Oracle Database 11g Release 2 (11.2 64-bit) Real Application Cluster (RAC) Integration Guide for Linux


Page 1: Oracle Database 11g Release 2 (11.2 64-bit) Real Application Cluster (RAC) - Integration Guide

Oracle Database 11g Release 2 (11.2 64-bit) Real Application Cluster (RAC) Integration Guide for Linux


Version: 1.2

Date: Friday, December 20, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

Page 2 of 15 Oracle Database 11g Release 2 (11.2 64-bit) Real Application Cluster (RAC) - Integration Guide for Linux


Contents

1 Introduction 4

1.1 This product 4

1.1.1 Product configuration 5

1.1.2 Supported nCipher functionality 5

1.1.3 Requirements 5

1.2 This guide 6

1.3 More information 6

2 Procedures 7

2.1 Installing Oracle RAC 7

2.2 Installing the HSM 8

2.3 Installing the Security World software and configuring the nShield Connect on both nodes, RAC1 and RAC2 8

2.4 Configuring Oracle RAC 11g release 2 TDE to use the HSM 8

3 Troubleshooting 13

Contact Us 14

Europe, Middle East, and Africa 14

Americas 14

Asia Pacific 14


1 Introduction

1.1 This product

Oracle Real Application Cluster (RAC) enables you to cluster an Oracle database. Oracle RAC uses Oracle Clusterware for the infrastructure to bind multiple servers so they operate as a single system. You can use Oracle Clusterware to manage high-availability operations in a cluster. When you create an Oracle RAC database using any of the management tools, the database is registered with and managed by Oracle Clusterware, along with the other required components such as the Virtual Internet Protocol (VIP) address, the Single Client Access Name (SCAN), the SCAN listener, Oracle Notification Service, and the Oracle Net listeners. These resources are automatically started when Oracle Clusterware starts the node and automatically restarted if they fail. The Oracle Clusterware daemons run on each node.

Oracle RAC supports the transparent deployment of a single database across pools of servers, providing fault tolerance against hardware failures or planned outages. Oracle RAC is a key component of Oracle's private cloud architecture. Oracle RAC support is included in Oracle Database Standard Edition for higher levels of system uptime. Database administrators have a single point of control to install and manage an Oracle RAC cluster using a graphical user interface (GUI) or command line tools. Oracle Database 11g streamlines the installation with automatic checks and fixes for missed prerequisites for both Oracle Grid Infrastructure (Oracle Clusterware and Oracle Automatic Storage Management) and Oracle RAC.

Oracle TDE transparently encrypts data that is stored in the Oracle database, without requiring any changes to the application that runs on top of the database. It supports both TDE tablespace encryption and TDE column encryption. The HSM secures the unified TDE master encryption key, which is used to encrypt and decrypt the tablespace keys for encrypted tablespaces and the table keys for encrypted application table columns. The HSM is used in place of the Oracle Wallet to provide a higher level of security assurance, including:

• Centralized storage and management of the master encryption key(s).

• Full life cycle management of the master encryption key(s).

• Highest level of security assurance: the keys never leave the HSM in plaintext.

• FIPS 140-2 Level 3 validated hardware.

• Failover support.

Depending on your current Oracle setup, you can use this document to either:

• Create and start using a new HSM-protected wallet (if you are not using an Oracle Wallet).

• Migrate from an existing Oracle Wallet to an HSM-protected wallet.

The Oracle Wallet can be the default database wallet shared with the other components of the Oracle database or a separate wallet specifically used by TDE. When using Oracle TDE, Oracle recommends that you use a separate wallet to store the master encryption key. See the Oracle documentation for more information.


1.1.1 Product configuration

The integration between the HSM and TDE uses the PKCS #11 cryptographic API. The integration has been successfully tested in the following configurations:

Operating system             | nShield software version | Oracle Database version | nShield Solo support | nShield Connect support
Red Hat Enterprise Linux 6.3 | 11.70                    | 11.2.0.4.0              | Yes                  | Yes
Red Hat Enterprise Linux 5   | 11.60                    | 11.2.0.3.0              | -                    | Yes
Red Hat Enterprise Linux 6   | 11.60                    | 11.2.0.3.0              | -                    | Yes
Oracle Enterprise Linux 7    | 11.60                    | 11.2.0.3.0              | -                    | Yes

1.1.2 Supported nCipher functionality

Key Generation: Yes
Key Management: Yes
Key Import: —
Key Recovery: Yes
1-of-N Operator Card Set: Yes
K-of-N Operator Card Set: —
Softcards: Yes
Module-only Key: Yes
Strict FIPS Support: Yes
Load Sharing: Yes
Fail Over: Yes

1.1.3 Requirements

Before you begin the integration process:

• Read the Quick Start Guide or User Guide for your HSM.

• Familiarize yourself with the setup procedures for Oracle Database 11g Release 2 RAC.

Before running the setup program, you need to know:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

• Whether the application keys are to be protected by the module, a softcard or an Operator Card Set (OCS).

• The number and quorum of Operator Cards in the OCS (only 1 of N is supported), and the policy for managing these cards.

• Whether the security world needs to be compliant with FIPS 140-2 Level 3.


1.2 This guide

This guide explains how to integrate an Oracle Database 11g R2 RAC with an nCipher Hardware Security Module (HSM) to provide Transparent Data Encryption (TDE). The instructions in this document have been thoroughly tested and provide a straightforward integration process. There may be other, untested ways to achieve interoperability.

This document may not cover every step in the process of setting up all the software.

This document assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for Oracle Database 11g Release 2 Real Application Clusters.

1.3 More information

Additional documentation produced to support your nCipher product is in the document directory of the CD-ROM or DVD-ROM for that product.

For more information about Real Application Clusters, find the relevant pages on the Oracle website: http://www.oracle.com.


2 Procedures

To integrate Oracle RAC 11g Release 2 TDE with an HSM:

1. Install Oracle RAC.

2. Install the HSM.

3. Install the Security World software and configure the nShield Connect on both nodes, RAC1 and RAC2.

4. Configure Oracle RAC 11g Release 2 TDE to use the HSM.

All these procedures are described in the following sections.

2.1 Installing Oracle RAC

To install Oracle RAC:

1. Download and unzip the Oracle 11g Release 2 patch set:

   • For Oracle version 11.2.0.3.0: Patch 10404530

   • For Oracle version 11.2.0.4.0: Patch 13390677

2. Ensure that the prerequisite configuration is complete according to the Oracle documentation at: http://www.oracle.com/pls/db112/portal.portal_db?selected=16&frame=#oracle_real_application_clusters

3. Navigate to the Grid folder and execute ./runInstaller to start the installation of Oracle Grid Infrastructure on Linux using NFS. The following article describes the installation of Oracle Database 11g Release 2 (11.2 64-bit) RAC on Linux using NFS: http://www.oracle-base.com/articles/11g/oracle-db-11gr2-rac-installation-on-linux-using-nfs.php

4. Navigate to the database installation folder and execute ./runInstaller to start the installation of the Oracle Database software.

5. Set the environment variables ORACLE_BASE, ORACLE_HOME, PATH, TNS_ADMIN and ORACLE_SID according to your environment, for example:

   ORACLE_SID=<database_name>; export ORACLE_SID
   ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
   ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME
   PATH=$PATH:$ORACLE_HOME/bin; export PATH
   TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN

   Ensure that ORACLE_SID is at least eight alphanumeric characters long.

6. Run dbca to create a database and, on step 8 of the dbca wizard, select the option to add the sample schemas. The sample schemas and user accounts are used to test TDE with an HSM.

2.2 Installing the HSM

Install the HSM using the instructions in the documentation for the HSM. We recommend that you install the HSM before configuring the Security World software.

2.3 Installing the Security World software and configuring the nShield Connect on both nodes, RAC1 and RAC2

To install the nShield Security World support software and configure the HSM:

1. Install the latest version of the Security World software on both RAC1 and RAC2. We recommend that you uninstall any existing nCipher software before installing the new software.

2. Create a security world as described in the User Guide for the HSM.

3. On each node, create or edit the cknfastrc file located in the /opt/nfast directory and, depending on how you want to protect the master encryption key, set one of the following environment variables:

   • OCS or softcard key protection:

     CKNFAST_LOADSHARING=1

   • Module-only key protection:

     CKNFAST_FAKE_ACCELERATOR_LOGIN=1

   Set only the variable that matches the protection you have chosen; the Troubleshooting section lists the errors a mismatch produces. For more information, see the PKCS #11 library environment variables in the User Guide for the HSM.

4. Initialize a security world.

5. For OCS protection, create a 1-of-N card set, following the instructions in the User Guide for the HSM. For softcard protection, you must create a softcard; see the User Guide for the HSM for more information. Ensure that your Operator Card or softcard pass phrase has a minimum of eight alphanumeric characters.

2.4 Configuring Oracle RAC 11g release 2 TDE to use the HSM

To configure Oracle RAC 11g release 2 TDE to use the HSM (the operating-system steps, that is the library copy, the group membership, sqlnet.ora and the library path, are per node: carry them out on both RAC1 and RAC2):

1. Copy the PKCS #11 library located at /opt/nfast/toolkits/pkcs11/libcknfast-64.so (or libcknfast.so, depending on your OS architecture) to the directory from which Oracle loads HSM libraries. For Red Hat Enterprise Linux 5 (x86 64-bit) the guide uses:

   /opt/oracle/extapi/64/hsm/libcknfast.so

   The LIBPATH set later in this procedure points at the vendor and version subdirectory /opt/oracle/extapi/64/hsm/ncipher/1.73.19, which is the layout Oracle documents for TDE HSM libraries (/opt/oracle/extapi/64/hsm/<vendor>/<version>/); Oracle expects exactly one shared object in the directory it searches, so do not leave a second copy behind.

   Ensure that the directory exists and that oracle:oinstall is the owner:group of the directory, with read and write access.

2. Add the oracle user to group nfast. You can verify this addition by looking at the entry for the nfast group in /etc/group.

3. In the $TNS_ADMIN/sqlnet.ora file add or edit the following lines, depending on whether you are migrating from an Oracle Wallet:

   Migrating from an Oracle Wallet:

   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM)
     (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/$ORACLE_SID/wallet/)))

   Not migrating:

   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))

4. Set LIBPATH and LD_LIBRARY_PATH as follows:

   LIBPATH=/opt/oracle/extapi/64/hsm/ncipher/1.73.19
   LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib:/opt/oracle/extapi/64/hsm/ncipher/1.73.19
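A pre-flight check for the operating-system steps above (library location, directory ownership, group membership, sqlnet.ora and LD_LIBRARY_PATH), added here as an example and not part of the nCipher guide. It tests, before the database is asked to create a key, the conditions that the Troubleshooting section later associates with ORA-28376 and with ORA-00600 [kzthsmgmk: C_GenerateKey], [6]. The defaults are this guide's paths and names, including the /opt/oracle/extapi/64/hsm/ncipher/1.73.19 directory; each can be overridden from the environment so the script can be pointed at a test tree. That Oracle accepts exactly one shared object in that directory is Oracle's documented requirement rather than something stated on this page.

```shell
#!/bin/sh
# tde_hsm_preflight.sh - check the Oracle-side prerequisites for TDE with an
# nShield HSM before creating the master key. Added example, not nCipher code.
# Each check is a function that returns 0 when satisfied and 1 otherwise, so
# the checks can be run one at a time or all together via tde_preflight.

# Defaults are the values used in this guide; override them from the
# environment to point at another installation or at a test tree.
EXTAPI_LIB_DIR="${EXTAPI_LIB_DIR:-/opt/oracle/extapi/64/hsm/ncipher/1.73.19}"
ORACLE_USER="${ORACLE_USER:-oracle}"
ORACLE_GROUP="${ORACLE_GROUP:-oinstall}"
NFAST_GROUP="${NFAST_GROUP:-nfast}"
SQLNET_ORA="${SQLNET_ORA:-${TNS_ADMIN:-$ORACLE_HOME/network/admin}/sqlnet.ora}"

# Oracle loads the one shared object it finds under
# /opt/oracle/extapi/64/hsm/<vendor>/<version>/; none, or more than one,
# ends in ORA-28376 (cannot find PKCS11 library).
check_pkcs11_lib() {
    dir="$1"
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    set -- "$dir"/*.so
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "FAIL: expected exactly one .so in $dir, found: $*"
        return 1
    fi
    [ -r "$1" ] || { echo "FAIL: $1 is not readable"; return 1; }
    echo "ok: PKCS #11 library $1"
}

# The directory must belong to oracle:oinstall so the database can open it.
check_owner() {
    path="$1" want="$2"
    have=$(ls -ld "$path" 2>/dev/null | awk '{print $3 ":" $4}')
    [ "$have" = "$want" ] || { echo "FAIL: $path is owned by '$have', expected $want"; return 1; }
    echo "ok: $path owned by $want"
}

# oracle must be a member of group nfast to talk to the hardserver; without
# it key generation fails with ORA-00600 [kzthsmgmk: C_GenerateKey], [6].
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# TDE only contacts the HSM when sqlnet.ora routes it there. Whitespace and
# case vary between hand-edited files, so compare with both stripped.
sqlnet_uses_hsm() {
    file="$1"
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    if tr -d ' \t\n' < "$file" | grep -qi 'ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM'; then
        echo "ok: $file sets ENCRYPTION_WALLET_LOCATION to METHOD = HSM"
    else
        echo "FAIL: $file does not set ENCRYPTION_WALLET_LOCATION to METHOD = HSM"
        return 1
    fi
}

# Is DIR one of the colon-separated entries of PATHLIST (default: the
# current LD_LIBRARY_PATH, which the database instance will inherit)?
ld_path_has() {
    dir="$1" pathlist="${2-$LD_LIBRARY_PATH}"
    case ":$pathlist:" in *":$dir:"*) return 0 ;; esac
    return 1
}

# Run every check, report each, and return 1 if any of them failed.
tde_preflight() {
    fails=0
    check_pkcs11_lib "$EXTAPI_LIB_DIR" || fails=$((fails + 1))
    check_owner "$EXTAPI_LIB_DIR" "$ORACLE_USER:$ORACLE_GROUP" || fails=$((fails + 1))
    if user_in_group "$ORACLE_USER" "$NFAST_GROUP"; then
        echo "ok: $ORACLE_USER is in group $NFAST_GROUP"
    else
        echo "FAIL: add $ORACLE_USER to group $NFAST_GROUP, then log in again"
        fails=$((fails + 1))
    fi
    sqlnet_uses_hsm "$SQLNET_ORA" || fails=$((fails + 1))
    if ld_path_has "$EXTAPI_LIB_DIR"; then
        echo "ok: $EXTAPI_LIB_DIR is on LD_LIBRARY_PATH"
    else
        echo "FAIL: $EXTAPI_LIB_DIR is not on LD_LIBRARY_PATH"
        fails=$((fails + 1))
    fi
    echo "$fails problem(s) found"
    [ "$fails" -eq 0 ]
}

# Run the checks when executed directly; sourcing only defines the functions.
[ "${0##*/}" = "tde_hsm_preflight.sh" ] && tde_preflight
```

Run it as the oracle user on each node, in the shell that will start the instance, before creating the master key; a non-zero exit means at least one check failed and the reason is printed next to it.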

5. Log into the database using the following commands:

   a. In the UNIX command shell:

      sqlplus / as sysdba

   b. In SQL*Plus (at the SQL> prompt):

      connect / as sysdba

6. Create the master encryption key inside the HSM. The pass phrase you supply depends on how you want to protect the key and on whether you are migrating from an Oracle Wallet:

   • OCS key protection: requires an OCS to be inserted into the module slot. You must specify |OCS_name after the pass phrase to identify a particular OCS in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1.

   • Softcard key protection: you must specify |softcard_name after the pass phrase to identify a particular softcard in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1.

   • Module-only key protection: accepts any given pass phrase. In the cknfastrc file, you must set CKNFAST_FAKE_ACCELERATOR_LOGIN=1.

   The pass phrase must be at least eight alphanumeric characters long. When migrating, the wallet_password is the password of the existing Oracle Wallet.

7. To verify that the master encryption key has been created, run /opt/nfast/bin/cklist. You should see the following PKCS #11 keys:

   • Migrating from an Oracle software wallet: ORACLE.TDE.HSM.MK.key_hash

   • Not migrating: ORACLE.TDE.HSM.MK.key_hash and ORACLE.TSE.HSM.MK.key_hash

8. If you migrated from an Oracle software wallet:

   a. In the UNIX command shell, use an orapki command similar to the following to change the Oracle Wallet password to match the new pass phrase:

      orapki wallet change_pwd -wallet "/u01/app/oracle/admin/your_test_database_name/wallet/ewallet.p12" -oldpwd "wallet_password" -newpwd "OCS_pass_phrase|OCS_name"

      This example is for OCS key protection. For softcard key protection, use softcard_pass_phrase|softcard_name. For module-only key protection, use module_pass_phrase.

   b. Navigate to the Oracle Wallet ewallet.p12 and rename it to ewallet.p12.old. This stops Transparent Data Encryption from opening the software wallet.

   It is important that you keep this Oracle Wallet; it still holds the previous master encryption key, so keep it protected like any other key material.
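The protection mode chosen in section 2.3 has to be reflected consistently in three places: the cknfastrc variable, the secret given to IDENTIFIED BY when the master key is created (pass phrase alone for module-only protection, pass phrase|name for an OCS or softcard) and, when migrating, the new password set on the software wallet with orapki. The following shell script, added here as an example and not part of the nCipher guide, derives all three from one choice and enforces the pass phrase rules stated above, rejecting a '|' in the pass phrase because everything after the first '|' is read as the OCS or softcard name. The MIGRATE USING clause is Oracle's documented 11g syntax for re-keying a software wallet under an HSM-held key and does not appear on this page; the mode names ocs/softcard/module, the CKNFASTRC path override and the sample values in the usage comments are this example's own.

```shell
#!/bin/sh
# tde_hsm_secret.sh - derive, from one protection choice, the three settings
# that must agree: the cknfastrc variable, the IDENTIFIED BY secret for the
# master key, and the new software-wallet password when migrating.
# Added example, not nCipher code. MODE is ocs, softcard or module.

# At least eight alphanumeric characters; no '|' (Oracle hands everything
# after the first '|' to the nShield library as the OCS/softcard name) and
# no '"' (the secret is placed inside a double-quoted SQL string).
valid_passphrase() {
    pp="$1"
    case "$pp" in *'|'*|*'"'*) return 1 ;; esac
    n=$(printf '%s' "$pp" | tr -cd '[:alnum:]' | wc -c | tr -d ' ')
    [ "$n" -ge 8 ]
}

# The string passed to IDENTIFIED BY: pass phrase alone for module-only
# protection, pass phrase|name for an OCS or softcard. Printed to stdout.
tde_secret() {
    mode="$1" pp="$2" name="${3:-}"
    valid_passphrase "$pp" || { echo "pass phrase rejected" >&2; return 1; }
    case "$mode" in
        ocs|softcard)
            [ -n "$name" ] || { echo "$mode protection needs the OCS or softcard name" >&2; return 1; }
            printf '%s|%s' "$pp" "$name" ;;
        module)
            [ -z "$name" ] || { echo "module-only protection takes no name" >&2; return 1; }
            printf '%s' "$pp" ;;
        *)  echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# The cknfastrc variable this guide pairs with each mode; the wrong one is
# what ORA-28362 and ORA-28407 in the Troubleshooting section point at.
cknfastrc_line() {
    case "$1" in
        ocs|softcard) echo 'CKNFAST_LOADSHARING=1' ;;
        module)       echo 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1' ;;
        *)            return 1 ;;
    esac
}

# Rewrite cknfastrc (path from CKNFASTRC, default /opt/nfast/cknfastrc) so it
# carries exactly one of the two variables: a stale line left over from an
# earlier mode would otherwise still be read by the library.
write_cknfastrc() {
    mode="$1" file="${CKNFASTRC:-/opt/nfast/cknfastrc}"
    line=$(cknfastrc_line "$mode") || return 1
    tmp="$file.tmp.$$"
    {
        [ -f "$file" ] && grep -v -e '^CKNFAST_LOADSHARING=' \
                                  -e '^CKNFAST_FAKE_ACCELERATOR_LOGIN=' "$file"
        echo "$line"
    } > "$tmp" && mv "$tmp" "$file"
}

# SQL that creates the master key in the HSM. With WALLET_PW (the existing
# software wallet's password) the MIGRATE USING clause re-keys the wallet's
# keys under the HSM key; this is Oracle's documented 11g syntax, not a
# command shown in this guide.
tde_set_key_sql() {
    secret=$(tde_secret "$1" "$2" "${3:-}") || return 1
    if [ -n "${4:-}" ]; then
        printf 'ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "%s" MIGRATE USING "%s";\n' \
            "$secret" "$4"
    else
        printf 'ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "%s";\n' "$secret"
    fi
}

# The orapki command from the migration step, built from the same secret so
# the wallet password cannot drift from what the database was given.
orapki_change_pwd_cmd() {
    wallet="$1" oldpw="$2"
    secret=$(tde_secret "$3" "$4" "${5:-}") || return 1
    printf 'orapki wallet change_pwd -wallet "%s" -oldpwd "%s" -newpwd "%s"\n' \
        "$wallet" "$oldpw" "$secret"
}

# Usage (constructed values): OCS protection, migrating from a software wallet.
#   write_cknfastrc ocs
#   tde_set_key_sql ocs 'Tr0ub4dor3' oracle_ocs 'wallet_password'
#   orapki_change_pwd_cmd /u01/app/oracle/admin/orcl/wallet 'wallet_password' ocs 'Tr0ub4dor3' oracle_ocs
```

Feed the output of tde_set_key_sql to SQL*Plus after the login step and run the printed orapki command only when migrating; because the same tde_secret call produces both strings, a typo in the pass phrase or card set name shows up once, as a rejected input, rather than as an ORA-28353 at wallet open time.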

9. To use tablespace encryption and column encryption with the HSM, we recommend that you first create an encrypted tablespace using the following command and then proceed with column-level encryption. Substitute the actual data file path: SQL does not expand shell variables such as $ORACLE_BASE.

   CREATE TABLESPACE securespace1
     DATAFILE '$ORACLE_BASE/oradata/$ORACLE_SID/secure01.dbf'
     SIZE 10M
     ENCRYPTION USING 'AES256'
     DEFAULT STORAGE (ENCRYPT);

10. Create a table inside the tablespace by using the command:

   CREATE TABLE customer_payment_info
     (first_name VARCHAR2(11),
      last_name VARCHAR2(10),
      order_number NUMBER(5),
      credit_card_number VARCHAR2(16),
      active_card VARCHAR2(3))
   TABLESPACE securespace1;

11. Insert values into the table by using commands similar to the following:

   INSERT INTO customer_payment_info VALUES ('Mike', 'Hellas', 10001, '5446959708812985', 'YES');
   INSERT INTO customer_payment_info VALUES ('Peter', 'Burton', 10002, '5122358046082560', 'YES');
   INSERT INTO customer_payment_info VALUES ('Mary', 'Banker', 10003, '5595968943757920', 'YES');
   INSERT INTO customer_payment_info VALUES ('Holly', 'Mayers', 10004, '4929889576357400', 'YES');
   commit;

12. Check the encrypted tablespace by using the command:

   select tablespace_name, encrypted from dba_tablespaces;

13. To list the values in the encrypted tablespace in plain text, use the command:

   select * from customer_payment_info;

14. Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user OE, using the command:

   alter table oe.customers modify (credit_limit encrypt);

15. To list the values in the encrypted column in plain text, use the command:

   select credit_limit from oe.customers where rownum < 15;

16. To list the encrypted columns in your database, use the command:

   select * from dba_encrypted_columns;

17. To list information about the wallet, use the command:

   select * from v$encryption_wallet;

18. To rotate the TDE master encryption key, use the command:

   alter system set encryption key identified by "pass_phrase";

   This creates another ORACLE.TDE.HSM.MK.key_hash master encryption key in the /opt/nfast/kmdata/local directory, which you can see by running /opt/nfast/bin/cklist. The pass_phrase is the pass phrase that you used when creating the master encryption key, including the |OCS_name or |softcard_name suffix for OCS or softcard protection. The tablespace encryption key cannot be rotated; a workaround is to move the data into a new encrypted tablespace.

19. Close the wallet and exit SQL*Plus by using the commands:

   alter system set encryption wallet close identified by "pass_phrase";
   exit

   You do not need to specify the OCS or softcard name when closing the wallet.

20. Open the wallet by logging into the database and using one of the following commands:

   • OCS key protection:

     alter system set encryption wallet open identified by "OCS_pass_phrase|OCS_name";

   • Softcard key protection:

     alter system set encryption wallet open identified by "softcard_pass_phrase|softcard_name";

   • Module-only key protection:

     alter system set encryption wallet open identified by "module_pass_phrase";


3 Troubleshooting

The following table provides troubleshooting guidelines.

Error message: ORA-28376: cannot find PKCS11 library
Resolution: Check that the library path is set correctly, for example /opt/oracle/extapi/64/hsm/libcknfast-64.so. Ensure that oracle:oinstall is the owner:group of this directory, with read and write access.

Error message: ORA-28353: failed to open wallet
Resolution: Ensure that the HSM wallet pass phrase is correct. If OCS or softcard key protection is used, ensure that the name and pass phrase are correct and are separated by a |, for example softcard_pass_phrase|softcard_name.

Error message: ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [6], [], [], [], [], [], []
Resolution: The second argument is PKCS #11 return code 6 (CKR_FUNCTION_FAILED) from C_GenerateKey. Ensure that you have added user oracle to group nfast. In some cases you may have to log in again as the oracle user for this to take effect, or shut down and start up the database again.

Error message: ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [2147483872], [], [], [], [], [], [], [], [], [], []
Resolution: The second argument is 0x800000E0, a vendor-defined PKCS #11 return code (CKR_VENDOR_DEFINED and above). If a strict FIPS 140-2 Level 3 security world is in use, ensure that an OCS is inserted into the HSM slot when creating the master encryption key.

Error message: ORA-28362: master key not found
Resolution: Check that the correct option is set in cknfastrc for your type of protection.

Error message: ORA-28407: Hardware Security Module error detected
Resolution: Check that the correct option is set in cknfastrc for your type of protection.


Contact Us

Web site: https://www.ncipher.com
Support: https://help.ncipher.com
Email Support: [email protected]
Documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444
One Station Square, Cambridge, CB1 2GA, UK

Americas

Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229
Sawgrass Commerce Center – A, Suite 130, 13800 NW 14 Street, Sunrise, FL 33323, USA

Asia Pacific

Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf, Siddeley St, Melbourne VIC 3005, Australia

Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188
10/F, V-Point, 18 Tang Lung Street, Causeway Bay, Hong Kong


About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today's fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency; it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control, today, tomorrow, always.

www.ncipher.com