Setting up Auto-Open for HSM Wallet | Utimaco Integration Guides

In order for the HSM Wallet to open automatically at the Oracle DB server start, an auto-open software wallet needs to be created, which has to contain the password and slot name of the HSM wallet.

This process describes the setup of auto login on the existing HSM wallet that was not upgraded by the Oracle Wallet software. For other scenarios, please see the Transparent Data Encryption Best Practices

Change the sqlnet.ora file.
Add a path to auto-login software wallet that will be created later in this process (METHOD DATA):

ENCRYPTION_WALLET_LOCATION=

(SOURCE =

(METHOD = HSM)

(METHOD_DATA =

(DIRECTORY = /u01/app/oracle/admin/orcl/hsmwallet)

)

Create a (local) auto-login wallet.

Local auto open wallets cannot be transferred to other devices.

›_ Console

# cd /u01/app/oracle/admin/orcl/ 

# mkdir hsmwallet 

# cd hsmwallet

Create the auto open option.

›_ Console

# orapki wallet create -wallet . -auto_login[_local]

Add the following entry to the empty wallets to enable an ‘auto-open’ HSM:

›_ Console

# mkstore -wrl . -createEntry ORACLE.TDE.HSM.AUTOLOGIN AnyText

Insert the HSM password and the slot name to auto open the wallet.
1. Close the connection to the HSM and open it with:

›_ Console

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "1234|LinuxOracle19c"; 

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "1234|LinuxOracle19c";

This will insert HSM_auth_string[|<slot_name>] into the auto-open wallet. From now on, no password is required to access _theencrypted data with the TDE master encryption key_, stored in _the HSM.

Restart the DB server.

›_ Console

SQL> shutdown immediate 

SQL> startup

Test if the HSM wallet is open.

›_ Console

SQL> CONNECT user2/Pwd01 

SQL> SELECT * FROM cust_payment_info

If data is returned, auto-open wallet was setup successfully.

If no data is in the table the test is not valid, since the wallet is not used!