1. Back up the current P12 to the archive
a. Oracle Wallet keys are stored in ACFS, a cluster file system on top of ASM. On Unix, access to the wallet is limited to the 'oracle:oinstall' user:group, using proper directory (700) and file (600) permissions.
b. It is backed up after each master-rekey operation or change to an encrypted network drive (KeePass).
c. The backups are stored separately from the database backups.
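The checks in step 1 can be scripted so they run the same way before every rotation. The following is an added example, not a script from the original post: it verifies the 700/600 ownership and permissions on the wallet directory and its files, then takes a timestamped, checksummed copy of ewallet.p12 into a separate archive directory. The archive path, the owner/group defaults and the file names it looks for are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-rotation checks for an
# Oracle wallet directory, then a timestamped backup of ewallet.p12 into a
# separate archive directory with a SHA-256 record.
# Usage: sh wallet_backup.sh WALLET_DIR ARCHIVE_DIR [OWNER] [GROUP]
# The archive path, the owner/group defaults and the file names are assumptions.
set -u

# file_meta PATH -> "owner group octal-mode" (GNU stat first, BSD stat fallback).
file_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null && return 0
    stat -f '%Su %Sg %OLp' "$1"
}

# check_wallet_perms DIR OWNER GROUP -> 0 when DIR is OWNER:GROUP mode 700 and
# every ewallet*.p12 / cwallet.sso inside it is OWNER:GROUP mode 600.
# Each deviation is printed, so the output doubles as an audit record.
check_wallet_perms() {
    wdir=$1; wowner=$2; wgroup=$3; rc=0
    set -- $(file_meta "$wdir")
    [ "$1" = "$wowner" ] && [ "$2" = "$wgroup" ] && [ "$3" = "700" ] \
        || { echo "BAD dir  $wdir is $1:$2 $3 (want $wowner:$wgroup 700)"; rc=1; }
    for f in "$wdir"/ewallet*.p12 "$wdir"/cwallet.sso; do
        [ -e "$f" ] || continue
        set -- $(file_meta "$f")
        [ "$1" = "$wowner" ] && [ "$2" = "$wgroup" ] && [ "$3" = "600" ] \
            || { echo "BAD file $f is $1:$2 $3 (want $wowner:$wgroup 600)"; rc=1; }
    done
    return $rc
}

# digest FILE -> SHA-256 line in "hash  name" form (sha256sum, or shasum fallback).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# backup_wallet DIR ARCHIVE -> copies DIR/ewallet.p12 to ARCHIVE/ewallet.p12.<UTC stamp>
# (copy mode 600, archive dir 700), writes <copy>.sha256 beside it, prints the copy's path.
backup_wallet() {
    src="$1/ewallet.p12"
    [ -f "$src" ] || { echo "no wallet file at $src" >&2; return 1; }
    mkdir -p "$2" && chmod 700 "$2" || return 1
    name="ewallet.p12.$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$src" "$2/$name" && chmod 600 "$2/$name" || return 1
    # Record the digest with a relative name so "sha256sum -c" works from the archive dir.
    ( cd "$2" && digest "$name" > "$name.sha256" ) || return 1
    echo "$2/$name"
}

# Run the full step only when invoked with arguments; the functions stay sourceable otherwise.
if [ $# -ge 2 ]; then
    check_wallet_perms "$1" "${3:-oracle}" "${4:-oinstall}" || exit 1
    backup_wallet "$1" "$2"
fi
```

The script refuses to take a backup while the permission check fails, so a wallet that has drifted to group- or world-readable is noticed before the rotation rather than after; the `.sha256` record lets a restore be verified against the archived copy with `sha256sum -c` from inside the archive directory.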
2. Use orapki wallet display -wallet to see the master key list and validate the password
[TEST-DB]/ora/wallets/test-db> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
3. Change the Oracle Wallet password
[test-db1]/ora/wallets/test-db> orapki wallet change_pwd -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
New password:
Enter wallet password:
[test-db1]/ora/wallets/test-db>
4. Use orapki wallet display -wallet to see that a new master key has been added
[test-db1]/ora/wallets/test-db/client> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
PKI-02002: Unable to open the wallet. Check password.
[test-db1]/ora/wallets/test-db/client> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
[test-db1]/ora/wallets/test-db/client>
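Steps 2 and 4 both read the orapki wallet display listing by eye. The script below is an added example, not part of the original post: it compares two captures of that output and reports which ORACLE.SECURITY.DB.ENCRYPTION.* entries were added or removed, and it treats a PKI-02002 capture as a failed open rather than as an empty key list. The capture file names and every key identifier in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: compare two captures of the
# output of "orapki wallet display -wallet <dir>" and report which
# ORACLE.SECURITY.DB.ENCRYPTION.* entries were added or removed.
# Usage: sh wallet_keys_diff.sh before.txt after.txt
# The capture file names and every key identifier below are constructed.

# master_keys CAPTURE -> sorted list of master-key entries from one capture.
# Returns 2 if the capture shows the wallet did not open (PKI-02002), so a
# wrong password is never reported as "no keys".
master_keys() {
    if grep -q 'PKI-02002' "$1"; then
        echo "$1: $(grep 'PKI-02002' "$1")" >&2
        return 2
    fi
    grep '^ORACLE\.SECURITY\.DB\.ENCRYPTION\.' "$1" | sort -u
}

# compare_keys BEFORE AFTER -> prints "added:" / "removed:" lines.
# Returns 0 if the lists match, 1 if they differ, 2 if a capture failed.
compare_keys() {
    tb=$(mktemp) && ta=$(mktemp) || return 2
    master_keys "$1" > "$tb" || { rm -f "$tb" "$ta"; return 2; }
    master_keys "$2" > "$ta" || { rm -f "$tb" "$ta"; return 2; }
    added=$(comm -13 "$tb" "$ta")      # entries only in AFTER
    removed=$(comm -23 "$tb" "$ta")    # entries only in BEFORE
    rm -f "$tb" "$ta"
    [ -n "$added" ] && printf 'added: %s\n' $added
    [ -n "$removed" ] && printf 'removed: %s\n' $removed
    [ -z "$added$removed" ]
}

# Constructed sample captures, shaped like the orapki output in the post.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BEFORE="$SAMPLE_DIR/before.txt"
SAMPLE_AFTER="$SAMPLE_DIR/after.txt"
SAMPLE_FAILED="$SAMPLE_DIR/failed.txt"
cat > "$SAMPLE_BEFORE" <<'EOF'
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Enter wallet password:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
ORACLE.SECURITY.DB.ENCRYPTION.KEYID_PLACEHOLDER_1
ORACLE.SECURITY.DB.ENCRYPTION.KEYID_PLACEHOLDER_2
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:
Subject: CN=Example Root CA,O=Example,C=US
EOF
# After a master rekey one more key entry appears (a password change alone adds none).
{ cat "$SAMPLE_BEFORE"; echo 'ORACLE.SECURITY.DB.ENCRYPTION.KEYID_PLACEHOLDER_3'; } > "$SAMPLE_AFTER"
printf 'Enter wallet password:\nPKI-02002: Unable to open the wallet. Check password.\n' > "$SAMPLE_FAILED"

if [ $# -ge 2 ]; then
    compare_keys "$1" "$2"
else
    compare_keys "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || echo "master key list changed (status $?)"
fi
```

Run it on captures taken before step 3 and after step 4. After change_pwd the two lists should be identical: the password change re-encrypts the P12, so the file's checksum changes, but no new ORACLE.SECURITY.DB.ENCRYPTION entry is created; an added entry shows up only after a master rekey, and a status of 2 means one of the captures came from a failed open such as the PKI-02002 attempt above.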
5. Back up the new P12 to the archive and to KeePass
6. Close the wallet and reopen it
SQL> alter system set encryption wallet open identified by "";
alter system set encryption wallet open identified by ""
*
ERROR at line 1:
ORA-28353: failed to open wallet
SQL> alter system set encryption wallet open identified by "";
System altered.
SQL> exit
7. Run a query that touches TDE-encrypted data
--When the wallet is closed
select * from encrypted_table;
ORA-28365: wallet is not open
28365. 0000 - "wallet is not open"
*Cause: The security module wallet has not been opened.
*Action: Open the wallet.
--After opening the wallet
select count(*) from encrypted_table;
17981