Wednesday, August 01, 2018

Wallet Usage In PDB/CDB of Multitenant Environment


About using TDE in Multitenant environment

  • There is a single keystore (wallet) owned by the ROOT container (CDB$ROOT), with a separate master encryption key for each associated pluggable database as well as a master encryption key for the ROOT (CDB$ROOT) container itself.
  • The keystore in the CDB must be open before the keystores in the PDBs can be opened. If you close the keystore in the CDB, all PDB keystores are closed as well.
  • Each PDB must have its own master encryption key.
  • To import or export the keystore, the wallet must be opened explicitly with a password, not via the auto-login wallet.
  • Use ADMINISTER KEY MANAGEMENT commands to manage the wallet and the encryption keys.

Create Keystore on CDB

  • Create the directory /etc/oracle/wallets/TDE/TESTDB
  • Update sqlnet.ora and add:
      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/test/wallets/TDE/$ORACLE_UNQNAME/)))
  • Create the keystore:
      administer key management create keystore '/etc/test/wallets/TDE/TESTDB/' identified by "password";
  • Check the status of the keystore (status will be CLOSED):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
  • Open the keystore:
      administer key management set keystore open identified by "password";
  • Check the status of the keystore (status will be OPEN_NO_MASTER_KEY):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
  • Activate the key:
      administer key management set key identified by "password" with backup;
  • Check the status of the keystore (status will be OPEN):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
  • Copy ewallet.p12 to node 2
  • Check the status of the keystore on node 2 (status should be OPEN; if not, you may need to bounce the CDB):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;


Create Keystore on PDB (not needed if you export/import the keys from a non-CDB into the PDB)

  • Connect to the PDB:
      sqlplus sys@PDB1 as sysdba
  • Open the keystore:
      administer key management set keystore open identified by "password";
  • Check the status of the keystore (status will be OPEN_NO_MASTER_KEY):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
  • Activate the key:
      administer key management set key identified by "password" with backup;
  • Check the status of the keystore (status will be OPEN):
      select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
  • Check the keystore key status from the CDB. Connect to the CDB and run:
      select CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from v$encryption_keys;
  • Copy ewallet.p12 to node 2
  • Bounce the CDB on node 2 so the PDBs will recognize the new encryption keys
  • Connect to the CDB on node 2 and verify the keys are visible there:
      select CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from v$encryption_keys;
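A single check that ties the two procedures above together, run as SYSDBA from CDB$ROOT after the wallet has been copied to every node. It is an added example, not from the original post; it assumes a RAC multitenant CDB where GV$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS report one row per instance and per container (CON_ID), as the queries in this post rely on, and the action text in the last column is the author's own labelling.

```sql
-- Per instance and per container: wallet status and the number of master
-- keys recorded for that container. A PDB still at OPEN_NO_MASTER_KEY, or a
-- node whose wallet is CLOSED after ewallet.p12 was copied, stands out
-- immediately instead of being found when encrypted data is first touched.
SELECT w.inst_id,
       c.con_id,
       c.name                          AS container,
       w.status,
       NVL(k.key_count, 0)             AS master_keys,
       CASE
         WHEN w.status = 'OPEN' AND NVL(k.key_count, 0) > 0
           THEN 'OK'
         WHEN w.status = 'OPEN_NO_MASTER_KEY'
           THEN 'RUN: administer key management set key ... in this container'
         WHEN w.status = 'CLOSED'
           THEN 'OPEN KEYSTORE (CDB$ROOT first, then bounce node if needed)'
         ELSE 'CHECK MANUALLY'
       END                             AS action
FROM   gv$encryption_wallet w
       JOIN v$containers c
         ON c.con_id = w.con_id
       LEFT JOIN (SELECT con_id, COUNT(*) AS key_count
                  FROM   v$encryption_keys
                  GROUP  BY con_id) k
         ON k.con_id = w.con_id
WHERE  w.wrl_type = 'FILE'
ORDER  BY w.inst_id, c.con_id;
```

Run it on each node after the copy step; any row whose action is not OK is a container that is not yet usable for TDE on that instance.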
