Configure Auto-login for Hardware Keystore

The auto-login feature for wallets removes the need for a human to supply the wallet password, and it can enable PKI-based access to services. Enabling auto-login creates an obfuscated copy of the wallet, which is then used automatically until the auto-login feature is disabled for that wallet.

By default, auto-login is disabled. You must enable auto-login if you want single sign-on access to multiple Oracle databases. When auto-login is enabled, a `.sso` file is created in the wallet directory.

1. Close the hardware keystore if it is open.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <hsm_password>;
   ```

2. Set the `WALLET_ROOT` parameter.

   ```sql
   SQL> connect / as sysdba
   SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
   ```

3. Shut down and start up the database so that the `WALLET_ROOT` setting (written to the spfile) takes effect.

   ```sql
   SQL> shutdown immediate;
   SQL> startup;
   ```

4. Set the `TDE_CONFIGURATION` parameter to use a software (file) keystore.

   ```sql
   SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;
   ```

5. Create the software keystore. Skip this step if a software keystore already exists.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY <software_keystore_password>;
   ```

6. Open the software keystore.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <software_keystore_password>;
   ```

7. Add the HSM password to the software keystore as a client secret.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT ADD SECRET '<hsm_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY <software_keystore_password> WITH BACKUP;
   ```

8. Close the software keystore.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <software_keystore_password>;
   ```

9. Create the auto-login keystore from the software keystore.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY <software_keystore_password>;
   ```

10. Set the `TDE_CONFIGURATION` parameter so that the HSM is the primary keystore and the software keystore holds its credential.

    ```sql
    SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=both;
    ```

11. Restart the database. The next time a TDE operation executes, the hardware security module auto-login keystore opens automatically.

    ```sql
    SQL> shutdown immediate;
    SQL> startup;
    ```

12. Check the status of the wallet.

    ```sql
    SQL> select * from V$ENCRYPTION_WALLET;
    ```

You now have a software wallet that contains the HSM password, and that software wallet is protected by Oracle's auto-login feature.
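The final `V$ENCRYPTION_WALLET` query is the only verification the procedure gives, and reading its output by eye is error-prone. The script below is an added example, not part of this page or of Oracle's tooling: it runs that query through `sqlplus -S` (or accepts captured output), checks that the HSM row is `OPEN` and that the FILE row is an `AUTOLOGIN` wallet (which proves the `.sso` file, not a password, is being used), and checks that the obfuscated `cwallet.sso` is not readable by other OS users. The column names are the documented `V$ENCRYPTION_WALLET` columns; the expected `STATUS`/`WALLET_ORDER` values, the sample output and the wallet path are assumptions to adjust for your environment.

```python
"""Post-configuration check for an Oracle TDE HSM|FILE auto-login keystore.

Added example (not from the original page). Assumes the documented
V$ENCRYPTION_WALLET columns; expected values are assumptions for a 19c-style
HSM|FILE configuration and may need tuning for a given release.
"""
import os
import stat
import subprocess
from typing import Dict, List

# SQL*Plus script that prints one '|'-separated line per keystore row.
STATUS_QUERY = (
    "SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 400\n"
    "SELECT wrl_type || '|' || wrl_parameter || '|' || status || '|' || "
    "wallet_type || '|' || wallet_order FROM v$encryption_wallet;\n"
    "EXIT\n"
)
COLUMNS = ("WRL_TYPE", "WRL_PARAMETER", "STATUS", "WALLET_TYPE", "WALLET_ORDER")

# Constructed sample output in the shape STATUS_QUERY produces (not real data).
SAMPLE_OUTPUT = """\
HSM||OPEN|HSM|PRIMARY
FILE|/u01/app/oracle/admin/ORCL/wallet/tde/|OPEN|AUTOLOGIN|SECONDARY
"""


def parse_rows(output: str) -> List[Dict[str, str]]:
    """Turn the '|'-separated query output into one dict per keystore row."""
    rows = []
    for line in output.splitlines():
        parts = [p.strip() for p in line.strip().split("|")]
        if len(parts) == len(COLUMNS):          # skip banners/blank lines
            rows.append(dict(zip(COLUMNS, parts)))
    return rows


def check_autologin(rows: List[Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the configuration looks healthy."""
    findings = []
    by_type = {r["WRL_TYPE"]: r for r in rows}

    hsm = by_type.get("HSM")
    if hsm is None:
        findings.append("no HSM keystore row: TDE_CONFIGURATION is not HSM|FILE")
    elif hsm["STATUS"] != "OPEN":
        findings.append(f"HSM keystore status is {hsm['STATUS']}, expected OPEN")

    fil = by_type.get("FILE")
    if fil is None:
        findings.append("no FILE keystore row: WALLET_ROOT or TDE_CONFIGURATION not set")
    else:
        if fil["WALLET_TYPE"] != "AUTOLOGIN":
            findings.append(f"FILE keystore type is {fil['WALLET_TYPE']}, expected AUTOLOGIN "
                            "(the cwallet.sso auto-login wallet is not in use)")
        if not fil["STATUS"].startswith("OPEN"):
            findings.append(f"FILE keystore status is {fil['STATUS']}, expected OPEN")
    return findings


def evaluate_sso_mode(path: str, mode: int) -> List[str]:
    """The obfuscated .sso file is not encrypted: it must be owner-only readable."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} mode {stat.S_IMODE(mode):04o} is group/world accessible; expected 0600"]
    return []


def check_sso_permissions(tde_dir: str) -> List[str]:
    """Check the auto-login wallet under <WALLET_ROOT>/tde (assumed layout)."""
    path = os.path.join(tde_dir, "cwallet.sso")
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path} not found: the auto-login keystore was not created"]
    return evaluate_sso_mode(path, mode)


def run_sqlplus_check() -> List[str]:
    """Run STATUS_QUERY as SYSDBA via SQL*Plus and evaluate the result."""
    proc = subprocess.run(["sqlplus", "-S", "/ as sysdba"], input=STATUS_QUERY,
                          capture_output=True, text=True, check=True)
    return check_autologin(parse_rows(proc.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_sqlplus_check()
    # on a database host. The wallet path is an assumed example value.
    problems = check_autologin(parse_rows(SAMPLE_OUTPUT))
    problems += check_sso_permissions("/u01/app/oracle/admin/ORCL/wallet/tde")
    for p in problems:
        print("FINDING:", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
```

Running it on a database host after step 12 gives a pass/fail answer instead of a table to interpret; a `PASSWORD` wallet type or a `CLOSED` status means one of the earlier steps (typically the `CREATE AUTO_LOGIN KEYSTORE` or the final restart) did not take effect.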