Configuring TDE with PDB using the HSM

While multiple methods are available to create a Pluggable Database (PDB), the recommended approach is to use the Database Configuration Assistant (DBCA) utility. This explanation assumes that the PDBs have already been created.

While performing this integration, we used Windows Server. The SQL commands use Windows-style paths; change the path according to the appropriate operating system. For the purpose of this guide, we are using the PDB "utimacopdb".

  1. Edit the tnsnames.ora file to add a new service for the PDB. By default, the tnsnames.ora file is in the location set by the TNS_ADMIN environment variable. Ensure you have set the TNS_ADMIN environment variable to point to the correct tnsnames.ora file.

UTIMACOPDB = 
(DESCRIPTION = 
 (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) 
  (CONNECT_DATA = 
   (SERVER = DEDICATED) 
   (SERVICE_NAME = utimacopdb.localdomain) 
) 
)
  2. Restart the Listener Service.

#lsnrctl stop
#lsnrctl start
#lsnrctl status
  3. Log in to the database instance as a user granted the SYSDBA administrative privilege.

SQL> connect system/<password>
  4. Set the WALLET_ROOT parameter.

SQL> alter system set wallet_root='<path to the oracle wallet directory>' scope=spfile;
  5. Shut down and start up the database.

SQL> shutdown immediate;
SQL> startup;
  6. Set the TDE_CONFIGURATION parameter.

SQL> alter system set TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" SCOPE=both;
  7. Open the hardware keystore in the CDB$ROOT container.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <hsm_password>;
  8. Set the master encryption key in the CDB$ROOT container on the HSM. If the master encryption key has already been generated on the HSM, skip this step.

SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY <hsm_password>;
  9. Connect as sysdba.

SQL> connect / as sysdba
  10. Open the PDB in read-write mode.

SQL> alter pluggable database <PDB_NAME> open read write;
  11. Set the container to the PDB.

SQL> alter session set container = <pdb_name>;
  12. Grant the following privileges to the PDB Admin.

SQL> grant administer key management to <pdb_admin>;
SQL> grant create session to <pdb_admin>;
SQL> grant connect to <pdb_admin>;
SQL> grant dba to <pdb_admin>;
SQL> grant create any table to <pdb_admin>;
SQL> grant unlimited tablespace to <pdb_admin>;
SQL> alter user <pdb_admin> profile default;
SQL> commit;
  13. Connect to the PDB using the PDB username.

SQL> connect <pdb_admin>/<system_password>@<Pluggable Database Name>
  14. Run the ADMINISTER KEY MANAGEMENT SQL statement to open the PDB keystore.

SQL> administer key management set keystore open identified by "<hsm_password>";
  15. Create the PDB Master Key on the HSM.

SQL> administer key management set key identified by "<hsm_password>";
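After the last step, the following verification script (an added example, not part of the original guide) confirms that both the CDB$ROOT and the PDB are using an open HSM keystore with a master key, and that the PDB can actually create encrypted storage with it. It assumes the PDB name utimacopdb from this guide and uses a placeholder datafile path; the tablespace and table names tde_check and tde_check_t are made up for the test.

```sql
-- Added verification script, not part of the original guide. Assumes the PDB
-- UTIMACOPDB from the steps above; the datafile path is a placeholder.
-- Run in CDB$ROOT as SYSDBA after all steps have been completed.
CONNECT / AS SYSDBA

-- Both parameters must be set before the HSM keystore can be used.
SHOW PARAMETER wallet_root
SHOW PARAMETER tde_configuration

-- Expect WRL_TYPE = HSM and STATUS = OPEN for CON_ID 1 (root) and for the PDB.
-- STATUS = CLOSED means the keystore was not opened in that container;
-- OPEN_NO_MASTER_KEY means the SET KEY step was skipped there.
SELECT con_id, wrl_type, status, wallet_type, keystore_mode
  FROM v$encryption_wallet
 ORDER BY con_id;

-- One active master key per container, all with KEYSTORE_TYPE = HSM.
SELECT con_id, key_id, keystore_type, creator, activation_time
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- Smoke test inside the PDB: an encrypted tablespace can only be created
-- when the PDB master key is reachable through the HSM.
ALTER SESSION SET CONTAINER = utimacopdb;

CREATE TABLESPACE tde_check
  DATAFILE '<path to the oracle data directory>\tde_check01.dbf' SIZE 20M
  ENCRYPTION USING 'AES256' ENCRYPT;

CREATE TABLE tde_check_t (id NUMBER, note VARCHAR2(100)) TABLESPACE tde_check;
INSERT INTO tde_check_t VALUES (1, 'constructed test row');
COMMIT;

-- ENCRYPTED = YES, and V$ENCRYPTED_TABLESPACES shows the algorithm and the
-- MASTERKEYID that ties the tablespace key to the HSM-held master key.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'TDE_CHECK';
SELECT ts#, encryptionalg, masterkeyid, status
  FROM v$encrypted_tablespaces;

-- Remove the test objects once the checks pass.
DROP TABLESPACE tde_check INCLUDING CONTENTS AND DATAFILES;
```

If the CREATE TABLESPACE fails with an ORA-28365 "wallet is not open" error, repeat the keystore open step inside the PDB before retrying.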