Menu Close

How to create TDE wallet with auto login in RAC DB on Exadata

TDE transparently encrypts data at rest in Oracle Databases. It stops unauthorized attempts from the operating system to access database data stored in files, without impacting how applications access the data using SQL. In this blog will share the steps to create TDE wallet in RAC with auto login on Exadata systems.

  • Put this entry in $ORACLE_HOME/network/admin’s sqlnet.ora and $GRID_HOME/network/admin’s sqlnet.ora on all nodes.

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/$ORACLE_SID/wallet)))

(in most of the cases you will find the soft link created in $ORACLE_HOME/network/admin’s sqlnet.ora towards $GRID_HOME/network/admin’s sqlnet.ora which means you only need to change it in GRID HOME’s sqlnet.ora as it will be the real copy.)

  • Create two shared locations, one for wallet keys other for wallet key’s backup. By shared locations mean any ACFS location which is shared on all nodes (Eg: /nfs_backup, /nfs_exabkp etc)
mkdir -p /wallet/wallet-keys/<DB_SID>   /*SHARED LOCATION*/
mkdir -p /nfs_exabkp/WALLET_BACKUP/wallet/<DB_SID>   /*SHARED LOCATION*/

  • Create a location for wallet directory in each node which will redirect to wallet keys shared location via symbolic link (soft link).
mkdir -p /u01/app/oracle/admin/<instance_SID>
ln -s /wallet/wallet-keys/<DB_SID> /u01/app/oracle/admin/<instance_SID>/wallet

Note: this will create a symbolic link of “wallet” folder in “/u01/app/oracle/admin/<instance_SID>” which will redirect to “/wallet/wallet-keys/<DB_SID>” aka shared location for keys.

Nodes:

  • Follow the steps for wallet creation.

It’s an example for database LNT with four nodes (LNT1, LNT2, LNT3, and LNT4)

SQL> set line 300 pages 300
SQL> col WRL_PARAMETER for a50
SQL> col WRL_TYPE for a10
SQL> select * from gv$encryption_wallet;

SQL> administer key management create keystore '/u01/app/oracle/admin/lnt1/wallet/' identified by "N0T_SYSPWD";

SQL> select * from gv$encryption_wallet; 

SQL> administer key management set keystore open identified by "N0T_SYSPWD"; 

SQL> select * from gv$encryption_wallet;

SQL> administer key management create key identified by N0T_SYSPWD with backup;

SQL> select key_id from gv$encryption_keys;

SQL> administer key management use key 'AeVURxDScE/vvw6qvCoZAGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' identified by N0T_SYSPWD with backup;

SQL> select key_id,activation_time from v$encryption_keys; 
SQL> select * from gv$encryption_wallet; 

SQL> administer key management set key identified by N0T_SYSPWD with backup;

SQL> select key_id,activation_time from gv$encryption_keys;

SQL> administer key management alter keystore password identified by "N0T_SYSPWD" set "welcome1" with backup using 'change';

SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'wallet' IDENTIFIED BY "welcome1" to '/nfs_exabkp/WALLET_BACKUP/wallet/lnt';

Auto Login : for auto-login fire below command and bounce the database from SRVCTL.

SQL> administer key management create auto_login keystore from keystore '/u01/app/oracle/admin/lnt1/wallet' identified by "welcome1";

After Bounce

SQL> select * from gv$encryption_wallet;

Thanks for reading…

subscribe to get notified for latest post.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Only commands & code copying allowed.