Configuring the Oracle Server Database

This section explains how to configure the Oracle Server database.

Export Oracle Variables

On the Oracle Server, export the Oracle variables as follows: 

export ORACLE_SID=orcl
export ORACLE_BASE=/opt/oracle
export ORACLE_HOME=$ORACLE_BASE/product/<oracle_db_version>/dbhome_1
export PATH=$PATH:$ORACLE_HOME/bin
export TNS_ADMIN=$ORACLE_HOME/network/admin

ORACLE_BASE is the Oracle installation directory, usually /opt/oracle or /u01/app/oracle.

Link pkcs11 library

Configure the Oracle PKCS#11 library folder so that the database loads the Entrust KeyControl PKCS#11 library, as follows.

  1. On the Oracle Server, create the following directory path for the Entrust API library as the oracle user. Configure ownership and permissions on the directory as: owner=oracle; group=oinstall; permissions=775.

    sudo chown -R oracle:oinstall /opt/oracle/
    sudo chmod -R 775 /opt/oracle/
    mkdir -p /opt/oracle/extapi/64/hsm/entrust
    chown oracle:oinstall /opt/oracle/extapi/64/hsm/entrust
    chmod 775 /opt/oracle/extapi/64/hsm/entrust
  2. Link the PKCS#11 library into the directory as the oracle user.

    ln -s /opt/hcs/lib/libpkcs11.so /opt/oracle/extapi/64/hsm/entrust/libpkcs11.so

    Important: The link must be created in /opt/oracle/extapi/64/hsm/entrust/libpkcs11.so or the connection between the Oracle DB and KeyControl will not work.
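The note above says the connection fails silently if the link is anywhere other than the exact path. The following script is an added check, not part of the Entrust guide, that a practitioner can run as the oracle user before starting the database: it confirms the link exists at the required path, points at the KeyControl library, that the library is readable, and that the directory carries the 775 mode from step 1. The paths are the ones the guide prescribes; the ROOT argument is an assumption of this script so the check can also be exercised against a scratch directory tree (pass an empty string on a real server).

```shell
#!/bin/sh
# Added example (not from the Entrust guide): verify the PKCS#11 link layout
# from the "Link pkcs11 library" steps. Paths below are the guide's own.

EXPECTED_LINK="/opt/oracle/extapi/64/hsm/entrust/libpkcs11.so"
EXPECTED_TARGET="/opt/hcs/lib/libpkcs11.so"

# Print the octal permission bits of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pkcs11_link ROOT
# ROOT is prepended to every path ("" on a real server, a scratch tree for
# testing). Returns 0 only when every condition the guide relies on holds.
check_pkcs11_link() {
    root="$1"
    link="$root$EXPECTED_LINK"
    target="$root$EXPECTED_TARGET"
    dir=$(dirname "$link")

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(mode_of "$dir")" = "775" ] \
        || { echo "directory mode is $(mode_of "$dir"), expected 775"; return 1; }
    [ -L "$link" ] || { echo "not a symlink at the required path: $link"; return 1; }
    actual=$(readlink "$link")
    [ "$actual" = "$target" ] \
        || { echo "link points to $actual, expected $target"; return 1; }
    [ -r "$target" ] || { echo "KeyControl library not readable: $target"; return 1; }
    echo "ok: $link -> $target"
    return 0
}

# Usage on the Oracle Server (as the oracle user):  check_pkcs11_link ""
```

The check inspects only the entrust directory on purpose: the recursive chown/chmod in step 1 touches all of ORACLE_BASE, and a link that resolves but sits one directory too high is the failure the note warns about, so the script compares the symlink target string rather than merely testing that some libpkcs11.so is present.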

Handling Timeout issues

  1. If you expect network latency in the communication channel between Entrust KeyControl and the Oracle Server, increase the database's tolerance of heartbeat failures by running the following as SYSDBA.

    ALTER SYSTEM SET "_heartbeat_period_multiplier"=<N> SCOPE=SPFILE;
    ALTER SYSTEM SET "_heartbeat_config"=AUTOCONNECT SCOPE=SPFILE;
  2. Oracle Event 28420 determines the number of HSM heartbeats that can fail before the Oracle wallet is closed. Because the HSM heartbeat fires every 3 seconds, a very short network outage may result in wallet closure. Similarly, if a session is left idle for approximately 15 minutes, HSM heartbeats can stop and the Oracle wallet is closed. Therefore, Entrust recommends increasing the number of HSM heartbeat failures permitted before the wallet closes. To make this the default setting, execute:

    ALTER SYSTEM SET EVENT='28420 trace name context <quantity> level <timeout_count>' COMMENT='HSM heartbeat attempts' SCOPE=SPFILE;

Set WALLET ROOT

Set the Oracle wallet location. Even though the HSM Wallet does not reside on a local disk, this step is required for TDE.

startup;
ALTER SYSTEM SET WALLET_ROOT="/opt/oracle/admin/orcl/wallet" scope=spfile;
shutdown immediate;
startup;

Set Hardware Keystore Type

Set the wallet type to HSM.

startup;
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM" scope=both;
shutdown immediate;
startup;

Show wallet and keystore parameters

show parameter wallet
show parameter tde

Configure Oracle to generate the master encryption key

  1. Grant the ADMINISTER KEY MANAGEMENT privilege to SYSTEM and any additional users that require access.

    GRANT ADMINISTER KEY MANAGEMENT TO SYSTEM;
    commit;
    exit;
  2. Connect to the database as the SYSTEM user.

    $ sqlplus system/<password>

    Or, from within SQL*Plus:

    connect system/<password>
  3. Open the HSM keystore.

    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "file:/opt/oracle/entrust/orcl.conf" CONTAINER = ALL;
  4. Show keystore state.

    select CON_ID,WRL_TYPE,STATUS from V$ENCRYPTION_WALLET;

Generate the master encryption key

Create a TDE master encryption key that is stored inside the Entrust KeyControl. Oracle Database uses the TDE master encryption key to encrypt or decrypt TDE table keys and tablespace keys.

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "file:/opt/oracle/entrust/orcl.conf" CONTAINER = ALL;

This command performs two actions:

  • Creates a key in KeyControl.

  • Activates the created key in Oracle as the TDE master encryption key.

Create the master encryption key for later use

The CREATE KEY clause of the ADMINISTER KEY MANAGEMENT statement can create a TDE master encryption key which can be activated later.

ADMINISTER KEY MANAGEMENT CREATE KEY IDENTIFIED BY "file:/opt/oracle/entrust/orcl.conf" CONTAINER = ALL;

Use pre-created master encryption key

List all encryption keys.

SELECT KEY_ID,KEY_USE FROM V$ENCRYPTION_KEYS;

Activate a key from this list, substituting its KEY_ID for key_identifier.

ADMINISTER KEY MANAGEMENT USE KEY 'key_identifier' IDENTIFIED BY "file:/opt/oracle/entrust/orcl.conf" CONTAINER = ALL;

Identify the KEY_ID in use

SELECT KEY_ID FROM V$ENCRYPTION_KEYS
 WHERE ACTIVATION_TIME = (SELECT MAX(ACTIVATION_TIME) FROM V$ENCRYPTION_KEYS
                           WHERE ACTIVATING_DBID = (SELECT DBID FROM V$DATABASE));
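Once the master key has been generated or activated, the V$ENCRYPTION_WALLET query from the "Show keystore state" step is the quickest way to confirm that every container is still backed by the HSM and has an open keystore; the timeout section explains why it can silently drop to CLOSED later. The following script is an added example, not part of the Entrust guide: it runs that query through SQL*Plus and fails unless every row reports WRL_TYPE HSM and STATUS OPEN, so it can be scheduled as a health check after configuration. The connection string passed to sqlplus is an assumption (for example "/ as sysdba"); the sample rows are constructed for illustration, and the parser is separated from the sqlplus call so it can be exercised on captured output without a database.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): post-configuration health check
# that the TDE keystore is HSM-backed and OPEN in every container.

# The query exactly as the guide gives it. Single quotes keep the shell from
# expanding "$ENCRYPTION_WALLET" as a variable.
WALLET_QUERY='select CON_ID,WRL_TYPE,STATUS from V$ENCRYPTION_WALLET;'

# fetch_wallet_rows CONNECT_STRING
# Runs the query with headers and feedback suppressed so each row comes back
# as "CON_ID WRL_TYPE STATUS". Requires sqlplus on PATH (see Export Oracle
# Variables). CONNECT_STRING is assumed, e.g. "/ as sysdba".
fetch_wallet_rows() {
    sqlplus -S "$1" <<EOF
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF
$WALLET_QUERY
EOF
}

# check_wallet_rows  (reads rows on stdin)
# Returns 0 only if at least one row was seen and every row is HSM + OPEN.
# Anything else (CLOSED after heartbeat failures, OPEN_NO_MASTER_KEY before
# SET KEY has been run, a FILE keystore where HSM was expected) is reported
# per container and makes the check fail.
check_wallet_rows() {
    rows=0
    bad=0
    while read -r con_id wrl_type status; do
        [ -n "$con_id" ] || continue
        rows=$((rows + 1))
        if [ "$wrl_type" != "HSM" ] || [ "$status" != "OPEN" ]; then
            echo "CON_ID $con_id: WRL_TYPE=$wrl_type STATUS=$status"
            bad=$((bad + 1))
        fi
    done
    [ "$rows" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_hsm_keystore CONNECT_STRING -> 0 when the keystore is healthy
verify_hsm_keystore() {
    fetch_wallet_rows "$1" | check_wallet_rows
}

# Constructed sample (not real output) of a three-container database in which
# one PDB's keystore has dropped to CLOSED, e.g. after heartbeat failures.
SAMPLE_DEGRADED='1 HSM OPEN
2 HSM OPEN
3 HSM CLOSED'

# Constructed sample of the healthy state the guide's configuration should reach.
SAMPLE_HEALTHY='1 HSM OPEN
2 HSM OPEN
3 HSM OPEN'

# Usage on the Oracle Server:  verify_hsm_keystore "/ as sysdba" || echo "keystore degraded"
```

Treat a non-zero exit as an incident signal rather than something to retry blindly: a container showing CLOSED means tablespace keys can no longer be unwrapped until the keystore is reopened, and if it recurs the heartbeat parameters from the "Handling Timeout issues" section are the place to look.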