1) Set the ORACLE_UNQNAME environment variable in the shell and also via srvctl @ oracle user.
export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database | grep -w ${ORACLE_SID%?}`
srvctl setenv database -d secdev -T "ORACLE_UNQNAME=secdev"
2) Create wallet directory on both nodes @ oracle user.
mkdir -p /u01/app/oracle/WALLETS/secdev
3) Configure sqlnet.ora as follows on both nodes @ oracle user.
If the databases share the same ORACLE_HOME, they also share the same sqlnet.ora file in $TNS_ADMIN. In order to access their individual wallet, the DIRECTORY entry for the ENCRYPTION_WALLET_LOCATION needs to point each database to its own wallet location:
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))
The names of the subdirectories under /u01/app/oracle/WALLETS/ reflect the ORACLE_UNQNAME names of the individual databases. That’s why we created the directory ‘secdev’ in step 2. For each Database unique name, create one directory.
4) Create the wallet from node1 @ oracle user.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "*******";
5) Open the wallet from node1 @ oracle user, with the wallet password set in step 4.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
6) Configure auto-login for the wallet on both nodes @ oracle user.
orapki wallet create -wallet /u01/app/oracle/WALLETS/secdev -auto_login
7) Copy the files below to node2 @ oracle user.
scp ewallet.p12 node2host:/u01/app/oracle/WALLETS/secdev
8) Change permissions on directory and files in both nodes @ oracle user.
cd /u01/app/oracle/WALLETS
chmod 700 secdev
cd secdev
chmod 600 ewallet.p12
9) After initially creating the encryption wallet (and optionally a (local) auto-open wallet), navigate to the directory that stores the Oracle Wallet and set the ‘immutable’ bit on both nodes @ root user.
# chattr +i ewallet.p12
# chattr +i cwallet.sso
10) You can have different wallets for different databases. All we have to do is create the directories for the unique names of the databases and set the environment using the srvctl utility.
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))

srvctl setenv database -d testdb -T "ORACLE_UNQNAME=testdb"
srvctl setenv database -d ftestdb -T "ORACLE_UNQNAME=ftestdb"
mkdir -p /u01/app/oracle/WALLETS/testdb
mkdir -p /u01/app/oracle/WALLETS/ftestdb
For the other databases, proceed as in the steps above.
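To confirm on each node that steps 8 and 9 actually took effect for every database's wallet, the following script checks the directory and file modes and the immutable bit. It is an added example, not part of the original procedure or any Oracle tooling; the function names are hypothetical, and it assumes Linux with GNU stat and lsattr.

```shell
#!/bin/sh
# Added example: audit a TDE wallet directory against steps 8 and 9.
# Assumes Linux with GNU stat and lsattr; function names are hypothetical.

# check_modes DIR: 0 only if DIR is 700 and each wallet file present is 600.
check_modes() {
    dir=$1; m_rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || { echo "BAD-MODE $dir is $mode, expected 700"; m_rc=1; }
    # ewallet.p12 is mandatory; cwallet.sso exists only with auto-login
    [ -f "$dir/ewallet.p12" ] || { echo "MISSING $dir/ewallet.p12"; m_rc=1; }
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        mode=$(stat -c %a "$dir/$f")
        [ "$mode" = 600 ] || { echo "BAD-MODE $dir/$f is $mode, expected 600"; m_rc=1; }
    done
    return $m_rc
}

# check_immutable DIR: 0 only if each wallet file present has the 'i' attribute.
check_immutable() {
    dir=$1; i_rc=0
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        attrs=$(lsattr -d "$dir/$f" 2>/dev/null | cut -d' ' -f1)
        case $attrs in
            *i*) ;;
            '')  echo "UNKNOWN $dir/$f (lsattr failed or unsupported filesystem)"; i_rc=1 ;;
            *)   echo "NOT-IMMUTABLE $dir/$f"; i_rc=1 ;;
        esac
    done
    return $i_rc
}

# audit_wallets BASE NAME...: run both checks for each database unique name.
audit_wallets() {
    base=$1; shift; a_rc=0
    for name in "$@"; do
        check_modes "$base/$name" || a_rc=1
        check_immutable "$base/$name" || a_rc=1
    done
    return $a_rc
}

# Usage on each node: audit_wallets /u01/app/oracle/WALLETS secdev testdb ftestdb
```

A non-zero return from audit_wallets means at least one wallet directory or file deviates from the permissions or immutable setting described above; the printed lines name the path.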
Link to the Oracle whitepaper on best practices for TDE:
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf