Configure TDE with Pluggable DB

There are several ways to create a PDB, but we recommend using the DBCA utility. It is assumed that you have already created PDBs.

The SQL commands in this integration use Linux paths; change the paths to suit your operating system.

For the purpose of this guide, we are using the PDB "utimacopdb".

1. Edit the tnsnames.ora file to add a new service for the PDB. By default, the tnsnames.ora file is in the $ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable. Ensure that the TNS_ADMIN environment variable points to the correct tnsnames.ora file.

   ```console
   UTIMACOPDB =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
       (CONNECT_DATA =
         (SERVER = DEDICATED)
         (SERVICE_NAME = utimacopdb.localdomain)
       )
     )
   ```

2. Restart the listener service.

   ```console
   # lsnrctl stop
   # lsnrctl start
   # lsnrctl status
   ```

3. Log in to the database instance as a user who has been granted the SYSDBA administrative privilege.

   ```sql
   SQL> connect system/<password>
   ```

4. Set the WALLET_ROOT parameter.

   ```sql
   SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
   ```

5. Shut down and start up the database so that the WALLET_ROOT setting takes effect.

   ```sql
   SQL> shutdown immediate;
   SQL> startup;
   ```

6. Set the TDE_CONFIGURATION parameter.

   ```sql
   SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;
   ```

7. Open the hardware keystore in the CDB$ROOT container.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <hsm_password>;
   ```

8. Set the master encryption key for the CDB$ROOT container on the HSM. Skip this step if a master encryption key has already been generated on the HSM.

   ```sql
   SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY <hsm_password>;
   ```

9. Connect as SYSDBA.

   ```sql
   SQL> connect / as sysdba
   ```

10. Open the PDB in read/write mode.

    ```sql
    SQL> alter pluggable database <PDB_NAME> open read write;
    ```

11. Switch the session container to the PDB.

    ```sql
    SQL> alter session set container = <pdb_name>;
    ```

12. Grant the following privileges to the PDB admin user.

    ```sql
    SQL> grant administer key management to <pdb_admin>;
    SQL> grant create session to <pdb_admin>;
    SQL> grant connect to <pdb_admin>;
    SQL> grant dba to <pdb_admin>;
    SQL> grant create any table to <pdb_admin>;
    SQL> grant unlimited tablespace to <pdb_admin>;
    SQL> alter user <pdb_admin> profile default;
    SQL> commit;
    ```

13. Connect to the PDB using the PDB admin user.

    ```sql
    SQL> connect <pdb_admin>/<system_password>@<Pluggable Database Name>
    ```

14. Run the ADMINISTER KEY MANAGEMENT statement to open the HSM keystore in the PDB.

    ```sql
    SQL> administer key management set keystore open identified by "<hsm_password>";
    ```

15. Create the PDB master encryption key on the HSM.

    ```sql
    SQL> administer key management set key identified by "<hsm_password>";
    ```
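The following SQL*Plus script is an added verification example, not part of the Utimaco guide: it checks that CDB$ROOT and the PDB both report an open HSM keystore with a master key, then proves the key is usable by creating an encrypted tablespace in the PDB. The placeholders `<pdb_name>` and the datafile path, and the object names `tde_check_ts` and `tde_check`, are assumptions.

```sql
-- Added verification script (not from the guide); run in SQL*Plus after step 15.
-- Placeholders in <angle brackets> and the tde_check* object names are assumptions.

-- 1. In CDB$ROOT: every container should report an HSM keystore that is OPEN.
CONNECT / AS SYSDBA
SET LINESIZE 200
COLUMN wrl_parameter FORMAT A40
SELECT con_id, wrl_type, wallet_type, status, wrl_parameter
  FROM v$encryption_wallet
 ORDER BY con_id;
-- Expected: WRL_TYPE = 'HSM' and STATUS = 'OPEN' for CON_ID 1 and for the PDB.
-- STATUS = 'OPEN_NO_MASTER_KEY' means the SET KEY step (8 or 15) has not run yet.

-- 2. Confirm that a master key exists for each container and is held in the HSM.
SELECT con_id, key_id, keystore_type, creation_time
  FROM v$encryption_keys
 ORDER BY con_id, creation_time;

-- 3. In the PDB: create an encrypted tablespace and write a row into it.
--    This fails with an ORA-28 error if the PDB key is not usable.
ALTER SESSION SET CONTAINER = <pdb_name>;
CREATE TABLESPACE tde_check_ts
  DATAFILE '<path to datafile directory>/tde_check_ts01.dbf' SIZE 10M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
CREATE TABLE tde_check (id NUMBER, note VARCHAR2(100)) TABLESPACE tde_check_ts;
INSERT INTO tde_check VALUES (1, 'row stored in an HSM-protected tablespace');
COMMIT;
SELECT t.name, e.encryptionalg, e.encryptedts, e.status
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'TDE_CHECK_TS';
-- Expected: ENCRYPTIONALG = 'AES256', ENCRYPTEDTS = 'YES', STATUS = 'NORMAL'.

-- 4. Remove the check objects once the result is satisfactory.
DROP TABLESPACE tde_check_ts INCLUDING CONTENTS AND DATAFILES;
```

If step 1 shows STATUS = 'CLOSED' for the PDB after a restart, the keystore must be reopened in the PDB (step 14) before encrypted tablespaces there can be accessed.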