Objective: Migrate a file-based TDE key to an online TDE master key held in Oracle Key Vault (OKV).
The setup involves creating the virtual wallet, endpoint group and endpoint, managing access and permissions, and migrating the wallet.
admin (okv admin) << system admin and Audit manager roles to the OKV admin.
Step 1) Login to web console
Step 2) as OKV admin create a virtual wallet
Web console as key vault admin -> Keys & wallets -> create -> name (make unique, description, wallet type and wallet content in case you already have some contents & you have access as well) -> click save
Virtual wallet name: RDBMS_ORACLE_vcentos79-oracle-ggtgt_GGSRC04T
endpoint name: vcentos79-oracle-ggtgt
>> done until here
Step 3) as OKV admin create an endpoint group
endpoint group name: endptgrp_ggsrc04t_okv01 (okv01 was added by okv itself, since I selected make it unique)
web console as keyvault admin -> endpoint -> endpoint group -> create -> enter the name of the group
Step 4) as OKV admin grant read and modify, manage permission for endpoint group to virtual wallet
web console as keyvault admin -> endpoint -> endpoint group -> edit -> access to wallet -> add -> virtual wallet selected -> access level (read or read and modify or manage) -> save
>> done
Step 5) as system admin Register endpoint
endpoint name: endpt_vcentos79-oracle-ggtgt_ggsrc04t | 192.168.194.11
Web console login as system admin -> Endpoints -> Add -> enter the details requested, remember for TDE, choose oracle database as type ->register
>> registered
Step 6) as OKV admin Add endpoints to the endpoint group
web console as keyvault admin -> endpoint groups -> edit -> endpoint group members -> add -> select endpoint groups to which they need to be added -> save -> save the changes to endpoint groups
>>> done
Step 7) as system admin Set default wallet to the virtual wallet we created for the endpoint
web console login as key admin -> endpoint -> select endpoint -> default wallet -> choose wallet -> select -> save
>> done
Step 8) Enroll endpoint as endpoint admin using one time token
Token: aWOvrvpvGdvKJXzh
System admin -> enrollment token shared to endpoint admin
endpoint admin -> logs into the endpoint system -> access the okv web console -> click on endpoint enrollment & software download button -> enter the token -> click validate -> other fields will be auto populated -> click enroll and follow prompts to download store the okvclient.jar in a secure location.
set oraenv [ensure ORACLE_BASE and ORACLE_HOME are proper]
set JAVA_HOME/bin to point to a Java SDK of version 1.6, 7 or 8
shut the db down in case the db is already using online TDE master encryption keys
shut the server as well using endpoint admin
export JAVA_HOME=$ORACLE_HOME/jdk
export PATH=$PATH:$JAVA_HOME:$JAVA_HOME/bin
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ export JAVA_HOME=$ORACLE_HOME/jdk
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ export PATH=$PATH:$JAVA_HOME:$JAVA_HOME/bin
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ which java
/u01/app/oracle/product/19.0.0/db_1/jdk/bin/java
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ java -version
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$
OKV_HOME=/u01/app/oracle/okv
login to the endpoint server as endpoint admin -> navigate to the directory where okvclient.jar is kept -> designate okv_home and ensure it is empty -> run the java command shared below -> it will prompt for a password [impacts okvutil and administer key management]; you can just press Enter to skip the password, which enables auto-login -> install finishes -> launch <OKV_HOME>/bin/root.sh as root and validate [/opt/oracle/extapi/64/hsm/oracle/1.0.0] -> verify the softlink exists: ls -l $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora -> launch <okv_home>/bin/okvutil list
cd /home/oracle/dba/OKV_Bin
export OKV_HOME=/u01/app/oracle/okv
java -jar okvclient.jar -d /u01/app/oracle/okv -v
actual output:
[oracle@vcentos79-oracle-ggtgt okv]$ pwd
/u01/app/oracle/okv
[oracle@vcentos79-oracle-ggtgt okv]$ ls -altr
total 0
drwxr-xr-x. 2 oracle oinstall 6 Sep 6 02:40 .
drwxr-xr-x. 9 oracle oinstall 108 Sep 6 02:40 ..
[oracle@vcentos79-oracle-ggtgt okv]$
/home/oracle/dba/OKV_Bin
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ java -jar okvclient.jar -d /u01/app/oracle/okv -v
Detected JAVA_HOME: /u01/app/oracle/product/19.0.0/db_1/jdk
Detected ORACLE_HOME: /u01/app/oracle/product/19.0.0/db_1
Detected ORACLE_BASE: /u01/app/oracle
Using OKV_HOME: /u01/app/oracle/okv
Please set environment variables ORACLE_HOME, ORACLE_BASE, and OKV_HOME
consistently across processes.
Enter new Key Vault endpoint password (<enter> for auto-login):
The endpoint software for Oracle Key Vault installed successfully.
Deleted the file : /home/oracle/dba/OKV_Bin/okvclient.jar
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ pwd
/home/oracle/dba/OKV_Bin
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ ls -altr
total 0
drwxr-xr-x. 6 oracle oinstall 170 Sep 6 02:33 ..
drwxr-xr-x. 2 oracle oinstall 6 Sep 6 02:43 .
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ ls -altr /u01/app/oracle/okv
total 0
drwxr-xr-x. 10 oracle oinstall 123 Sep 6 02:42 ..
drwxr-x---. 2 oracle oinstall 25 Sep 6 02:43 jlib
drwxr-x---. 2 oracle oinstall 27 Sep 6 02:43 lib
drwxr-x---. 3 oracle oinstall 17 Sep 6 02:43 csdk
drwxr-x---. 2 oracle oinstall 120 Sep 6 02:43 bin
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 .
drwxr-x---. 2 oracle oinstall 48 Sep 6 02:43 GGTGT04T
drwxr-x---. 2 oracle oinstall 44 Sep 6 02:43 ssl
drwxr-x---. 2 oracle oinstall 101 Sep 6 02:43 conf
drwxr-x---. 2 oracle oinstall 63 Sep 6 02:43 log
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ ls -altr /u01/app/oracle/okv/bin
total 8572
-rwxr-x---. 1 oracle oinstall 5030 Sep 6 01:31 root.sh
-rwxr-x---. 1 oracle oinstall 7721 Sep 6 01:31 okvutil
-rwxr-x---. 1 oracle oinstall 29651 Sep 6 01:31 okv_ssh_ep_lookup_authorized_keys
-rwxr-x---. 1 oracle oinstall 8707899 Sep 6 01:31 okveps.x64
-rwxr-x---. 1 oracle oinstall 18343 Sep 6 01:31 ep_healthcheck.sh
drwxr-x---. 2 oracle oinstall 120 Sep 6 02:43 .
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 ..
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ ls -altr /u01/app/oracle/okv/conf
total 12
-rwx------. 1 oracle oinstall 1009 Sep 6 01:31 okvsshendpoint.conf
-rw-r-----. 1 oracle oinstall 0 Sep 6 02:43 okvclient.lck
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 ..
-rw-r-----. 1 oracle oinstall 1023 Sep 6 02:43 okvclient.ora
drwxr-x---. 2 oracle oinstall 101 Sep 6 02:43 .
-rw-r-----. 1 oracle oinstall 451 Sep 6 02:43 logging.properties
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ ls -altr /opt/oracle/extapi/64/hsm/oracle/1.0.0
ls: cannot access /opt/oracle/extapi/64/hsm/oracle/1.0.0: No such file or directory
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ pwd
/home/oracle/dba/OKV_Bin
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ cd /u01/app/oracle/okv/bin
[oracle@vcentos79-oracle-ggtgt bin]$ pwd
/u01/app/oracle/okv/bin
[oracle@vcentos79-oracle-ggtgt bin]$ ls -altr
total 8572
-rwxr-x---. 1 oracle oinstall 5030 Sep 6 01:31 root.sh
-rwxr-x---. 1 oracle oinstall 7721 Sep 6 01:31 okvutil
-rwxr-x---. 1 oracle oinstall 29651 Sep 6 01:31 okv_ssh_ep_lookup_authorized_keys
-rwxr-x---. 1 oracle oinstall 8707899 Sep 6 01:31 okveps.x64
-rwxr-x---. 1 oracle oinstall 18343 Sep 6 01:31 ep_healthcheck.sh
drwxr-x---. 2 oracle oinstall 120 Sep 6 02:43 .
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 ..
[oracle@vcentos79-oracle-ggtgt bin]$ sudo su =
su: user = does not exist
[oracle@vcentos79-oracle-ggtgt bin]$ sudo su -
Last login: Tue Oct 10 23:09:11 BST 2023 on pts/0
[root@vcentos79-oracle-ggtgt ~]# cd /u01/app/oracle/okv/bin
[root@vcentos79-oracle-ggtgt bin]# ls -altr
total 8572
-rwxr-x---. 1 oracle oinstall 5030 Sep 6 01:31 root.sh
-rwxr-x---. 1 oracle oinstall 7721 Sep 6 01:31 okvutil
-rwxr-x---. 1 oracle oinstall 29651 Sep 6 01:31 okv_ssh_ep_lookup_authorized_keys
-rwxr-x---. 1 oracle oinstall 8707899 Sep 6 01:31 okveps.x64
-rwxr-x---. 1 oracle oinstall 18343 Sep 6 01:31 ep_healthcheck.sh
drwxr-x---. 2 oracle oinstall 120 Sep 6 02:43 .
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 ..
[root@vcentos79-oracle-ggtgt bin]# ./root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@vcentos79-oracle-ggtgt bin]# ls -altr /opt/oracle/extapi/64/hsm/oracle/1.0.0
total 8716
drwxr-xr-x. 3 root root 19 Sep 6 02:45 ..
drwxr-xr-x. 2 root root 27 Sep 6 02:45 .
-rwxr-xr-x. 1 root root 8924633 Sep 6 02:45 liborapkcs.so
[root@vcentos79-oracle-ggtgt bin]#
[oracle@vcentos79-oracle-ggtgt bin]$ ls -l $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora
lrwxrwxrwx. 1 oracle oinstall 38 Sep 6 02:43 /u01/app/oracle/okv/GGTGT04T/okvclient.ora -> /u01/app/oracle/okv/conf/okvclient.ora
[oracle@vcentos79-oracle-ggtgt bin]$
[oracle@vcentos79-oracle-ggtgt bin]$ ls -altr
total 8572
-rwxr-x---. 1 oracle oinstall 5030 Sep 6 01:31 root.sh
-rwxr-x---. 1 oracle oinstall 7721 Sep 6 01:31 okvutil
-rwxr-x---. 1 oracle oinstall 29651 Sep 6 01:31 okv_ssh_ep_lookup_authorized_keys
-rwxr-x---. 1 oracle oinstall 8707899 Sep 6 01:31 okveps.x64
-rwxr-x---. 1 oracle oinstall 18343 Sep 6 01:31 ep_healthcheck.sh
drwxr-x---. 2 oracle oinstall 120 Sep 6 02:43 .
drwxr-xr-x. 10 oracle oinstall 102 Sep 6 02:43 ..
[oracle@vcentos79-oracle-ggtgt bin]$ ./okvutil list
Unique ID Type Identifier
A89071BC-DD21-483F-BB19-B89A82AF9279 Template Default template for ENDPT_VCENTOS79-ORACLE-GGTGT_GGSRC04T
[oracle@vcentos79-oracle-ggtgt bin]$
>> done
Step 9 prereqs:
Introduce 19c setting for tde key
a. copy the tde keys over to tde folder:
[oracle@vcentos79-oracle-ggtgt wallet]$ pwd
/u01/app/oracle/admin/GGTGT04T/wallet
[oracle@vcentos79-oracle-ggtgt wallet]$ ls -altr
total 8
-rw-------. 1 oracle oinstall 3891 Aug 26 2023 cwallet.sso
-rw-------. 1 oracle oinstall 3848 Aug 26 2023 ewallet.p12
drwxr-xr-x. 5 oracle oinstall 51 Aug 26 2023 ..
drwxr-xr-x. 3 oracle oinstall 55 Sep 6 02:52 .
drwxr-xr-x. 2 oracle oinstall 44 Sep 6 02:52 tde
[oracle@vcentos79-oracle-ggtgt wallet]$
[oracle@vcentos79-oracle-ggtgt wallet]$ cp *wall* tde/
[oracle@vcentos79-oracle-ggtgt wallet]$ ls -altr tde
total 8
drwxr-xr-x. 3 oracle oinstall 55 Sep 6 02:52 ..
-rw-------. 1 oracle oinstall 3891 Sep 6 02:52 cwallet.sso
drwxr-xr-x. 2 oracle oinstall 44 Sep 6 02:52 .
-rw-------. 1 oracle oinstall 3848 Sep 6 02:52 ewallet.p12
[oracle@vcentos79-oracle-ggtgt wallet]$
b. set wallet_Root param:
alter system set wallet_root='/u01/app/oracle/admin/GGTGT04T/wallet' scope=spfile;
Note: do not include '/tde' in the path; Oracle automatically picks up the 'tde' directory
c. Restart the database instance
d. Set the tde_configuration parameter
alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
Note: the tde_configuration parameter needs to be set after the instance restart, otherwise Oracle will not allow the parameter to be changed.
e. Validate
show parameter wallet_root
show parameter tde_configuration
select * from v$encryption_wallet;
Actual output:
SQL> !pwd
/home/oracle/dba/OKV_Bin
SQL> create pfile='/home/oracle/dba/OKV_Bin/pfileGGTGT04T.ora' from spfile;
File created.
SQL> alter system set wallet_root='/u01/app/oracle/admin/GGTGT04T/wallet' scope=spfile;
System altered.
SQL> shu immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> start up
SP2-0310: unable to open file "up.sql"
SQL> startup
ORACLE instance started.
Total System Global Area 3221222464 bytes
Fixed Size 8901696 bytes
Variable Size 1107296256 bytes
Database Buffers 2097152000 bytes
Redo Buffers 7872512 bytes
Database mounted.
Database opened.
SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
System altered.
SQL> sho parameter TDE_C
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string KEYSTORE_CONFIGURATION=FILE
SQL> sho parameter wallet
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
ssl_wallet string
wallet_root string /u01/app/oracle/admin/GGTGT04T
/wallet
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC
------------------------------ -------------------- --------- -------- ---------
CON_ID
----------
FILE
/u01/app/oracle/admin/GGTGT04T/wallet/tde/
OPEN AUTOLOGIN SINGLE NONE NO
0
SQL> disc
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> conn / as sysdba
Connected.
SQL> select * from V$ENCRYPTED_TABLESPACES;
TS# ENCRYPT ENC
---------- ------- ---
ENCRYPTEDKEY
----------------------------------------------------------------
MASTERKEYID BLOCKS_ENCRYPTED BLOCKS_DECRYPTED KEY_VERSION
-------------------------------- ---------------- ---------------- -----------
STATUS CON_ID
---------- ----------
5 AES256 YES
DB42CC7B7C43582EC021146C77B5EB10E8DF88A01E1A81F29881327B470E602C
24C275A122E04FA4BFAAF486B4B27B5E 0 1 0
NORMAL 0
SQL> select tablespace_name,ENCRYPTED from dba_tablespaces order by 1;
TABLESPACE_NAME ENC
------------------------------ ---
ENCRYPT_TS1 YES
GG_DATA_TGT NO
SYSAUX NO
SYSTEM NO
TEMP NO
UNDOTBS1 NO
USERS NO
7 rows selected.
SQL> select username from dba_users where oracle_maintaned='N';
select username from dba_users where oracle_maintaned='N'
*
ERROR at line 1:
ORA-00904: "ORACLE_MAINTANED": invalid identifier
SQL> select username from dba_users where oracle_maintained='N';
USERNAME
--------------------------------------------------------------------------------
DBV_OWNER
ENCVAULT_TEST
ENCVAULT_TEST_RO
GGADMIN_TGT
ENCVAULT_TEST_PREV
SQL> disc
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> conn ENCVAULT_TEST/encvault_test
ERROR:
ORA-28002: the password will expire within 7 days
Connected.
SQL> select count(1) from ENCRYPT_TAB1;
COUNT(1)
----------
10
SQL> disc
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
======================
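The manual checks from Step 8 (directory modes under OKV_HOME, the PKCS library copied by root.sh, the okvclient.ora symlink) and the owner-only wallet files from the Step 9 prerequisites, scripted as an added example; this is not part of the original post or of the OKV client, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: scripted version of the manual post-install checks.
# Function names are hypothetical helpers, not part of the OKV client.

# perm_bits PATH FROM-TO: slice of the `ls -ld` mode string, e.g. 8-10 = "other"
perm_bits() { ls -ld "$1" | cut -c"$2"; }

# OKV_HOME subdirectories must exist and be closed to "other" (drwxr-x---).
check_okv_home() {
  for d in bin conf ssl; do
    [ -d "$1/$d" ] || { echo "FAIL: missing $1/$d"; return 1; }
    [ "$(perm_bits "$1/$d" 8-10)" = "---" ] ||
      { echo "FAIL: $1/$d is accessible to other"; return 1; }
  done
}

# root.sh must have copied the PKCS library into the extapi directory.
check_pkcs_lib() {
  [ -f "$1/liborapkcs.so" ] || { echo "FAIL: no liborapkcs.so in $1"; return 1; }
}

# The per-SID okvclient.ora must be a symlink to $OKV_HOME/conf/okvclient.ora.
check_client_link() {
  [ -L "$1" ] || { echo "FAIL: $1 is not a symlink"; return 1; }
  [ "$(readlink "$1")" = "$2" ] || { echo "FAIL: $1 points elsewhere"; return 1; }
}

# Wallet files copied into <wallet_root>/tde must stay owner-only (-rw-------).
check_wallet_files() {
  for f in "$1"/cwallet.sso "$1"/ewallet.p12; do
    [ -f "$f" ] || continue
    [ "$(perm_bits "$f" 5-10)" = "------" ] ||
      { echo "FAIL: $f readable by group/other"; return 1; }
  done
}

# verify_endpoint OKV_HOME PKCS_DIR SID_LINK WALLET_TDE_DIR
verify_endpoint() {
  check_okv_home "$1" && check_pkcs_lib "$2" &&
    check_client_link "$3" "$1/conf/okvclient.ora" &&
    check_wallet_files "$4" && echo "OK: endpoint layout verified"
}

# Run against the paths used on this page when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
  verify_endpoint "${OKV_HOME:-/u01/app/oracle/okv}" \
    /opt/oracle/extapi/64/hsm/oracle/1.0.0 \
    "$ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora" \
    "/u01/app/oracle/admin/$ORACLE_SID/wallet/tde"
fi
```

Run it as the oracle user with ORACLE_BASE and ORACLE_SID set; any FAIL line names the path to fix before continuing with the migration.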
Step 9) Migrate the TDE key to oracle key vault
1. backup the candidate db impacted by the wallet file
2. complete the enrollment of the endpoint
3. Upload the local wallet file using okvutil
$OKV_HOME/bin/okvutil upload -t WALLET -l /path/to/tde-wallet -g name_of_wallet_in_Oracle_Key_Vault -v 4
$OKV_HOME/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/GGTGT04T/wallet/tde -g RDBMS_ORACLE_vcentos79-oracle-ggtgt_GGSRC04T -v 4
Actual output:
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ $OKV_HOME/bin/okvutil upload -t WALLET -l /u01/app/oracle/admin/GGTGT04T/wallet/tde -g RDBMS_ORACLE_vcentos79-oracle-ggtgt_GGSRC04T -v 4
okvutil version 21.9.0.0.0
Endpoint type: Oracle Database
Configuration file: /u01/app/oracle/okv/conf/okvclient.ora
Server: 192.168.194.123:5696 192.168.194.122:5696
Standby Servers:
Uploading from /u01/app/oracle/admin/GGTGT04T/wallet/tde
Enter source wallet password:
Auto-login wallet found, no password needed
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trying to connect to 192.168.194.123:5696 ...
Connected to 192.168.194.123:5696.
Trying to connect to 192.168.194.122:5696 ...
Connected to 192.168.194.122:5696.
ORACLE.SECURITY.DB.ENCRYPTION.ASTCdaEi4E+kv6r0hrSye14AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trying to connect to 192.168.194.123:5696 ...
Connected to 192.168.194.123:5696.
ORACLE.SECURITY.KM.ENCRYPTION.ASTCdaEi4E+kv6r0hrSye14AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KB.ENCRYPTION.
Trying to connect to 192.168.194.122:5696 ...
Connected to 192.168.194.122:5696.
ORACLE.SECURITY.ID.ENCRYPTION.
Trying to connect to 192.168.194.123:5696 ...
Connected to 192.168.194.123:5696.
Uploaded 1 TDE keys
Uploaded 0 SEPS entries
Uploaded 0 other secrets
Uploaded 3 opaque objects
Uploading private key
Trying to connect to 192.168.194.122:5696 ...
Connected to 192.168.194.122:5696.
Uploading certificate request
Trying to connect to 192.168.194.123:5696 ...
Connected to 192.168.194.123:5696.
Uploading trust points
Uploaded 1 private keys
Uploaded 1 certificate requests
Uploaded 0 user certificates
Uploaded 0 trust points
Upload succeeded
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$ $OKV_HOME/bin/okvutil list
Unique ID Type Identifier
75CFB2B7-5D71-58B8-A281-30C04E560420 Symmetric Key TDE Master Encryption Key: MKID ASTCdaEi4E+kv6r0hrSye14AAAAAAAAAAA
EFB0AC91-54D0-4580-9ED8-65A2D39BD88E Opaque Object TDE Wallet Metadata
08A477AB-00D7-48CF-900C-B901EC049CA5 Opaque Object Certificate Request
4E0BBFE1-7595-4844-ADDF-986816EDAF51 Opaque Object TDE Wallet Metadata
2B338490-6EA2-4116-85DB-F254B469CF7D Opaque Object TDE Wallet Metadata
BDF1F273-527C-4284-98C8-6F4EA49383BE Private Key -
A89071BC-DD21-483F-BB19-B89A82AF9279 Template Default template for ENDPT_VCENTOS79-ORACLE-GGTGT_GGSRC04T
[oracle@vcentos79-oracle-ggtgt OKV_Bin]$
4. 19c
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;
Actual output:
SQL> ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;
System altered.
select * from v$encryption_wallet
/
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS ,WALLET_TYPE ,WALLET_OR,KEYSTORE,FULLY_BAC, CON_ID
------------------------------,--------------------,---------,--------,---------,----------
FILE
/u01/app/oracle/admin/GGTGT04T/wallet/tde/
OPEN ,UNKNOWN ,SINGLE ,NONE ,NO , 0
OKV
CLOSED ,UNKNOWN ,SINGLE ,NONE ,UNDEFINED, 0
SQL>
6. Close and reconnect in 19c db
7. Run the query below to verify whether the method data from sqlnet.ora is reflected (wallet_type):
SELECT CON_ID, WALLET_TYPE, WALLET_ORDER, STATUS
FROM V$ENCRYPTION_WALLET
WHERE CON_ID <> 2;
disc and conn:
SQL> conn / as sysdba
Connected.
SQL> set lines 1200 pages 3000 colsep , time on timing on trim on trims on
03:13:33 SQL> col wrl_parameter for a50
03:13:42 SQL> select * from v$encryption_wallet;
WRL_TYPE ,WRL_PARAMETER ,STATUS ,WALLET_TYPE ,WALLET_OR,KEYSTORE,FULLY_BAC, CON_ID
--------------------,--------------------------------------------------,------------------------------,--------------------,---------,--------,---------,----------
FILE ,/u01/app/oracle/admin/GGTGT04T/wallet/tde/ ,OPEN ,UNKNOWN ,SINGLE ,NONE ,NO , 0
OKV , ,CLOSED ,UNKNOWN ,SINGLE ,NONE ,UNDEFINED, 0
Elapsed: 00:00:00.01
03:13:47 SQL> SELECT CON_ID, WALLET_TYPE, WALLET_ORDER, STATUS
03:14:08 2 FROM V$ENCRYPTION_WALLET
03:14:08 3 WHERE CON_ID <> 2;
CON_ID,WALLET_TYPE ,WALLET_OR,STATUS
----------,--------------------,---------,------------------------------
0,UNKNOWN ,SINGLE ,OPEN
0,UNKNOWN ,SINGLE ,CLOSED
Elapsed: 00:00:00.00
03:14:09 SQL>
8. For 12c and later, run the command below to complete the migration [NULL here, since we will prefer autologin]
wallet password: oracle
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "NULL" MIGRATE USING "oracle" WITH BACKUP;
9. For 12c and later, run the command below to open the key vault
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
IDENTIFIED BY NULL;
10. After you complete the migration, if you are using an auto-login wallet, then re-enable it by renaming the cwallet.sso.bak file to cwallet.sso.
Step 10) Delete the local key and try to access the encrypted content