Configuring Oracle Wallet for Multiple RAC Databases sharing same Oracle Home

1) Set the ORACLE_UNQNAME environment variable, and also register it with srvctl, as the oracle user.

export ORACLE_UNQNAME=$($ORACLE_HOME/bin/srvctl config database | grep -w ${ORACLE_SID%?})

(${ORACLE_SID%?} drops the trailing instance number from the SID, so on instance secdev1 it yields secdev, which is then matched against the database unique names registered with srvctl.)

srvctl setenv database -d secdev -T "ORACLE_UNQNAME=secdev"

2) Create the wallet directory on both nodes as the oracle user.

mkdir -p /u01/app/oracle/WALLETS/secdev

3) Configure sqlnet.ora as follows on both nodes as the oracle user.

If the databases share the same ORACLE_HOME, they also share the same sqlnet.ora file in $TNS_ADMIN. So that each database can reach its own wallet, the DIRECTORY entry of ENCRYPTION_WALLET_LOCATION must point every database to its own wallet location:

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))

The names of the subdirectories under /u01/app/oracle/WALLETS/ must match the ORACLE_UNQNAME of each database; that is why step 2 created the directory 'secdev'. Create one directory per database unique name.

4) Create the wallet from a node1 login as the oracle user.

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "*******";

5) Open the wallet from a node1 login as the oracle user.

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

6) Configure auto-login for the wallet on both nodes as the oracle user. This creates cwallet.sso next to the existing ewallet.p12 (orapki prompts for the wallet password); on node2, run it only after ewallet.p12 has been copied over in step 7, otherwise orapki would create a new, empty wallet there.

orapki wallet create -wallet /u01/app/oracle/WALLETS/secdev -auto_login

7) Copy the wallet file below to node2 as the oracle user.

scp ewallet.p12 node2host:/u01/app/oracle/WALLETS/secdev

8) Change the permissions on the directory and files on both nodes as the oracle user.

cd /u01/app/oracle/WALLETS
chmod 700 secdev
cd secdev
chmod 600 ewallet.p12

9) After initially creating the encryption wallet (and optionally a local auto-open wallet), change to the directory that stores the Oracle Wallet and set the immutable bit on both nodes as the root user:

# chattr +i ewallet.p12
# chattr +i cwallet.sso
10) You can have different wallets for different databases; all that is needed is to create a directory for each database unique name and set the environment with the srvctl utility. The DIRECTORY in sqlnet.ora must be the same base path under which those directories are created:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))

srvctl setenv database -d testdb -T “ORACLE_UNQNAME=testdb”

srvctl setenv database -d ftestdb -T “ORACLE_UNQNAME=ftestdb”

mkdir -p /u01/app/oracle/WALLETS/testdb

mkdir -p /u01/app/oracle/WALLETS/ftestdb

Repeat the steps above for each further database.
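The following script is an added example, not part of the original post. It turns the per-database layout from steps 1, 2, 3, 8 and 9 into reusable POSIX shell functions: deriving ORACLE_UNQNAME from a RAC instance SID, creating one 0700 wallet directory per database unique name, printing the sqlnet.ora entry, and auditing an existing wallet directory for the permissions (and, optionally, the immutable bit) that steps 8 and 9 require. It deliberately does not call srvctl or orapki, so it runs offline; the srvctl output is passed in as a list of names, and the function and variable names (WALLET_BASE, unqname_from_sid, make_wallet_dirs, sqlnet_wallet_entry, audit_wallet) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the per-database
# Oracle Wallet layout described above. Assumed: WALLET_BASE is the base
# directory used in the post; no Oracle tools are invoked.

WALLET_BASE=${WALLET_BASE:-/u01/app/oracle/WALLETS}

# Step 1: derive ORACLE_UNQNAME from a RAC instance SID (e.g. secdev1 -> secdev).
# $2 is the list of registered databases, one per line (the post gets it from
# "srvctl config database"; here it is supplied by the caller).
unqname_from_sid() {
    stem=${1%?}                 # drop the trailing instance number
    printf '%s\n' "$2" | grep -w "$stem"
}

# Steps 2 and 10: one 0700 directory per database unique name under $1.
make_wallet_dirs() {
    base=$1; shift
    for name in "$@"; do
        mkdir -p "$base/$name" || return 1
        chmod 700 "$base/$name" || return 1
    done
}

# Step 3: print the sqlnet.ora entry. The literal $ORACLE_UNQNAME is expanded
# by each instance at runtime, not here, so it is emitted unexpanded.
sqlnet_wallet_entry() {
    printf 'ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = %s/$ORACLE_UNQNAME/)))\n' "$1"
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Steps 8 and 9 audit: audit_wallet BASE UNQNAME [yes]
# Returns 0 when the wallet directory is 0700 and every wallet file present is
# 0600; with a third argument of "yes" the files must also carry the immutable
# bit (lsattr). Findings are printed one per line for use by a monitoring check.
audit_wallet() {
    dir=$1/$2
    want_immutable=${3:-no}
    rc=0
    [ -d "$dir" ] || { echo "MISSING dir $dir"; return 1; }
    [ "$(mode_of "$dir")" = "700" ] || { echo "BAD perms on $dir"; rc=1; }
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        [ "$(mode_of "$dir/$f")" = "600" ] || { echo "BAD perms on $dir/$f"; rc=1; }
        if [ "$want_immutable" = yes ] && command -v lsattr >/dev/null 2>&1; then
            case $(lsattr "$dir/$f" 2>/dev/null | cut -d' ' -f1) in
                *i*) ;;                       # lowercase i = immutable
                *) echo "NOT immutable: $dir/$f"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Typical use on a node (commented out because it needs the real layout):
#   make_wallet_dirs "$WALLET_BASE" secdev testdb ftestdb
#   sqlnet_wallet_entry "$WALLET_BASE"        # paste into $TNS_ADMIN/sqlnet.ora
#   audit_wallet "$WALLET_BASE" secdev yes    # after steps 8 and 9 on this node
```

Run the audit on every node after each wallet change; a non-zero exit with "BAD perms" or "NOT immutable" lines means steps 8 or 9 were skipped on that node, which is exactly the drift that a shared ORACLE_HOME makes easy to miss.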

Link to the Oracle white paper on best practices for TDE:

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
