Configuring Oracle Wallet for Multiple RAC Databases sharing same Oracle Home

1) Set the environment variable in the shell and also via srvctl @ oracle user.

# ${ORACLE_SID%?} strips the trailing instance number from the SID (secdev1 -> secdev) to look up the DB unique name
export ORACLE_UNQNAME=$($ORACLE_HOME/bin/srvctl config database | grep -w "${ORACLE_SID%?}")
srvctl setenv database -d secdev -T "ORACLE_UNQNAME=secdev"

2) Create wallet directory on both nodes @ oracle user.

mkdir -p /u01/app/oracle/WALLETS/secdev

3) Configure sqlnet.ora as follows on both nodes @ oracle user.
If the databases share the same ORACLE_HOME, they also share the same sqlnet.ora file in $TNS_ADMIN. In order to access their individual wallet, the DIRECTORY entry for the ENCRYPTION_WALLET_LOCATION needs to point each database to its own wallet location:

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/$ORACLE_UNQNAME/)))

The names of the subdirectories under /u01/app/oracle/WALLETS/  reflect the ORACLE_UNQNAME names of the individual databases. That’s why we created the directory ‘secdev’ in step 2. For each Database unique name, create one directory.

4) Create the wallet by using node1 login @ oracle user.

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "*******";

5) Open wallet by using node1 login @ oracle user.

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

6) Configure auto login for the wallet on both nodes @ oracle user.

orapki wallet create -wallet /u01/app/oracle/WALLETS/secdev -auto_login

7) Copy the wallet file below to node2 @ oracle user.

scp ewallet.p12  node2host:/u01/app/oracle/WALLETS/secdev

8) Change permissions on directory and files in both nodes @ oracle user.

cd /u01/app/oracle/WALLETS
chmod 700 secdev
cd secdev
chmod 600 ewallet.p12

9) After initially creating the encryption wallet (and optionally a local auto-login wallet), navigate to the directory that stores the Oracle Wallet and set the 'immutable' bit on both nodes @ root user:

# chattr +i ewallet.p12
# chattr +i cwallet.sso

10) You can have different wallets for different databases; all you have to do is create a directory for each database unique name and set the environment using the srvctl utility:

ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /orabin/app/oracle/WALLETS/$ORACLE_UNQNAME/)))
srvctl setenv database -d testdb -T "ORACLE_UNQNAME=testdb"
srvctl setenv database -d ftestdb -T "ORACLE_UNQNAME=ftestdb"
mkdir -p /u01/app/oracle/WALLETS/testdb
mkdir -p /u01/app/oracle/WALLETS/ftestdb

For the other databases, proceed with the same steps as above.
Link to the Oracle whitepaper on best practices for TDE:
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
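As an added example (not part of the original post), the following POSIX shell script checks the layout the steps above produce: one directory per DB unique name under the wallet root, mode 700 on the directory, mode 600 on ewallet.p12 and cwallet.sso, and an ENCRYPTION_WALLET_LOCATION in sqlnet.ora that routes through the $ORACLE_UNQNAME token rather than a hard-coded path. The wallet tree and both sqlnet.ora variants it inspects are constructed in a temp directory, so it runs without an Oracle install.

```shell
#!/bin/sh
# Verifies the per-database wallet layout for RAC databases sharing one ORACLE_HOME.

file_mode() {
    # GNU stat first, BSD stat as a fallback; prints the octal mode, e.g. 700
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_wallet_dir() {
    # $1 = wallet root, $2 = DB unique name; returns 1 on the first problem found
    dir="$1/$2"
    [ -d "$dir" ] || { echo "MISSING directory $dir"; return 1; }
    [ "$(file_mode "$dir")" = "700" ] || { echo "BAD mode on $dir (want 700)"; return 1; }
    for f in ewallet.p12 cwallet.sso; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; return 1; }
        [ "$(file_mode "$dir/$f")" = "600" ] || { echo "BAD mode on $dir/$f (want 600)"; return 1; }
    done
    echo "OK $dir"
}

check_sqlnet() {
    # The DIRECTORY value must end in the literal $ORACLE_UNQNAME token; a
    # hard-coded path would make every database on this home open the same wallet.
    grep -q 'ENCRYPTION_WALLET_LOCATION' "$1" &&
    grep -q 'DIRECTORY *= *[^ )]*/\$ORACLE_UNQNAME/' "$1"
}

make_fixture() {
    # Constructed sample tree (empty placeholder files, not real wallets): secdev is
    # laid out correctly, testdb has a world-readable ewallet.p12 and must fail.
    FIXTURE=$(mktemp -d)
    for db in secdev testdb; do
        mkdir -p "$FIXTURE/WALLETS/$db"
        : > "$FIXTURE/WALLETS/$db/ewallet.p12"
        : > "$FIXTURE/WALLETS/$db/cwallet.sso"
        chmod 700 "$FIXTURE/WALLETS/$db"
        chmod 600 "$FIXTURE/WALLETS/$db/ewallet.p12" "$FIXTURE/WALLETS/$db/cwallet.sso"
    done
    chmod 644 "$FIXTURE/WALLETS/testdb/ewallet.p12"
    printf '%s\n' 'NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)' \
      "ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $FIXTURE/WALLETS/\$ORACLE_UNQNAME/)))" \
      > "$FIXTURE/sqlnet.ora"
    printf '%s\n' 'ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/WALLETS/secdev/)))' \
      > "$FIXTURE/sqlnet_hardcoded.ora"
}

make_fixture
check_sqlnet "$FIXTURE/sqlnet.ora" && echo "OK sqlnet.ora routes through \$ORACLE_UNQNAME"
check_sqlnet "$FIXTURE/sqlnet_hardcoded.ora" || echo "BAD sqlnet_hardcoded.ora pins one wallet for all databases"
check_wallet_dir "$FIXTURE/WALLETS" secdev
check_wallet_dir "$FIXTURE/WALLETS" testdb || echo "testdb rejected as expected"
```

Point the two check functions at the real wallet root and $TNS_ADMIN/sqlnet.ora to audit a live node.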


Article by: Shadab Mohammad