How to setup TDE Wallet on Oracle 12c RAC - Exadata

1) Create wallet directory on both nodes @ oracle user.

mkdir -p /u01/app/oracle/WALLETS/PROD
chown -R oracle:oinstall /u01/app/oracle/WALLETS/PROD


2) Configure $ORACLE_HOME/network/admin/sqlnet.ora as follows on both nodes @ oracle user.

NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE) (METHOD_DATA =
    (DIRECTORY=/u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))


3) Create the wallet by using node1 login @ oracle user.
        
SQL> administer key management create keystore '/u01/app/oracle/WALLETS/PROD/' identified by "pass****";

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/WALLETS/PROD/
CLOSED                         UNKNOWN              SINGLE    UNDEFINED
         0


4) Set the keystore and open the wallet on node1 login @ oracle user.

SQL> administer key management set keystore open identified by pass****;

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/WALLETS/PROD/
OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED
         0

5) Create the wallet key with backup on node1 login @ oracle user.

SQL> administer key management create key identified by pass**** with backup;

keystore altered.

SQL>  select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/WALLETS/PROD/
OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED
         0

6) Find the key ID by using below query.

SQL> select key_id from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
Afcmud4kr09+vxvVLeckIRsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


7) Register the wallet by using above key ID.

SQL> administer key management use key 'Afcmud4kr09+vxvVLeckIRsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' identified by pass**** with backup;

keystore altered.

SQL> select key_id,activation_time from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
ACTIVATION_TIME
---------------------------------------------------------------------------
Afcmud4kr09+vxvVLeckIRsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
13-JUL-16 11.36.24.990806 AM +00:00


8) Check the wallet is open or not by below query.

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
------------------------------ -------------------- --------- ---------
    CON_ID
----------
FILE
/u01/app/oracle/WALLETS/PROD/
OPEN                           PASSWORD             SINGLE    NO
         0


9) Copy the below files to node2 @ oracle user.

[oracle@exaprddb01 admin]$ cd /u01/app/oracle/WALLETS/PROD/
[oracle@exaprddb01 PROD]$ ls -lrt
total 12
-rw-r--r-- 1 oracle asmadmin 2408 Jul 13 14:35 ewallet_2016071311353656.p12
-rw-r--r-- 1 oracle asmadmin 3664 Jul 13 14:36 ewallet_2016071311362496.p12
-rw-r--r-- 1 oracle asmadmin 3848 Jul 13 14:36 ewallet.p12

[oracle@exaprddb01 PROD]$ scp * dexadbadm02:/u01/app/oracle/WALLETS/PROD/
ewallet_2016071311353656.p12                                                                                               100% 2408     2.4KB/s   00:00
ewallet_2016071311362496.p12                                                                                               100% 3664     3.6KB/s   00:00
ewallet.p12                                                                                                                100% 3848     3.8KB/s   00:00
[oracle@exaprddb01 PROD]$

Comments

Post a Comment

Popular posts from this blog

Fatal agent error: Target Interaction Manager failed at Startup

Symptoms ========  $ /AGENT_INST/bin/emctl start agent Oracle Enterprise Manager Cloud Control 12c Release 3 Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved. Starting agent ......................................................................... failed. Fatal agent error: Target Interaction Manager failed at Startup Fatal agent error: Target Interaction Manager failed at Startup Fatal agent error: Target Interaction Manager failed at Startup EMAgent is Thrashing. Exiting watchdog $/AGENT_INST/sysman/log/emagent.nohup reports following error 2013-11-01 17:29:38,596 [1:main] WARN - Missing filename for log handler 'opsscfg' Agent is going down due to an OutOfMemoryError $/AGENT_INST/sysman/log/gcagent.log reports following error 2013-11-01 17:29:19,204 [1:3305B9] INFO - Invoking STARTUP_P1 (1) on Target Interaction Manager 2013-11-01 17:29:23,255 [1:main] FATAL - Fatal error: Target Interaction Manager failed at Startup java.lang.OutOfMemoryError: Java heap sp
Read more

[INS-40718] Single Client Access Name (SCAN): could not be resolved. ( LDOMS & Zones)

Cause The name you provided as the SCAN could not be resolved using TCP/IP host name lookup. Action-Provide name to use for the SCAN for which the domain can be resolved Global Zone : ============= # svccfg svc:> select name-service/switch svc:/system/name-service/switch> setprop config/host = astring: "files dns" svc:/system/name-service/switch> select system/name-service/switch:default svc:/system/name-service/switch:default> refresh svc:/system/name-service/switch:default> validate svc:/system/name-service/switch:default> exit # svcadm refresh name-service/switch # svcadm restart /system/name-service-cache; then, I can resolve host using telnet/ping.
Read more

CRS-2883: Resource 'ora.asm' failed during Clusterware stack start

Symptoms ======== root@oraprod02:~# /u01/app/12.1.0.2/grid/crs/install/rootcrs.pl -postpatch Using configuration parameter file: /u01/app/12.1.0.2/grid/crs/install/crsconfig_params 2017/11/05 15:57:38 CLSRSC-4015: Performing install or upgrade action for Oracle Trace File Analyzer (TFA) Collector. 2017/11/05 15:58:08 CLSRSC-4003: Successfully patched Oracle Trace File Analyzer (TFA) Collector. 2017/11/05 15:58:13 CLSRSC-329: Replacing Clusterware entries in file '/etc/inittab' CRS-4123: Oracle High Availability Services has been started. CRS-4133: Oracle High Availability Services has been stopped. CRS-4123: Starting Oracle High Availability Services-managed resources CRS-2672: Attempting to start 'ora.evmd' on 'oraprod02' CRS-2672: Attempting to start 'ora.mdnsd' on 'oraprod02' CRS-2676: Start of 'ora.mdnsd' on 'oraprod02' succeeded CRS-2676: Start of 'ora.evmd' on 'oraprod02' succeeded CRS-2672: Attempting to st
Read more