Objective: Migrate a file-based TDE key to an online TDE key managed by Oracle Key Vault (OKV).
The setup involves creating the virtual wallet, the endpoint group and the endpoint, managing access and permissions, and migrating the wallet.
Step 1) Log in to the web console
Step 2) As OKV admin, create a virtual wallet
Web console as key vault admin -> Keys & Wallets -> Create -> enter a name (make it unique), a description, the wallet type and, if you already have contents you have access to, the wallet contents -> click Save
Virtual wallet name: RDBMS_ORACLE_vcentos79-oracle-ggtgt_GGSRC04T
Step 3) As OKV admin, create an endpoint group
Endpoint group name: endptgrp_ggsrc04t_okv01 (the okv01 suffix was added by OKV itself, since I selected "make it unique")
Web console as key vault admin -> Endpoints -> Endpoint Groups -> Create -> enter the name of the group
Step 4) As OKV admin, grant the endpoint group read and modify / manage permission on the virtual wallet
Web console as key vault admin -> Endpoints -> Endpoint Groups -> Edit -> Access to Wallets -> Add -> select the virtual wallet -> choose the access level (Read, Read and Modify, or Manage) -> Save
Step 5) As system admin, register the endpoint
endpoint name: endpt_vcentos79-oracle-ggtgt_ggsrc04t | 192.168.194.11
Web console logged in as system admin -> Endpoints -> Add -> enter the requested details; for TDE, choose Oracle Database as the type -> Register
Step 6) As OKV admin, add the endpoint to the endpoint group
Web console as key vault admin -> Endpoint Groups -> Edit -> Endpoint Group Members -> Add -> select the endpoints to be added -> Save -> save the changes to the endpoint group
Step 7) As system admin, set the default wallet of the endpoint to the virtual wallet we created
Web console logged in as key admin -> Endpoints -> select the endpoint -> Default Wallet -> Choose Wallet -> select it -> Save
Step 8) Enroll the endpoint as endpoint admin using the one-time token
Token: aWOvrvpvGdvKJXzh
System admin -> enrollment token shared with the endpoint admin
Endpoint admin -> logs in to the endpoint system -> opens the OKV web console -> clicks the Endpoint Enrollment & Software Download button -> enters the token -> clicks Validate (the other fields are auto-populated) -> clicks Enroll and follows the prompts to download okvclient.jar; store it in a secure location.
Log in to the endpoint server as endpoint admin -> navigate to the directory where okvclient.jar is kept -> designate OKV_HOME and ensure it is empty -> run the java command shown below -> it prompts for a password (this password is then required by okvutil and ADMINISTER KEY MANAGEMENT); just press Enter to skip it, which enables auto-login -> the install finishes -> run <OKV_HOME>/bin/root.sh as root and validate that /opt/oracle/extapi/64/hsm/oracle/1.0.0 was populated -> verify the softlink exists: ls -l $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora -> run <OKV_HOME>/bin/okvutil list
cd /home/oracle/dba/OKV_Bin
export OKV_HOME=/u01/app/oracle/okv
java -jar okvclient.jar -d /u01/app/oracle/okv -v
Actual output from the commands in PuTTY:
Step 9) Migrate the TDE key to Oracle Key Vault
Prerequisites (19c only): introduce the 19c WALLET_ROOT / TDE_CONFIGURATION settings for the TDE key
a. Copy the TDE wallet files into the tde folder under the wallet directory:
b. Set the wallet_root parameter:
alter system set wallet_root='/u01/app/oracle/admin/GGTGT04T/wallet' scope=spfile;
Note: do not include '/tde' at the end of the path; Oracle automatically picks up the 'tde' directory under WALLET_ROOT.
c. Restart the database instance
d. Set the tde_configuration parameter
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
Note: tde_configuration must be set after the instance restart (once WALLET_ROOT is in effect); otherwise Oracle will not allow the parameter to be changed.
e. Validate
show parameter wallet_root
show parameter tde_configuration
select * from v$encryption_wallet;
Actual output:
Actual migration steps:
Step 9) Migrate the TDE key to Oracle Key Vault
1. Back up the database(s) that depend on the wallet file
2. Complete the enrollment of the endpoint
3. Upload the local wallet file using okvutil
$OKV_HOME/bin/okvutil upload -t WALLET -l /path/to/tde-wallet -g name_of_wallet_in_Oracle_Key_Vault -v 4
$OKV_HOME/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/GGTGT04T/wallet/tde -g RDBMS_ORACLE_vcentos79-oracle-ggtgt_GGSRC04T -v 4
Actual output:
4. For 19c, set the following parameter
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;
Actual output:
6. Close and reconnect in the 19c database
7. Run the query below to verify that the configured keystore method (from sqlnet.ora) is reflected in WALLET_TYPE:
SELECT CON_ID, WALLET_TYPE, WALLET_ORDER, STATUS
FROM V$ENCRYPTION_WALLET
WHERE CON_ID <> 2;
Ensure a softlink to the OKV install (okv) exists in ${WALLET_ROOT} if the okv directory does not already exist there.
If not, we may hit ORA-28353.
8. For 12c and later, run the command below to complete the migration (the password is "NULL" here, since we prefer auto-login)
Wallet password: oracle
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "NULL" MIGRATE USING "oracle" WITH BACKUP;
9. For 12c and later, run the command below to open the keystore in Key Vault
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
IDENTIFIED BY "NULL";
10. After you complete the migration, if you are using an auto-login wallet, then re-enable it by renaming the cwallet.sso.bak file to cwallet.sso.
Actual output of the fixup routine:
After fixup:
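As an added example (not from the post), a small POSIX shell pre-flight for the WALLET_ROOT layout used above: it covers the okvclient.ora softlink check from Step 8, the ORA-28353 softlink caveat and the cwallet.sso.bak rename from Step 9. It assumes the missing softlink is WALLET_ROOT/okv pointing at OKV_HOME (so WALLET_ROOT/okv/conf/okvclient.ora resolves) and that the software keystore file is ewallet.p12; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: checks for the 19c WALLET_ROOT / OKV client layout.
# Assumption: the "softlink to okv" is WALLET_ROOT/okv -> OKV_HOME, which makes
# WALLET_ROOT/okv/conf/okvclient.ora reachable. Nothing here runs okvutil or SQL.

# okv_preflight WALLET_ROOT OKV_HOME ORACLE_BASE ORACLE_SID
# Prints every missing piece; the return code is the number of problems (0 = ready).
okv_preflight() {
  wallet_root=$1; okv_home=$2; oracle_base=$3; sid=$4
  problems=0
  # Step 9 prereq a: the software keystore must already sit in WALLET_ROOT/tde
  if [ ! -f "$wallet_root/tde/ewallet.p12" ]; then
    echo "missing $wallet_root/tde/ewallet.p12 (copy the TDE wallet into WALLET_ROOT/tde)"
    problems=$((problems + 1))
  fi
  # Step 8: the per-SID okvclient.ora link the endpoint install leaves behind
  if [ ! -e "$oracle_base/okv/$sid/okvclient.ora" ]; then
    echo "missing $oracle_base/okv/$sid/okvclient.ora (endpoint install incomplete?)"
    problems=$((problems + 1))
  fi
  # Step 9 note: without WALLET_ROOT/okv the database cannot reach okvclient.ora (ORA-28353)
  if [ ! -r "$wallet_root/okv/conf/okvclient.ora" ]; then
    echo "missing $wallet_root/okv/conf/okvclient.ora (link $wallet_root/okv -> $okv_home)"
    problems=$((problems + 1))
  fi
  return $problems
}

# ensure_okv_link WALLET_ROOT OKV_HOME
# Creates the WALLET_ROOT/okv symlink only when nothing is there yet; never overwrites.
ensure_okv_link() {
  wallet_root=$1; okv_home=$2
  if [ -e "$wallet_root/okv" ] || [ -L "$wallet_root/okv" ]; then
    echo "$wallet_root/okv already exists, leaving it alone"
    return 0
  fi
  ln -s "$okv_home" "$wallet_root/okv"
}

# restore_autologin TDE_DIR
# Step 10: put cwallet.sso back if only cwallet.sso.bak is left; succeeds when it is present.
restore_autologin() {
  tde_dir=$1
  if [ -f "$tde_dir/cwallet.sso.bak" ] && [ ! -e "$tde_dir/cwallet.sso" ]; then
    mv "$tde_dir/cwallet.sso.bak" "$tde_dir/cwallet.sso"
  fi
  [ -f "$tde_dir/cwallet.sso" ]
}
```

Run okv_preflight before the okvutil upload and again after the fixup; a non-zero return code lists exactly what is still missing.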
Step 10) Delete the local key and try to access the encrypted content
In the last step itself we deleted the file-based keystore.
Thanks