Oracle TDE 11g on RAC with Auto Login for the Wallet

Oracle Transparent Data Encryption using Oracle Wallet

If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter. Oracle recommends that you use ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.

ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u02/app/oracle/admin/swxdev/wallet)
)
)

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u02/app/oracle/admin/swxdev/wallet
OPEN

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "***";

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "***";

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "****";

-- Modify Wallet for Auto-Login --

orapki wallet create -wallet /u02/app/oracle/admin/swxdev/wallet -auto_login

CREATE BIGFILE TABLESPACE SWX_ENCRYPTED DATAFILE
'+DATAC1' SIZE 25G AUTOEXTEND ON NEXT 250M MAXSIZE 33554431M
LOGGING
ONLINE
EXTENT MANAGEMENT LOCAL AUTOALLOCATE
BLOCKSIZE 8K
SEGMENT SPACE MANAGEMENT AUTO
encryption using 'AES256'
default storage (encrypt);

SELECT * FROM V$ENCRYPTED_TABLESPACES;

— Change Wallet Location to ACFS, has to be done in RAC where the Wallet files needs to be on a Shared Cluster File System —

1. Copy wallet files to new location

cp -p /u02/app/oracle/admin/swxdev/wallet/* /ACFS/wallet

2. Go to the sqlnet.ora file where ENCRYPTION_WALLET_LOCATION  location is defined. Change to new path /ACFS/wallet

ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /ACFS/wallet)
)
)


3. Run orapki utility to modify the wallet location for auto-login

orapki wallet create -wallet /ACFS/wallet -auto_login

4. Bounce the databases for which the encryption wallet has been set

— Add Wallet to RAC Database —

If you check the 2nd instance, you can see the wallet is closed on 2nd node and the location points to the default location

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u02/app/oracle/admin/swxtst/wallet
CLOSED

1. Since we have already moved the Encryption wallet to the ACFS shared file system, we have to copy the sqlnet.ora file from Node1 to

Node 2

scp -r /u02/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora

oracle@exatestdbadm02:/u02/app/oracle/product/11.2.0/dbhome_1/network/admin/

2. Now check the Instance on Node 2

SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/ACFS/wallet
OPEN

And you can now see the wallet is open.