Re: Transparent Data Encryption

From: Maxim Demenko <mdemenko_at_gmail.com>
Date: Tue, 02 May 2006 19:08:54 +0200
Message-ID: <e383n2$3t7$00$1@news.t-online.com>


EdStevens wrote:
> Oracle 10.2 on both Solaris and Win2k3
>
> Digging through the Advanced Security Administrator's Guide, trying to
> set up a simple, easy to administer Transparent Data Encryption
> environment. Also reading MetaLink bulletin 317311.1.
>
> I used ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY .... to create a
> wallet in a default location, but I also see the comment that the
> wallet has to be manually opened every time the db is restarted. The
> Guide also talks about using wallets with automatic logon enabled,
> which remain open all the time. When trying to chase that down
> earlier, I got wadded up in discussions of certificates and other
> esoterica. Now, going back thru the chapter on Using Wallet Manager,
> I'm not so sure. But trying to step thru Wallet Manager, I made some
> other discoveries.
>
> Having earlier created a wallet and encrypted a few columns from
> sqlplus, I already have, as expected, a wallet file ewallet.p12 in
> ORACLE_HOME\admin\<sid>\wallet. Pure default, nothing in sqlnet.ora to
> direct this. Now, when I open Wallet Manager on this box, it doesn't
> show the existing wallet and, further, if I start down the path of
> creating a wallet, WM tells me the default directory doesn't exist.
> There is nothing on this db that is currently encrypted, so I have
> nothing to lose by creating a new wallet if need be.
>
> So, in the end, I have two questions:
>
> 1) Why does WM not recognize that I have an existing wallet, nor does
> it recognize that I have an existing default wallet directory?
>
> 2) Is there a SIMPLE way to set up TDE so that the wallet does NOT have
> to be manually opened after db restart? Is this going to require me to
> get into certificates .... yet another (for me) unexplored area?
>
> Thanks.
>

The default location for the TDE wallet is
$ORACLE_BASE/admin/$ORACLE_SID/wallet.

Oracle Wallet Manager expects wallets to be more system-wide, and its default directory is system-dependent; it expects to manage wallets on a per-OS-user basis. On my Linux box, for example, it is /etc/ORACLE/WALLET/$id (in my particular case $id = oracle).

To ensure the wallet is open at database start, you can make an auto-login wallet by opening your TDE wallet with OWM and then choosing the auto login checkbox. This creates the file cwallet.sso in the same directory as the initial wallet. Another option is to use the orapki utility; the syntax is:

       orapki wallet create -wallet wallet_location [-auto_login]

       The -wallet parameter specifies a location for the new wallet or the location of the wallet for which you want to turn on auto login.

       The -auto_login parameter creates an auto login wallet, or it turns on automatic login for the wallet specified with the -wallet option.

One gotcha (at least for me) is to specify the password at wallet creation time in double quotes; in that case it will be case-sensitive. If you omit the double quotes and use lower or mixed case, the resulting password will be uppercase.

On opening the wallet in OWM you may see that the wallet is empty. This is correct: 'ALTER SYSTEM SET ENCRYPTION KEY' does indeed create an empty wallet; however, you can always add your certificate with either orapki or OWM.

Best regards

Maxim

Received on Tue May 02 2006 - 12:08:54 CDT
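As an added example (not part of the original post or of Oracle's tooling), the script below classifies a wallet directory by the two files the reply names, ewallet.p12 and cwallet.sso. Because an auto-login wallet opens without a password, it also flags the directory or either file when group or other hold any permission bit; the function names and status strings are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a TDE wallet
# directory holds only the password wallet or also the auto-login wallet.
#   ewallet.p12 - password-protected wallet, opened manually after restart
#   cwallet.sso - auto-login wallet, written next to ewallet.p12

# Succeeds if group or other hold any permission bit on $1.
is_exposed() {
    # Characters 5-10 of `ls -ld` are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Prints: no-directory | no-wallet | password-only | auto-login,
# followed by " exposed:<name>" for each item accessible beyond its owner.
wallet_status() {
    dir=$1
    [ -d "$dir" ] || { echo "no-directory"; return 0; }
    if [ -f "$dir/cwallet.sso" ]; then state="auto-login"
    elif [ -f "$dir/ewallet.p12" ]; then state="password-only"
    else state="no-wallet"
    fi
    if is_exposed "$dir"; then state="$state exposed:."; fi
    for f in ewallet.p12 cwallet.sso; do
        if [ -f "$dir/$f" ] && is_exposed "$dir/$f"; then
            state="$state exposed:$f"
        fi
    done
    echo "$state"
}

# Demo on a constructed directory (empty placeholder files, not real wallets).
demo=$(mktemp -d)
chmod 700 "$demo"
: > "$demo/ewallet.p12"; chmod 600 "$demo/ewallet.p12"
wallet_status "$demo"          # password wallet only
: > "$demo/cwallet.sso"; chmod 644 "$demo/cwallet.sso"
wallet_status "$demo"          # auto-login wallet left world-readable
rm -rf "$demo"
```

Run it against the real wallet directory as the Oracle software owner, for example `wallet_status "$ORACLE_BASE/admin/$ORACLE_SID/wallet"`.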
