www.thalesgroup.com/iss nCipher Modules Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption

Oracle Database 11g R2 TDE UNIX



Version: 1.2

Date: 9 August 2011

Copyright 2011 Thales e-Security Limited. All rights reserved.


Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited. CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice. Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.


Contents

Chapter 1: Introduction 4

Supported nCipher functionality 5

Requirements 5

Chapter 2: Procedures 7

Installing Oracle Database 11g Release 2 7

Installing the HSM 8

Installing the support software and configuring the HSM 8

Configuring Oracle Database 11g TDE to use the HSM 9

Chapter 3: Troubleshooting 14

Addresses 15


Chapter 1: Introduction

This guide explains how to integrate Oracle Database 11g Release 2 Transparent Data Encryption (TDE) with a Thales nCipher Hardware Security Module (HSM). The instructions in this document have been thoroughly tested and provide a straightforward integration process. There may be other untested ways to achieve interoperability.

This document may not cover every step in the process of setting up all the software. This document assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for Oracle Database 11g Release 2 TDE. For more information about using Oracle Database 11g Release 2 TDE, see: http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG600

Oracle Database 11g Release 2 TDE transparently encrypts data that is stored in the Oracle database, without requiring any changes to the application that runs on top of the database. It supports both TDE tablespace encryption and TDE column encryption. The HSM secures the unified TDE master encryption key, which is used to encrypt and decrypt the tablespace keys for encrypted tablespaces, and table keys for encrypted application table columns. The HSM is used in place of the Oracle Wallet to provide a higher level of security assurance, including:

• Centralized storage and management of the master encryption key(s).

• Full life cycle management of the master encryption key(s).

• Highest level of security assurance: the keys never leave the HSM as plain text.

• FIPS 140-2 level 3 validated hardware.

• Failover support.

Depending on your current Oracle setup, you can use this document to either:

• Create and start using a new HSM-protected wallet (if you are not using an Oracle Wallet).

• Migrate from an existing Oracle Wallet to an HSM-protected wallet.

The Oracle Wallet can be the default database wallet shared with the other components of the Oracle database or a separate wallet specifically used by TDE. When using Oracle TDE, Oracle recommends that you use a separate wallet to store the master encryption key. See the Oracle documentation for more information.


Supported nCipher functionality

The integration between the HSM and TDE uses the PKCS #11 cryptographic API. The integration has been successfully tested in the configurations listed in the tables at the end of this section (tested configurations and supported functionality).

Additional documentation produced to support your Thales nCipher product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note: Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield.)

Requirements

Before you begin the integration process:

• Read the Quick Start Guide or User Guide for your HSM.

• Familiarize yourself with the setup procedures for Oracle Database 11g Release 2 TDE.

Before running the setup program, you need to know:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

• Whether the application keys are to be protected by the module, softcard or Operator Card Set (OCS).

• The number and quorum of Operator Cards in the OCS (only 1 of N is supported), and the policy for managing these cards.

Tested configurations:

Operating system               Thales nCipher     Oracle Database   nShield Solo   netHSM    nShield Connect
                               software version   version           support        support   support
Red Hat Enterprise Linux 5     11.50              11.2.0.2.0        Yes            -         Yes
Red Hat Enterprise Linux 5     11.40              11.2.0.1.0        Yes            Yes       Yes
Solaris 10 for SPARC systems   11.40              11.2.0.1.0        Yes            Yes       Yes
IBM AIX 5.3                    11.40              11.2.0.1.0        Yes            Yes       Yes
IBM AIX 6.1                    11.40              11.2.0.1.0        Yes            Yes       Yes

Supported functionality:

Key Generation   Yes   1-of-N Operator Card Set   Yes   Strict FIPS Support   Yes
Key Management   Yes   K-of-N Operator Card Set   —     Load Sharing          Yes
Key Import       —     Softcards                  Yes   Fail Over             Yes
Key Recovery     Yes   Module-only Key            Yes


• Whether the security world needs to be compliant with FIPS 140-2 level 3.

This integration requires Oracle Database 11g Release 2 (11.2.0.1.0 or 11.2.0.2.0) to be installed with the following Oracle patches applied:

Patch: 9229896 for 11.2.0.1.0; 10098816 for 11.2.0.2.0.

Unique patch ID: 12118360 for 11.2.0.1.0; 1123404322 for 11.2.0.2.0.

Bugs fixed: 8909973 (TDE cannot support multi-token HSMs); 9034189 (TDE with HSM race condition).


Chapter 2: Procedures

To integrate Oracle Database 11g Release 2 TDE with an HSM:

1 Install Oracle Database 11g Release 2 and apply patch.

2 Install the HSM.

3 Install the nCipher software and configure the HSM.

4 Configure Oracle Database 11g Release 2 TDE to use the HSM.

All these procedures are described in the following sections.

Installing Oracle Database 11g Release 2

To install Oracle Database 11g Release 2:

1 Download and unzip the appropriate Oracle distribution for your operating system.

2 Set environment variables ORACLE_BASE, ORACLE_HOME, PATH, TNS_ADMIN and ORACLE_SID according to your environment, for example:

ORACLE_SID=<database_name>; export ORACLE_SID
ORACLE_BASE=/home/oracle/app; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME
PATH=$PATH:$ORACLE_HOME/bin; export PATH
TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN

Note: Ensure that ORACLE_SID is at least eight alphanumeric characters long.

3 Ensure that the prerequisite configuration is complete according to Oracle documentation at: http://www.oracle.com/pls/db112/portal.portal_db?selected=11&frame=

4 Navigate to the installation folder and execute ./runInstaller to start the installation process and install the database software only.


5 Download and unzip patch 9229896 or 10098816 for the appropriate distribution and refer to the readme.txt file to use OPatch to install the patch. Run opatch lsinventory to verify the patch afterwards.

6 Run dbca to create a database and select the option to add the sample schemas on step 8 of the dbca wizard. When asked for the ORACLE_SID, use the one you specified in step 2.

The sample schemas and user accounts are used to test TDE with an HSM.

Installing the HSM

Install the HSM using the instructions in the documentation for the HSM. We recommend that you install the HSM before configuring the nCipher software.

Installing the support software and configuring the HSM

To install the Thales nCipher support software and configure the HSM:

1 Install the latest version of the support software and create a security world as described in the User Guide for the HSM.

Note: We recommend that you uninstall any existing Thales nCipher software before installing the new software.

2 Create or edit the cknfastrc file located in the /opt/nfast directory, and depending on how you want to protect the master encryption key, set one of the following environment variables:

- OCS or softcard key protection:

CKNFAST_LOADSHARING=1

- Module-only key protection:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

For more information, see the PKCS #11 library environment variables in the User Guide for the HSM.

3 Initialize a security world.


4 For OCS protection, create a 1 of N card set, following the instructions in the User Guide for the HSM.

Ensure that your Operator Card or softcard pass phrase has a minimum of eight alphanumeric characters. You must create a softcard for softcard protection; see the User Guide for the HSM for more information.

Configuring Oracle Database 11g TDE to use the HSM

To configure Oracle Database 11g Release 2 TDE to use the HSM:

1 Copy the PKCS #11 library located at /opt/nfast/toolkits/pkcs11/libcknfast-64.so (or libcknfast.so, depending on your OS architecture) to the location for your platform:

Red Hat Enterprise Linux 5 (x86)   /opt/oracle/extapi/32/hsm/libcknfast.so
Solaris 10 SPARC (64-bit)          /opt/oracle/extapi/64/hsm/libcknfast-64.so
IBM AIX (PPC64)                    /opt/oracle/extapi/64/hsm/libcknfast-64.so

Ensure that the directory exists and that oracle:oinstall is the owner:group of the directory with read and write access.

2 Add the oracle user to group nfast. You can verify this addition by looking at the entry for the nfast group in /etc/group.

3 In the $TNS_ADMIN/sqlnet.ora file add or edit the following lines, depending on whether you are migrating from an Oracle Wallet:

Migrating from an Oracle Wallet:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/$ORACLE_SID/wallet/)))

Not migrating:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))

4 Log into the database using the following commands:

- In the UNIX command shell:

sqlplus / as sysdba

- In sqlplus (at the SQL> prompt):

connect / as sysdba
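The checks behind steps 1 to 3 above, together with the cknfastrc setting from the support-software procedure, can be scripted before the first alter system set encryption key is attempted. The following POSIX shell function is an added example, not Thales or Oracle tooling. It assumes the guide's default paths, the oracle user and the oracle:oinstall owner, all of which are passed in as arguments, and it should be run as the oracle user so that the read/write tests reflect that account.

```shell
#!/bin/sh
# Pre-flight check for the TDE-to-HSM configuration: PKCS #11 library
# location and ownership, oracle's membership of group nfast, the cknfastrc
# protection setting and the sqlnet.ora wallet method. Added example, not
# Thales or Oracle tooling; paths and user names are the guide's defaults
# and are passed in so the function can run against any layout.
#
# Usage: tde_hsm_preflight MODE LIB CKNFASTRC SQLNET GROUPFILE USER OWNER
#   MODE      ocs | softcard | module (how the master key is protected)
#   LIB       full path of the copied PKCS #11 library
#   GROUPFILE normally /etc/group; USER normally oracle; OWNER the expected
#             owner:group of the library directory, normally oracle:oinstall
# Prints one line per check and returns non-zero if any check failed.
tde_hsm_preflight() {
    mode=$1 lib=$2 rc=$3 sqlnet=$4 groupfile=$5 user=$6 want_owner=$7
    fail=0
    libdir=$(dirname "$lib")

    # ORA-28376 "cannot find PKCS11 library": the file must be at the path
    # Oracle searches (extapi/32/hsm or extapi/64/hsm) and the directory must
    # be owned by oracle:oinstall with read and write access.
    if [ -f "$lib" ]; then
        echo "ok   library present: $lib"
    else
        echo "FAIL library missing: $lib"; fail=1
    fi
    case "$lib" in
        */extapi/64/hsm/libcknfast-64.so|*/extapi/32/hsm/libcknfast.so)
            echo "ok   library path matches the 32/64-bit naming" ;;
        *)  echo "WARN unexpected library path: $lib" ;;
    esac
    if [ -d "$libdir" ]; then
        owner=$(ls -ld "$libdir" | awk '{print $3 ":" $4}')
        if [ "$owner" = "$want_owner" ] && [ -r "$libdir" ] && [ -w "$libdir" ]; then
            echo "ok   $libdir owned by $owner with read/write access"
        else
            echo "FAIL $libdir owner is '$owner', expected $want_owner with read/write"; fail=1
        fi
    fi

    # ORA-00600 [kzthsmgmk: C_GenerateKey], [6]: oracle must be a member of
    # group nfast (field 4 of the group entry is a comma-separated list).
    if awk -F: -v u="$user" '$1=="nfast"{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) f=1} END{exit !f}' "$groupfile"; then
        echo "ok   $user is a member of group nfast"
    else
        echo "FAIL $user is not listed in group nfast in $groupfile (re-login after adding)"; fail=1
    fi

    # cknfastrc must match the protection method: OCS and softcard need
    # CKNFAST_LOADSHARING=1, module-only needs CKNFAST_FAKE_ACCELERATOR_LOGIN=1.
    case "$mode" in
        ocs|softcard) want=CKNFAST_LOADSHARING=1 ;;
        module)       want=CKNFAST_FAKE_ACCELERATOR_LOGIN=1 ;;
        *) echo "FAIL unknown protection mode '$mode'"; return 1 ;;
    esac
    if grep -q "^$want[[:space:]]*\$" "$rc" 2>/dev/null; then
        echo "ok   $rc sets $want"
    else
        echo "FAIL $rc does not set $want (needed for $mode protection)"; fail=1
    fi

    # sqlnet.ora must route TDE to the HSM: ENCRYPTION_WALLET_LOCATION with
    # METHOD = HSM (the DIRECTORY clause is only present when migrating).
    if grep -q ENCRYPTION_WALLET_LOCATION "$sqlnet" 2>/dev/null &&
       grep -Eq 'METHOD[[:space:]]*=[[:space:]]*HSM' "$sqlnet"; then
        echo "ok   $sqlnet routes the encryption wallet to the HSM"
    else
        echo "FAIL $sqlnet lacks ENCRYPTION_WALLET_LOCATION with METHOD = HSM"; fail=1
    fi
    return $fail
}

# Run directly with all seven arguments, e.g. (as the oracle user):
# tde_hsm_preflight ocs /opt/oracle/extapi/64/hsm/libcknfast-64.so \
#     /opt/nfast/cknfastrc $TNS_ADMIN/sqlnet.ora /etc/group oracle oracle:oinstall
if [ $# -eq 7 ]; then tde_hsm_preflight "$@"; fi
```

Each FAIL line corresponds to one of the error messages in the Troubleshooting chapter, so a clean run removes the usual causes of ORA-28376 and the C_GenerateKey ORA-00600 before the master key is created.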


5 Create the master encryption key inside the HSM using one of the following commands, depending on how you want to protect the key and whether you are migrating from an Oracle Wallet:

- OCS key protection:

Migrating from an Oracle Wallet:
alter system set encryption key identified by "OCS_pass_phrase|OCS_name" migrate using "wallet_password";

Not migrating:
alter system set encryption key identified by "OCS_pass_phrase|OCS_name";

OCS key protection requires an OCS to be inserted into the module slot. You must specify |OCS_name after the pass phrase to identify a particular OCS in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1.

- Softcard key protection:

Migrating from an Oracle Wallet:
alter system set encryption key identified by "softcard_pass_phrase|softcard_name" migrate using "wallet_password";

Not migrating:
alter system set encryption key identified by "softcard_pass_phrase|softcard_name";

For softcard key protection, you must specify |softcard_name after the pass phrase to identify a particular softcard in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1.

- Module-only key protection:

Migrating from an Oracle Wallet:
alter system set encryption key identified by "module_pass_phrase" migrate using "wallet_password";

Not migrating:
alter system set encryption key identified by "module_pass_phrase";

Module-only key protection accepts any given pass phrase. In the cknfastrc file, you must set CKNFAST_FAKE_ACCELERATOR_LOGIN=1.

The pass phrase must be at least eight alphanumeric characters long. The wallet_password is the password for the Oracle Wallet.

6 To verify that the master encryption key has been created, run /opt/nfast/bin/cklist. You should see the following PKCS #11 keys:

Migrating from an Oracle Software Wallet:
ORACLE.TDE.HSM.MK.key_hash

Not migrating:
ORACLE.TDE.HSM.MK.key_hash
ORACLE.TSE.HSM.MK.key_hash
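Step 6 names the labels to expect in the cklist listing, and the key rotation in step 17 adds one more ORACLE.TDE.HSM.MK key. The functions below, an added example rather than Thales tooling, turn those expectations into a check that can be run after key creation and again after a rotation. They assume only that cklist prints each key label as plain text somewhere on a line of its output; the listing shown in the comments is constructed, not real cklist output.

```shell
#!/bin/sh
# Verify the TDE master keys listed by cklist. Added example, not Thales
# tooling; it assumes only that each key label appears as plain text on a
# line of the listing (any surrounding attribute names or quotes are ignored).
#
# Usage: cklist | tde_hsm_key_counts        -> prints "tde=N tse=M"
#        cklist | tde_hsm_keys_ok migrate   -> 0 if at least one TDE key
#        cklist | tde_hsm_keys_ok new       -> 0 if TDE and TSE keys present
#        tde_hsm_rotation_added_one BEFORE AFTER
#                                          -> 0 if AFTER has exactly one more
#                                             TDE master key than BEFORE
tde_hsm_key_counts() {
    awk '
        /ORACLE\.TDE\.HSM\.MK\./ { tde++ }
        /ORACLE\.TSE\.HSM\.MK\./ { tse++ }
        END { printf "tde=%d tse=%d\n", tde, tse }'
}

tde_hsm_keys_ok() {
    counts=$(tde_hsm_key_counts)
    tde=${counts#tde=}; tde=${tde%% *}
    tse=${counts##*tse=}
    case "$1" in
        # After migrating from a software wallet only the TDE key is created.
        migrate) [ "$tde" -ge 1 ] ;;
        # A fresh HSM wallet carries both a TDE and a TSE master key.
        new)     [ "$tde" -ge 1 ] && [ "$tse" -ge 1 ] ;;
        *) echo "usage: tde_hsm_keys_ok migrate|new" >&2; return 2 ;;
    esac
}

# Compare two saved listings (cklist > before; rotate; cklist > after):
# a rotation must add exactly one ORACLE.TDE.HSM.MK key.
tde_hsm_rotation_added_one() {
    b=$(tde_hsm_key_counts < "$1"); b=${b#tde=}; b=${b%% *}
    a=$(tde_hsm_key_counts < "$2"); a=${a#tde=}; a=${a%% *}
    [ "$a" -eq $((b + 1)) ]
}

# Constructed listing for a non-migrated wallet, for illustration only:
#   CKA_LABEL "ORACLE.TDE.HSM.MK.0123abcd"
#   CKA_LABEL "ORACLE.TSE.HSM.MK.0123abcd"
# piped through tde_hsm_key_counts gives: tde=1 tse=1
```

Keeping the before and after listings is also a cheap audit trail: a rotation that adds more than one key, or none, points at a repeated or failed alter system set encryption key rather than at the HSM.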


7 If you migrated from an Oracle Software Wallet:

- In the UNIX command shell, use an orapki command similar to the following command to alter the Oracle Wallet pass phrase to match the new pass phrase:

orapki wallet change_pwd -wallet "/home/oracle/app/admin/your_test_database_name/wallet/ewallet.p12" -oldpwd "wallet_password" -newpwd "OCS_pass_phrase|OCS_name"

This example is for OCS key protection. For softcard key protection, use softcard_pass_phrase|softcard_name. For module-only key protection, use module_pass_phrase.

- Navigate to the Oracle Wallet ewallet.p12 and rename it to ewallet.p12.old. This stops Transparent Data Encryption opening the software wallet.

It is important that you keep this Oracle Wallet.

8 To use tablespace encryption and column encryption using the HSM, we recommend that you first create an encrypted tablespace using the following command and then proceed with column-level encryption:

CREATE TABLESPACE securespace1
DATAFILE '$ORACLE_BASE/oradata/$ORACLE_SID/secure01.dbf' SIZE 10M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE (ENCRYPT);

9 Create a table inside the tablespace by using the command:

CREATE TABLE customer_payment_info (
    first_name VARCHAR2(11),
    last_name VARCHAR2(10),
    order_number NUMBER(5),
    credit_card_number VARCHAR2(16),
    active_card VARCHAR2(3))
TABLESPACE securespace1;

10 Insert values into the table by using commands similar to the following example commands:

INSERT INTO customer_payment_info VALUES ('Mike', 'Hellas', 10001, '5446959708812985', 'YES');
INSERT INTO customer_payment_info VALUES ('Peter', 'Burton', 10002, '5122358046082560', 'YES');
INSERT INTO customer_payment_info VALUES ('Mary', 'Banker', 10003, '5595968943757920', 'YES');
INSERT INTO customer_payment_info VALUES ('Holly', 'Mayers', 10004, '4929889576357400', 'YES');
commit;


11 Check the encrypted tablespace by using the command:

select tablespace_name, encrypted from dba_tablespaces;

12 To list the values in the encrypted tablespace in plain text, use the command:

select * from customer_payment_info;

13 Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user OE, using the command:

alter table oe.customers modify (credit_limit encrypt);

14 To list the values in the encrypted column in plain text, use the command:

select credit_limit from oe.customers where rownum <15;

15 To list the encrypted columns in your database, use the command:

select * from dba_encrypted_columns;

16 To list information about the wallet, use the command:

select * from v$encryption_wallet;

17 To rotate the TDE master encryption key, use the command:

alter system set encryption key identified by "pass_phrase";

This creates another ORACLE.TDE.HSM.MK.key_hash master encryption key in the /opt/nfast/kmdata/local directory, which you can see by running /opt/nfast/bin/cklist.

Note: The pass_phrase is the pass phrase that you used when creating the master encryption key in step 5. The tablespace encryption key cannot be rotated; a workaround is to move the data into a new encrypted tablespace.


18 Close the wallet and exit sqlplus, by using the commands:

alter system set encryption wallet close identified by "pass_phrase";
exit

You do not need to specify the OCS or softcard name when closing the wallet.

19 Open the wallet by logging into the database and using the following command:

- OCS key protection:

alter system set encryption wallet open identified by "OCS_pass_phrase|OCS_name";

- Softcard key protection:

alter system set encryption wallet open identified by "softcard_pass_phrase|softcard_name";

- Module-only key protection:

alter system set encryption wallet open identified by "module_pass_phrase";


Chapter 3: Troubleshooting

The following table provides troubleshooting guidelines.

Error message: ORA-28376: cannot find PKCS11 library
Resolution: Check that the library path is set correctly, for example: /opt/oracle/extapi/64/hsm/libcknfast-64.so. Ensure that oracle:oinstall is the owner:group of this directory, with read and write access.

Error message: ORA-28353: failed to open wallet
Resolution: Ensure that the HSM wallet pass phrase is correct. If OCS/softcard key protection is used, ensure that the name and pass phrase are correct and are separated by a |, for example: softcard_pass_phrase|softcard_name

Error message: ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [6], [], [], [], [], [], []
Resolution: Ensure that you have added user oracle to group nfast. In some cases you may have to re-login with the oracle user for this to take effect.

Error message: ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [2147483872], [], [], [], [], [], [], [], [], [], []
Resolution: Ensure that if a strict FIPS 140-2 level 3 security world is in use, an OCS is inserted into the HSM slot when creating the master encryption key.


Internet addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or +1 954 888 6200
Email: [email protected]

Europe, Middle East, Africa
Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: +44 (0)1844 201800
Email: [email protected]

Asia Pacific
Units 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
Tel: +852 2815 8633
Email: [email protected]

Web site: www.thalesgroup.com/iss

Support: http://iss.thalesgroup.com/en/Support.aspx

Online documentation: http://iss.thalesgroup.com/Resources.aspx

International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx
