Upload Oracle Database TDE keys to OKV (Oracle Key Vault) using the REST API
The earlier steps for setting up TDE are documented in the blog post below; in this post we document the steps for configuring TDE with OKV.
https://abdul-hafeez-kalsekar.blogspot.com/2024/03/tde-and-tls-encryption-for-oracle.html
Steps for moving TDE to OKV
[oracle@okvcli oracle]$ mkdir -vp ${WALLET_DIR}/okv
[oracle@okvcli bin]$ export JAVA_HOME=/u01/app/oracle/product/21.0.0/dbhome_1/jdk
[oracle@okvcli bin]$ echo "export JAVA_HOME=/u01/app/oracle/product/21.0.0/dbhome_1/jdk" >> $HOME/.bashrc
[oracle@okvcli oracle]$ mkdir /u01/app/oracle/okvapi
[oracle@okvcli oracle]$ cd okvapi/
[oracle@okvcli okvapi]$ curl -O -k https://172.168.0.41:5695/okvrestclipackage.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3865k  100 3865k    0     0   107M      0 --:--:-- --:--:-- --:--:--  107M
[oracle@okvcli okvapi]$ unzip okvrestclipackage.zip
Archive: okvrestclipackage.zip
creating: lib/
creating: bin/
inflating: bin/okv
inflating: bin/okv.bat
creating: conf/
inflating: conf/okvrestcli.ini
inflating: conf/okvrestcli_logging.properties
inflating: lib/okvrestcli.jar
[oracle@okvcli okvapi]$ rm okvrestclipackage.zip
[oracle@okvcli ~]$ export OKV_HOME=/u01/app/oracle/okvapi
[oracle@okvcli ~]$ cat $OKV_HOME/conf/okvrestcli.ini
[Default]
log_property=$OKV_HOME/conf/okvrestcli_logging.properties
server=172.168.0.41
okv_client_config=$WALLET_DIR/okv/conf/okvclient.ora
user=admin
client_wallet=$OKV_HOME/wallet
Edit the $OKV_HOME/bin/okv file and uncomment the line export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini
The okvrestcli.ini file names the admin user (user=admin), so the client wallet is created for that user. The password requested is the one defined in OKV for the admin user.
[oracle@okvcli okvapi]$ mkdir $OKV_HOME/wallet
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv admin client-wallet add --client-wallet $OKV_HOME/wallet --wallet-user admin
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv server info get
First we can create a wallet in OKV for the endpoint. This step is optional. The wallet is named DBCDB01_WLT.
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv manage-access wallet create --wallet DBCDB01_WLT
Now create the endpoint in OKV:
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv admin endpoint create --endpoint okvcli_host --description "$HOSTNAME, $(hostname -i)" --type ORACLE_DB --platform LINUX64
Since we created a wallet for this endpoint, define it as the endpoint's default wallet:
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv manage-access wallet set-default --wallet DBCDB01_WLT --endpoint okvcli_host
Enroll the endpoint:
[oracle@okvcli okvapi]$ $OKV_HOME/bin/okv admin endpoint provision --endpoint okvcli_host --location /u01/app/oracle/wallet/okv --auto-login FALSE
The --location parameter must be the database's WALLET_ROOT path with okv appended. OKV downloads the endpoint software into this path, including the okvutil tool the database needs to communicate with the OKV server.
The okvclient.ora file from /u01/app/oracle/wallet/okv/conf can then be referenced in $OKV_HOME/conf/okvrestcli.ini (okv_client_config=/u01/app/oracle/wallet/okv/conf/okvclient.ora) so that the RESTful API can be used for this database:
[opc@tstokvcli ~]$ sudo su -
[root@tstokvcli ~]# /u01/app/oracle/wallet/okv/bin/root.sh
[oracle@okvcli ~]$ cd /u01/app/oracle/wallet/okv/bin
[oracle@okvcli bin]$ ./okvutil list
At this point the database is encrypted with TDE, the database server is able to communicate with the OKV server, and it is enrolled as an OKV endpoint.
Upload the TDE key to OKV.
The parameter KEYSTORE_CONFIGURATION=OKV|FILE means that the database obtains the master encryption key from OKV and the auto-login file cwallet.sso from local disk (/u01/app/oracle/wallet/tde).
The first password asked for is the database wallet password; the second is the endpoint password.
[oracle@okvcli ~]$ cd /u01/app/oracle/wallet/okv/bin
[oracle@okvcli bin]$ ./okvutil upload -t WALLET -l /u01/app/oracle/wallet/tde -g DBCDB01_WLT -v 4
SQL> alter system set tde_configuration = "KEYSTORE_CONFIGURATION=OKV|FILE" ;
SQL> administer key management set encryption key identified BY "OKV_cli_123" migrate using "Hello123" WITH BACKUP;
[oracle@okvcli tde]$ cd /u01/app/oracle/wallet/tde
[oracle@okvcli tde]$ rm cwallet.sso
SQL> administer key management add secret 'OKV_cli_123' for client 'OKV_PASSWORD' to local auto_login keystore '/u01/app/oracle/wallet/tde';
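The provisioning steps above, as an added example that is not from this post or from Oracle: a shell script that runs the OKV REST CLI commands in the order used here and derives the two paths the post explains (the --location value is WALLET_ROOT with okv appended, and okv_client_config points at the okvclient.ora provisioned into it). The server address, endpoint and wallet names are the post's values used as defaults; the okvutil list sample is constructed and its column layout is an assumption. With DRY_RUN=1 the script prints the okv commands instead of executing them.

```shell
#!/bin/bash
# Added example (not from the post or from Oracle): drives the OKV REST CLI
# provisioning steps from the post and derives the paths it explains.
# Defaults are the post's values; override them via the environment.
set -eu

OKV_HOME="${OKV_HOME:-/u01/app/oracle/okvapi}"        # REST CLI unpack directory
OKV_SERVER="${OKV_SERVER:-172.168.0.41}"              # OKV server address from the post
WALLET_ROOT="${WALLET_ROOT:-/u01/app/oracle/wallet}"  # database WALLET_ROOT parameter
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print okv commands instead of running them

# okv_cmd: run $OKV_HOME/bin/okv, or echo the command line when DRY_RUN=1.
okv_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "okv $*"
    else
        "$OKV_HOME/bin/okv" "$@"
    fi
}

# okv_location WALLET_ROOT: the --location value is WALLET_ROOT with okv appended;
# OKV downloads the endpoint software (okvutil, okvclient.ora) there.
okv_location() {
    printf '%s/okv\n' "$1"
}

# render_restcli_ini SERVER WALLET_ROOT OKV_HOME: an okvrestcli.ini whose
# okv_client_config points at the okvclient.ora provisioned for this endpoint.
render_restcli_ini() {
    local server=$1 wallet_root=$2 okv_home=$3
    cat <<EOF
[Default]
log_property=${okv_home}/conf/okvrestcli_logging.properties
server=${server}
okv_client_config=$(okv_location "$wallet_root")/conf/okvclient.ora
user=admin
client_wallet=${okv_home}/wallet
EOF
}

# provision_endpoint ENDPOINT WALLET WALLET_ROOT: the REST CLI steps in the order
# the post runs them (wallet, endpoint, default wallet, provision).
provision_endpoint() {
    local endpoint=$1 wallet=$2 wallet_root=$3
    local host ip
    host=$(hostname 2>/dev/null || echo localhost)
    ip=$(hostname -i 2>/dev/null || echo unknown)
    okv_cmd manage-access wallet create --wallet "$wallet"
    okv_cmd admin endpoint create --endpoint "$endpoint" \
        --description "$host, $ip" --type ORACLE_DB --platform LINUX64
    okv_cmd manage-access wallet set-default --wallet "$wallet" --endpoint "$endpoint"
    okv_cmd admin endpoint provision --endpoint "$endpoint" \
        --location "$(okv_location "$wallet_root")" --auto-login FALSE
}

# count_tde_master_keys: number of TDE master encryption keys in `okvutil list`
# output read from stdin (after the upload, at least one is expected).
count_tde_master_keys() {
    grep -c 'Symmetric Key .*TDE Master Encryption Key' || true
}

# Constructed sample of okvutil list output; the column layout is assumed and
# the IDs are made up.
SAMPLE_OKVUTIL_LIST='Unique ID                               Type            Identifier
11111111-2222-3333-4444-555555555555    Symmetric Key   TDE Master Encryption Key: MKID 0600000000000000
66666666-7777-8888-9999-000000000000    Opaque Object   TDE Wallet Metadata: MKID 0600000000000000'

# main ENDPOINT WALLET: write the ini, provision, and print the remaining manual steps.
main() {
    local endpoint=${1:?endpoint name} wallet=${2:?wallet name}
    local loc
    loc=$(okv_location "$WALLET_ROOT")
    if [ "$DRY_RUN" = 1 ]; then
        render_restcli_ini "$OKV_SERVER" "$WALLET_ROOT" "$OKV_HOME"
    else
        render_restcli_ini "$OKV_SERVER" "$WALLET_ROOT" "$OKV_HOME" > "$OKV_HOME/conf/okvrestcli.ini"
    fi
    provision_endpoint "$endpoint" "$wallet" "$WALLET_ROOT"
    echo "Next, as root: $loc/bin/root.sh"
    echo "Then, as oracle: $loc/bin/okvutil upload -t WALLET -l $WALLET_ROOT/tde -g $wallet -v 4"
    echo "Verify with: $loc/bin/okvutil list | count_tde_master_keys"
}

# Run only when invoked as a script with RUN=1, e.g.
#   DRY_RUN=1 RUN=1 ./okv_tde_migrate.sh okvcli_host DBCDB01_WLT
if [ "${RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 and compare the printed commands against the transcript above before letting it touch the OKV server; the SQL steps (tde_configuration, the migrate command and the auto-login secret) stay manual because they need the wallet and endpoint passwords interactively.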
Persistent Cache feature of OKV
If you are thinking about Oracle Key Vault upgrades without downtime, the persistent cache is a must-know concept in the Oracle Key Vault domain.
The in-memory cache is the cache closest to the endpoint, the TDE-enabled Oracle database. The virtual wallet resides in Oracle Key Vault and holds the master encryption key. The persistent cache is an optional component that also holds the master encryption key. You can configure its mode, which essentially sets the order in which the endpoint consults its keystores. If you want OKV upgraded without downtime, you have to make the persistent cache the endpoint's first point of contact.
But do we have additional protection if somebody takes our data together with the persistent cache? Yes, we do.
Persistent Cache – notes
1) Set the EXPIRE PKCS11 PERSISTENT CACHE ON DATABASE SHUTDOWN parameter (possible only in the OKV console) to ensure the PKCS#11 persistent cache automatically expires when the endpoint database shuts down.
2) This protects against database theft: when enabled, encrypted data is not available to the database without contacting OKV.
3) However, if the local OKV is unavailable, any database shutdown makes the encrypted data unavailable. A RAC database comes to the rescue here, since the remaining instances stay up.
4) Everything is a compromise. If you do not want key material to leave OKV, you cannot configure the persistent cache, which means downtime during an OKV upgrade.
Views:
WALLET QUERY (RAC) 19c and 18c:
set linesize 200
set pagesize 100
column wrl_parameter format a50
column wrl_type heading 'Type' format a10
column status heading 'Status' format a30
column fully_backed_up heading 'Backed Up' format a10
column pdb_name heading 'PDB Name' format a19
column wallet_order for a9
break on inst_id skip 1
select inst_id,b.name pdb_name,wrl_type,
wrl_parameter,wallet_order,
status,wallet_type,
keystore_mode,
fully_backed_up
from gv$encryption_wallet a,v$containers b
where a.con_id = b.con_id(+)
and name <>'PDB$SEED'
order by inst_id,b.name,wrl_type,wallet_order;
WALLET QUERY (RAC) 12c:
set linesize 200
set pagesize 100
column wrl_parameter format a50
column wrl_type heading 'Type' format a10
column status heading 'Status' format a30
column fully_backed_up heading 'Backed Up' format a10
column pdb_name heading 'PDB Name' format a19
column wallet_order for a9
break on inst_id skip 1
select inst_id,b.name pdb_name,wrl_type,
wrl_parameter,wallet_order,
status,wallet_type,
fully_backed_up
from gv$encryption_wallet a,v$containers b
where a.con_id = b.con_id(+)
order by inst_id,b.name,wrl_type,wallet_order;
References:
https://docs.oracle.com/en/database/oracle/key-vault/21.6/okvag/troubleshooting-okvutil.html#GUID-A7B3A39B-44D1-44E5-9466-72BC738E3175
https://docs.oracle.com/cd/E65319_01/OKVAG/managing_certificates.htm
Migration of File based TDE to OKV for Exadata Database Service on Cloud at Customer Gen2 (Doc ID 2823650.1)
Migration of File based TDE to OKV for Gen 2 ExaDB-C@C Using REST (Doc ID 2828575.1)
https://www.dbi-services.com/blog/add-tde-to-oracle-database-and-upload-keys-to-okv/
https://www.dbi-services.com/blog/rekey-operation-on-oracle-database-configured-with-oracle-key-vault/