Administration GUI, naming it, in this case vtde1, ensuring its ORACLE_SID/Instance name (vtde1) aligns with the file system folder of that same name on the destination host.
- The VDB is seen running post provision.
[oracle@oel7si2 provision]$ ps -ef | grep pmon oracle 20276 1 0 19:34 ? 00:00:00 ora_pmon_vtde1
- Set the environment for the VDB so that sqlplus can be used to log in to it.
[oracle@oel7si2 provision]$ set | grep ORA OLD_ORACLE_BASE= ORABASE_EXEC=/u01/app/oracle/product/12.2.0/dbhome_1/bin/orabase ORACLE_BASE=/u01/app/oracle ORACLE_HOME=/u01/app/oracle/product/12.2.0/dbhome_1 ORACLE_SID=cdb122 ORAHOME=/u01/app/oracle/product/12.2.0/dbhome_1 ORASID=oracle [oracle@oel7si2 provision]$ export ORACLE_SID=vtde1 [oracle@oel7si2 provision]$ sqlplus / as sysdba SQL> select db_unique_name,open_mode,database_role from v$database; DB_UNIQUE_NAME OPEN_MODE DATABASE_ROLE --------------- -------------------- ---------------- vtde1 READ WRITE PRIMARY
- The wallet must be seen as open in the VDB.
SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ------------ ----------------------------------- --------- --------------- ------------- ------------- ------- FILE /u01/app/oracle/vdbwallet/vtde1/ OPEN AUTOLOGIN SINGLE NO 0
- Querying the encrypted data must be successfully performed in the VDB when TDE is correctly configured.
SQL> select * from TBLENCRYPT; ID ---------- 1 2 3
Perform the Oracle Database TDE Master Key Rotation
Make sure the wallet is open before attempting the master key rotation.
SQL> select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ------------ ----------------------------------- --------- --------------- ------------- ------------- ------- FILE /u01/app/oracle/vdbwallet/vtde1/ OPEN AUTOLOGIN SINGLE NO 0
- If autologin is enabled, ensure both the autologin keystore, identified by the .sso file, and the encryption keystore, identified by the .p12 file, are present in the wallet location.
SQL> ! ls -l /u01/app/oracle/vdbwallet/vtde1/ total 12 -rw-------. 1 oracle oinstall 3891 Aug 27 19:08 cwallet.sso -rw-------. 1 oracle oinstall 2408 Aug 27 19:08 ewallet_2020082706542273.p12 -rw-------. 1 oracle oinstall 3848 Aug 27 19:08 ewallet.p12
- Display the contents of the wallet to obtain the current key details.
[oracle@oel7si2 provision]$ orapki wallet display -wallet /u01/app/oracle/vdbwallet/vtde1/ -pwd keystore123 Oracle PKI Tool : Version 12.2.0.1.0 Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. Requested Certificates: Subject: CN=oracle User Certificates: Oracle Secret Store entries: ORACLE.SECURITY.DB.ENCRYPTION.ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KB.ENCRYPTION. ORACLE.SECURITY.KM.ENCRYPTION.ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Trusted Certificates:
- Perform the key master key rotation using the administer key command.
[oracle@oel7si2 ]$ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY FORCE KEYSTORE IDENTIFIED BY keystore123 WITH BACKUP; keystore altered.
- Display the contents of the wallet; the new key details will be seen (in this case key AVZzNf+M709ivwGxCrfsf0oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA).
[oracle@oel7si2 provision]$ orapki wallet display -wallet /u01/app/oracle/vdbwallet/vtde1/ -pwd keystore123 Oracle PKI Tool : Version 12.2.0.1.0 Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. Requested Certificates: Subject: CN=oracle User Certificates: Oracle Secret Store entries: ORACLE.SECURITY.DB.ENCRYPTION.ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.AVZzNf+M709ivwGxCrfsf0oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KB.ENCRYPTION. ORACLE.SECURITY.KM.ENCRYPTION.ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.AVZzNf+M709ivwGxCrfsf0oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Trusted Certificates:
- The master key is seen altered inside the database and a new creation time appears.
SQL> select KEY_ID,KEY_USE,CREATOR_DBNAME, CREATION_TIME from V$ENCRYPTION_KEYS order by creation_time; KEY_ID KEY_USE CREATOR_DBNAME CREATION_TIME ------------------------------------------------------------ ---------- --------------- ------------------------------------- ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA TDE tde1 27/AUG/20 06:54:22.771516 AM +00:00 AVZzNf+M709ivwGxCrfsf0oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA TDE vtde1 27/AUG/20 10:03:28.605733 AM +00:00
- Confirm the key changes are active after a database restart.
SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> startup ORACLE instance started. Total System Global Area 1258291200 bytes Fixed Size 8620224 bytes Variable Size 335546176 bytes Database Buffers 905969664 bytes Redo Buffers 8155136 bytes Database mounted. Database opened. SQL> select KEY_ID,KEY_USE,CREATOR_DBNAME, CREATION_TIME from V$ENCRYPTION_KEYS order by creation_time; KEY_ID KEY_USE CREATOR_DBNAME CREATION_TIME ------------------------------------------------------------ ---------- --------------- ------------------------------------- ARt9JJwGC08AvzNja03PcaMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA TDE tde1 27/AUG/20 06:54:22.771516 AM +00:00 AVZzNf+M709ivwGxCrfsf0oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA TDE vtde1 27/AUG/20 10:03:28.605733 AM +00:00
- Ensure the encrypted data can be accessed in the VDB after the key rotation has occurred.
SQL> connect delphix/delphix Connected. SQL> select * from TBLENCRYPT; ID ---------- 1 2 3
The master key rotation is now complete.
Related Articles
The following articles may provide more information or related information to this article: