Configure Oracle Advanced Security TDE with SafeGuard CryptoServer

This chapter demonstrates the integration of Oracle Database 11g (Release 2) TDE with the SafeGuard CryptoServer solution. It provides examples for column and tablespace encryption with an HSM. If you have already initialized the Oracle Wallet, follow the instructions in the last chapter to migrate from the Oracle Wallet to the HSM. Note that in Oracle Database 11.1.0.7 it is not possible to migrate the tablespace master key to the HSM once the Oracle Wallet has been initialized.

First initialize a PKCS#11 slot.

  1. Navigate with Windows Explorer to the installation directory of the SafeGuard SecurityServer software and open the PKCS#11 library directory (\Program Files\Utimaco\SafeGuard CryptoServer\Lib).

  2. Open the file cs2_pkcs11.ini with a double-click.

  3. Double-check that the parameter device points to your SafeGuard CryptoServer hardware, e.g. PCI:0 for a PCI card or 192.168.0.140 for a CryptoServer LAN appliance.

  4. Save your changes (see also chapter 3.1).

  5. Check that the environment variable CS2_PKCS11_INI (CS_PKCS11_R2_CFG for PKCS#11 R2) points to the edited configuration file cs2_pkcs11.ini (cs_pkcs_R2.cfg for PKCS#11 R2). If the variable does not exist, create it.

  6. Open a command line shell (Start -> Run -> cmd.exe).

  7. Check that you can connect to the SafeGuard CryptoServer using p11tool (PKCS#11) or p11tool2 (PKCS#11 R2):

PKCS#11

p11tool ListSlots

PKCS#11 R2

p11tool2 ListSlots

  8. Initialize the PKCS#11 slot 0 (you can use p11tool or the SafeGuard CryptoServer Administration Tool (CAT) for the initialization):

PKCS#11

p11tool slot=0 InitToken=<SO_pin>

p11tool slot=0 LoginSO=<SO_pin> InitPin=<HSM_passphrase>

PKCS#11 R2

p11tool2 slot=0 \
  Login=<Administrative user,AuthenticationToken> \
  InitToken=<SO_pin>

p11tool2 slot=0 LoginSO=<SO_pin> InitPin=<HSM_passphrase>


To test the Oracle Database 11g (Release 2) TDE with the SafeGuard CryptoServer:

  1. Copy the PKCS#11 library cs2_pkcs11.dll (\Program Files\Utimaco\SafeGuard CryptoServer\Lib) to %SYSTEM_DRIVE%\oracle\extapi\[32,64]\hsm\Utimaco\<version>\ (use 32 or 64 according to the architecture of your Oracle installation).

For example:

C:\oracle\extapi\32\hsm\Utimaco\1.00.00\cs2_pkcs11.dll

You will have to create the directory manually first.

  2. Add the following line to the file %TNS_ADMIN%\sqlnet.ora:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))
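As an added pre-flight check (example code written for this page, not part of the guide or of the Utimaco or Oracle software), the following Python script validates the configuration steps above before the SQL*Plus session is started: the PKCS#11 environment variable, the device parameter in the PKCS#11 configuration file, the HSM entry in sqlnet.ora, and the presence of the copied library. It assumes the PKCS#11 configuration file uses plain "key = value" lines; all sample contents are constructed.

```python
import re

# Constructed sample inputs standing in for the real files (assumption: the PKCS#11
# configuration uses plain "key = value" lines, as the 'device' parameter suggests).
SAMPLE_PKCS11_INI = "[CryptoServer]\ndevice = 192.168.0.140\n"
SAMPLE_SQLNET_ORA = "ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))\n"
SAMPLE_ENV = {"CS2_PKCS11_INI": r"C:\Program Files\Utimaco\SafeGuard CryptoServer\Lib\cs2_pkcs11.ini"}

def read_device(ini_text):
    """Return the value of the 'device' parameter, or None if it is absent."""
    m = re.search(r"^\s*device\s*=\s*(\S.*?)\s*$", ini_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def device_looks_valid(device):
    """Accept the two forms the guide names: PCI:<n> for a card, an IPv4 address for a LAN appliance."""
    if not device:
        return False
    if re.fullmatch(r"PCI:\d+", device):
        return True
    octets = device.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)

def sqlnet_uses_hsm(sqlnet_text):
    """True if sqlnet.ora selects the HSM as wallet source; whitespace and case are ignored."""
    flat = re.sub(r"\s+", "", sqlnet_text).upper()
    return "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))" in flat

def preflight(env, ini_text, sqlnet_text, library_present):
    """Return a list of problems found; an empty list means all four checks passed."""
    problems = []
    if not (env.get("CS2_PKCS11_INI") or env.get("CS_PKCS11_R2_CFG")):
        problems.append("neither CS2_PKCS11_INI nor CS_PKCS11_R2_CFG is set")
    device = read_device(ini_text)
    if not device_looks_valid(device):
        problems.append("device parameter missing or malformed: %r" % (device,))
    if not sqlnet_uses_hsm(sqlnet_text):
        problems.append("sqlnet.ora does not set ENCRYPTION_WALLET_LOCATION to (METHOD = HSM)")
    if not library_present:
        problems.append("cs2_pkcs11.dll not found in the oracle\\extapi\\...\\hsm\\Utimaco directory")
    return problems

if __name__ == "__main__":
    # For a real run pass os.environ, the two file contents and os.path.isfile(<dll path>).
    for line in preflight(SAMPLE_ENV, SAMPLE_PKCS11_INI, SAMPLE_SQLNET_ORA, True) or ["OK"]:
        print(line)
```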

  3. Open an SQL*Plus session (Start > Programs > Oracle > OraDB11g_home1 > Application Development > SQL Plus).

  4. Connect to your database as system:

SQL> connect system/password

  5. Create the master key. It is created in the HSM automatically. The double quotes are mandatory:

SQL> alter system set encryption key identified by "<HSM_passphrase>";

where <HSM_passphrase> is the passphrase of the PKCS#11 user that was set (InitPin) when the PKCS#11 slot was initialized. You can trace all operations performed by the HSM in the log file c:\tmp\cs2_pkcs11.log. For this purpose set the log level to 15 in cs2_pkcs11.ini and set the log path to c:\temp (do not keep this setting, since it degrades performance; delete the log file afterwards).

  6. Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user OE:

SQL> alter table oe.customers modify (credit_limit encrypt);

  7. The next command returns the values of the encrypted column in clear text:

SQL> select credit_limit from oe.customers where rownum < 15;

Transparent Data Encryption decrypts them automatically using table keys that are themselves encrypted with the master key stored in the HSM.

  8. This command lists the encrypted columns in your database:

SQL> select * from dba_encrypted_columns;

  9. This view contains information about the wallet:

SQL> select * from v$encryption_wallet;

  10. Now test re-keying of the master encryption key in the HSM and check column encryption once more:

SQL> alter system set encryption key identified by "<HSM_passphrase>";

Verify that a new master encryption key has been created in the HSM by watching the PKCS#11 log file.

  11. The table key of OE.CUSTOMERS is now encrypted with the new master key; the data is still readable:

SQL> select credit_limit from oe.customers where rownum < 15;

  12. Finally, create an encrypted tablespace using the HSM:

SQL> CREATE TABLESPACE securespace1
DATAFILE 'C:\app\Administrator\oradata\orcl\secure01.dbf'
SIZE 10M ENCRYPTION DEFAULT STORAGE(ENCRYPT);

  13. Check that the new tablespace is listed and marked as encrypted:

SQL> select tablespace_name, encrypted from dba_tablespaces;

  14. Remove the master key from the database memory:

SQL> alter system set encryption wallet close;

In Oracle Database 11g Release 2, the command to close the wallet has been changed to:

SQL> alter system set encryption wallet close identified by "<your wallet password>";

  15. Try to read the encrypted data again; this must fail now:

SQL> select credit_limit from oe.customers where rownum < 15;

The query fails because the master key is no longer accessible.

  16. Exit from your SQL*Plus session:

SQL> exit

For more information, see the Oracle Database 11g Release 2 TDE documentation available at http://www.oracle.com.