Monday, July 25, 2016

Setting up Transparent Data Encryption 12c


TransparentDataEncryption # 

Step 1: Setup a Keystore Location:
[admind@tnc63 admin]$ cat sqlnet.ora 
# sqlnet.ora Network Configuration File: /u01/app/admind/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)  
  
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/admind/product/12.1.0/dbhome_1/owm/install)))
#/u01/app/admind/product/12.1.0/dbhome_1/owm/install

Step 2: Create a Keystore:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/admind/product/12.1.0/dbhome_1/owm/install' identified by oracle;
keystore altered.

Step 3: Open the Keystore:
We must manually open the Keystore, before any TDE Master encryption key can be created or accessed in the Keystore i.e. for the database to utilize TDE, the Keystore must be opened in the database

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE close identified by oracle;
keystore altered.

SQL> select * from V_$ENCRYPTION_WALLET;

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/admind/product/12.1.0/dbhome_1/owm/install' IDENTIFIED BY oracle;

NOTE## Once, we enable the Auto-Login for the Keystore, we can see a new file 'cwallet.sso'

STEP4: ENCRYPTION KEY
TDE Master Encryption Key is stored in the Keystore. Once the Keystore is created and opened, we can create the TDE Master Encryption Key for the database.
For a CDB, we need to create the Master Encryption Key for the ROOT container (CDB$ROOT) as well as for each of the associated pluggable databases (PDBs), where we would like to enable Transparent Data Encryption. The Master encryption Key is automatically created and maintained by Oracle database.

sql> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle with backup;
keystore altered.

sql> select CON_ID,KEY_ID,KEYSTORE_TYPE,CREATOR_DBNAME,CREATOR_PDBNAME from v$encryption_keys;

SQL> select name from v$pdbs;  
NAME
------------------------------
PDB$SEED
NSPDBA

SQL> alter session set container=nspdba;
Session altered.

SQL> show con_name;
CON_NAME
---------------------------
NSPDBA

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle with backup;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle with backup
*
ERROR at line 1:
ORA-46658: keystore not open in the container


SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;
keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle with backup;
keystore altered.

--Nikhil Tatineni--
--Oracle TDE-12c--
By -

Querys to monitor RAC

following few  Query's will help to find out culprits-  Query to check long running transaction from last 8 hours  Col Sid Fo...

  • Skip transaction GoldenGate replicat 12c
    syntax for skipping transaction # ggsci> start replicat skiptransaction  GGSCI (red.gg.ora.com) 14> info all Program     St...
  • ORA-24324, ORA-24323, ORA-01090
    scenario # trying to startup / shutdown database encountered with following error # ORA-24324: service handle not initialized ORA-243...
  • ERROR OGG-01454
    Today GoldenGate Extract abended on Servers During my initial investigation,  goldengate error report says as follows  2016-02...