How to setup TDE Wallet on Oracle 11g RAC


1) Set the ORACLE_UNQNAME environment variable, and also set it via srvctl @ oracle user.

# ${ORACLE_SID%?} strips the trailing instance number (e.g. prod1 -> prod) so that
# grep -w matches the db_unique_name that "srvctl config database" lists.
export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}`

srvctl setenv database -d prod -T "ORACLE_UNQNAME=prod"

2) Create the wallet directory on both nodes @ oracle user.

mkdir -p /u01/app/oracle/WALLETS/prod

3) Configure sqlnet.ora as follows on both nodes @ oracle user.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/prod)))

If more than one database on these nodes uses a TDE wallet, use the sqlnet.ora entry below instead, so that each database resolves its own wallet directory from ORACLE_UNQNAME.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))

4) Create the wallet by logging in on node1 @ oracle user.

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";

5) Open the wallet by logging in on node1 @ oracle user.

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

6) Configure auto-login for the wallet on both nodes @ oracle user.

orapki wallet create -wallet /u01/app/oracle/WALLETS/prod -auto_login

7) Copy the wallet file below to node2 @ oracle user.

scp ewallet.p12 prod2:/u01/app/oracle/WALLETS/prod


8) Change the permissions on the directory and files on both nodes @ oracle user.

cd /u01/app/oracle/WALLETS
chmod 700 prod
cd prod
chmod 600 ewallet.p12

9) After initially creating the encryption wallet (and optionally a local auto-open wallet), navigate
to the directory that stores the Oracle Wallet and set the 'immutable' bit on both nodes @ root user:

# chattr +i ewallet.p12
# chattr +i cwallet.sso


10) Create an encrypted tablespace with the command below @ node1.

CREATE TABLESPACE RMB_TBS  DATAFILE  '+DATA'
SIZE 500m AUTOEXTEND  ON NEXT 200m EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
ENCRYPTION USING '3DES168'
DEFAULT STORAGE (ENCRYPT);

Check the tablespace encryption status:

SQL> select TABLESPACE_NAME,ENCRYPTED from dba_tablespaces;

TABLESPACE_NAME                ENC
------------------------------ ---
SYSTEM                         NO
SYSAUX                         NO
UNDOTBS1                       NO
TEMP                           NO
UNDOTBS2                       NO
USERS                          NO
RMB_TBS                        YES
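A post-setup audit of the layout these steps leave behind, as an added example that is not part of the original post: it verifies the permissions from step 8, the immutable bit from step 9, and that the sqlnet.ora entry from step 3 points at the wallet directory. It assumes GNU stat (-c) and, for the immutable check, lsattr; the script name tde_wallet_audit.sh is hypothetical.

```shell
#!/bin/sh
# Audit of the wallet layout from steps 3, 8 and 9 (modes, immutable bit, sqlnet.ora
# pointer). Added example, not from the original post; assumes GNU stat -c and,
# optionally, lsattr. Run on each node as the oracle user, for example:
#   sh tde_wallet_audit.sh /u01/app/oracle/WALLETS/prod $ORACLE_HOME/network/admin/sqlnet.ora

# check_mode PATH OCTAL: succeeds if PATH has exactly that permission mode.
check_mode() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]; }

# check_sqlnet_location FILE DIR: succeeds if FILE's ENCRYPTION_WALLET_LOCATION names
# DIR (spaces around '=' and a trailing '/' ignored; $ORACLE_UNQNAME compared literally).
check_sqlnet_location() {
  sed -n '/ENCRYPTION_WALLET_LOCATION/,/DIRECTORY/p' "$1" 2>/dev/null \
    | sed -e 's/ *= */=/g' -e 's#/)#)#g' | grep -qF "DIRECTORY=${2%/})"
}

# check_immutable FILE: 0 if lsattr shows 'i', 1 if not, 2 if it cannot be checked.
check_immutable() {
  command -v lsattr >/dev/null 2>&1 || return 2
  case "$(lsattr "$1" 2>/dev/null | cut -d' ' -f1)" in
    '') return 2 ;; *i*) return 0 ;; *) return 1 ;;
  esac
}

# audit_wallet_dir DIR: one line per finding; returns the count of permission failures.
# A missing immutable bit is only a WARN: root sets it in step 9, possibly later.
audit_wallet_dir() {
  dir=$1; fails=0
  check_mode "$dir" 700 && echo "OK   $dir is 700" \
    || { echo "FAIL $dir is not 700"; fails=$((fails + 1)); }
  for f in ewallet.p12 cwallet.sso; do
    [ -f "$dir/$f" ] || { echo "WARN $dir/$f is missing"; continue; }
    check_mode "$dir/$f" 600 && echo "OK   $f is 600" \
      || { echo "FAIL $f is not 600"; fails=$((fails + 1)); }
    check_immutable "$dir/$f" && irc=0 || irc=$?
    case $irc in
      0) echo "OK   $f is immutable" ;;
      1) echo "WARN $f is not immutable, see step 9" ;;
      *) echo "WARN immutable bit of $f not checked (lsattr unavailable)" ;;
    esac
  done
  return $fails
}

# main WALLET_DIR [SQLNET_ORA]: runs every check; the exit status is the failure count.
main() {
  audit_wallet_dir "$1" && rc=0 || rc=$?
  [ -z "$2" ] || { check_sqlnet_location "$2" "$1" && echo "OK   $2 points at $1" \
    || { echo "FAIL $2 does not point at $1"; rc=$((rc + 1)); }; }
  return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on both nodes after step 9; a non-zero exit status means at least one of the checks from steps 3 and 8 failed on that node.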
