Configuring Auto Login for the Hardware Keystore

The Auto Login feature for Oracle wallets allows password-free access to the wallet, enabling PKI-based authentication to services without human intervention. When enabled, it generates an obfuscated copy of the wallet, which is used automatically until the feature is no longer available. By default, auto login is turned off. You must manually activate auto login to enable single sign-on (SSO) access across multiple Oracle databases. Once enabled, an .sso file is created in the wallet directory to facilitate seamless access.

  1. Close the Hardware Keystore if it is open.

     SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <hsm_password>;

  2. Set the WALLET_ROOT parameter.

     SQL> connect / as sysdba
     SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;

  3. Shut down and start up the database.

     SQL> shutdown immediate;
     SQL> startup;

  4. Set the TDE_CONFIGURATION parameter to FILE.

     SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=both;

  5. Create the Software Keystore.

     SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY <software_keystore_password>;

  6. Open the Software Keystore.

     SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <software_keystore_password>;

  7. Add the HSM password to the Software Keystore as a secret for the client HSM_PASSWORD.

     SQL> ADMINISTER KEY MANAGEMENT ADD SECRET '<hsm_password>' FOR CLIENT 'HSM_PASSWORD' IDENTIFIED BY <software_keystore_password> WITH BACKUP;

  8. Close the Software Keystore.

     SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY <software_keystore_password>;

  9. Create the Auto Login keystore.

     SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE IDENTIFIED BY <software_keystore_password>;

  10. Set the TDE_CONFIGURATION parameter to HSM|FILE.

     SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=both;

  11. Shut down and start up the database once more. The next time a TDE operation executes, the hardware security module Auto Login keystore will open automatically.

     SQL> shutdown immediate;
     SQL> startup;

  12. Check the status of the wallet.

     SQL> select * from V$ENCRYPTION_WALLET;

Now, you have a software wallet that contains the HSM password, which is protected by Oracle's Auto Login feature.
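
Because the Auto Login keystore is obfuscated rather than password-protected, its file permissions are what restrict access to the stored HSM password. The following shell check is an added example, not part of the original procedure or of Oracle's tooling; it audits the keystore files after the steps above. It assumes the Oracle 18c+ layout in which the TDE keystore lives in the tde subdirectory of WALLET_ROOT as ewallet.p12 and cwallet.sso, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the TDE keystore files under WALLET_ROOT.
# Assumption: the keystore lives in <WALLET_ROOT>/tde as ewallet.p12
# (password keystore) and cwallet.sso (auto-login keystore).

# Print the group/other permission bits of a path, e.g. "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_tde_wallet <wallet_root>
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_tde_wallet() {
    dir="$1/tde"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir does not exist"
        return 1
    fi

    # Anyone who can write the directory can replace the keystore files.
    case "$(group_other_bits "$dir")" in
        ?w*|????w*)
            echo "FINDING: $dir is group/other writable"
            findings=1 ;;
    esac

    for f in ewallet.p12 cwallet.sso; do
        if [ ! -f "$dir/$f" ]; then
            echo "FINDING: $dir/$f is missing"
            findings=1
        elif [ "$(group_other_bits "$dir/$f")" != "------" ]; then
            echo "FINDING: $dir/$f is accessible beyond its owner"
            findings=1
        fi
    done
    return "$findings"
}

# Run the audit when a wallet root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_tde_wallet "$1"
fi
```

Run it as the Oracle software owner with the WALLET_ROOT path as its only argument; a non-zero exit status means at least one finding was printed.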