Tuesday, July 17, 2012

ORACLE WALLET

The Oracle Wallet is used to store the key for Transparent Data Encryption (TDE).  TDE is part of the Oracle Advanced Security Option (ASO).  TDE supports encryption of data in a column or encryption of the data in a tablespace.  TDE encryption requires an Oracle Wallet which stores the master encryption key.

Configuring Oracle Wallet 
(Environment: Oracle RDBMS 10.2,11.1,11.2 on RHEL5 and above).

SQLNET.ORA
If the default location is not used, a sqlnet.ora file should be created in the $ORACLE_HOME/network/admin directory.  The following information should be added to the sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION  =
      (SOURCE =  (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY= <location of the wallet files>)))
The preferred location is the default.  The default is:
      $ORACLE_BASE/admin/<db_unique_name>/wallet. 

DIRECTORY STRUCTURE
The location of the wallet will be $ORACLE_BASE/admin/<db_unique_name>/wallet.  For example:  /u01/app/oracle/admin/SECUREDB.  If the directory does not exist, it must be pre-created.  The ownership must be set to oracle:oinstall with permissions of 700.  Permissions of 700 allow read, write and execute by the oracle user only.  Wallets are backed up using the standard operating system backup; they are not backed up by RMAN.

CREATION OF THE WALLET (EWALLET.P12 FILE)
Login to database as sysdba and issue the following command:
      alter system set encryption key identified by "<password>";
Substitute the wallet password for <password>.  The password must be enclosed in double quotes; without them, the password is folded to all upper case.  A file named ewallet.p12 is created in the $ORACLE_BASE/admin/<db_unique_name>/wallet directory.  Permissions on the file must be set to 700.
If the wallet is not set to auto-open, the following command is required each time the database is opened:
      alter system set encryption wallet open identified by "<password>";

CREATION OF AUTO-OPEN WALLET (CWALLET.SSO FILE)
An auto-open wallet allows the wallet to open automatically after startup; the wallet opens the first time an encrypted column (or tablespace) is accessed.  After creating the wallet file, use the orapki utility to create the auto-open wallet file associated with the ewallet.p12 file.  Use the following command syntax:
orapki wallet create -wallet $ORACLE_BASE/admin/<db_unique_name>/wallet -auto_login
When prompted, provide the wallet password.  This creates a second wallet file named cwallet.sso in the $ORACLE_BASE/admin/<db_unique_name>/wallet directory.  Permissions should be set to 600, which allows read and write by the oracle user only.

WALLET FILES IN A GRID
For a Grid environment, both ewallet.p12 and cwallet.sso must be copied (use scp) to the same directory on each server in the grid.
The backup can be done on only one server, but the preference is to have a separate backup on each server.

VERIFICATION
After the wallet files are created, verify the wallet status is “OPEN”.  Use the following query:
      select * from v$encryption_wallet;
This query returns the WRL_TYPE (file), the WRL_PARAMETER (directory where the files are located) and STATUS (OPEN or CLOSED).  If no wallet is configured, the status is CLOSED.  If the wallet is configured but not available, the status is CLOSED.  If the wallet is available and ready to be used, the STATUS is OPEN.
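The ownership and permission rules given in the sections above (directory 700, ewallet.p12 700, cwallet.sso 600, owner oracle:oinstall) are easy to get wrong after a copy between grid nodes or a restore from backup. The following script is an added example, not part of the original post; it audits a wallet directory against those rules and assumes GNU stat (RHEL, as in the post) and the default $ORACLE_BASE/admin/<db_unique_name>/wallet layout.

```shell
#!/bin/sh
# Added example (not from the original post): audit a TDE wallet directory against
# the ownership and permission rules stated above. Assumes the default layout
# $ORACLE_BASE/admin/<db_unique_name>/wallet and GNU stat (RHEL, as in the post).

# mode_of PATH -> octal permission bits, e.g. 700 (GNU stat -c is an assumption)
mode_of() { stat -c '%a' "$1"; }

# owner_of PATH -> user:group
owner_of() { stat -c '%U:%G' "$1"; }

# expect_mode PATH WANT -> 0 if PATH has mode WANT, else prints a finding and returns 1
expect_mode() {
    have=$(mode_of "$1")
    [ "$have" = "$2" ] && return 0
    echo "MODE    $1 is $have, expected $2"
    return 1
}

# check_wallet_dir DIR [OWNER] -> 0 when every check passes, 1 otherwise.
# OWNER defaults to oracle:oinstall as in the post; pass user:group to override.
check_wallet_dir() {
    dir=$1
    want_owner=${2:-oracle:oinstall}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (the wallet directory must be pre-created)"
        return 1
    fi
    # Directory: 700 and owned by the database OS account
    expect_mode "$dir" 700 || rc=1
    have_owner=$(owner_of "$dir")
    [ "$have_owner" = "$want_owner" ] || { echo "OWNER   $dir is $have_owner, expected $want_owner"; rc=1; }
    # ewallet.p12 (password-protected wallet) is mandatory: 700 per the post
    if [ -f "$dir/ewallet.p12" ]; then
        expect_mode "$dir/ewallet.p12" 700 || rc=1
    else
        echo "MISSING $dir/ewallet.p12 (created by 'alter system set encryption key')"
        rc=1
    fi
    # cwallet.sso (auto-open wallet) is optional; anyone who can read it can open
    # the wallet without the password, so it must be 600 when present
    if [ -f "$dir/cwallet.sso" ]; then
        expect_mode "$dir/cwallet.sso" 600 || rc=1
    else
        echo "INFO    no cwallet.sso: the wallet must be opened manually after each startup"
    fi
    return $rc
}
```

Run it as check_wallet_dir "$ORACLE_BASE/admin/<db_unique_name>/wallet" on each grid node after copying the files; a non-zero exit means at least one finding was printed.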

1 comment:

  1. Finally a good answer on how this wallet operates. Well done, and many thanks.

    Darlio González L.
