Configuring Oracle TDE Tablespace Encryption on a New Windchill Database
The following procedures provide instructions for configuring Oracle TDE tablespace encryption on a new Windchill database.
Configuring the Database Server for TDE Tablespace
1. Prepare the Oracle database for encryption.
Before attempting to create an encrypted tablespace, create a wallet on the database server to hold the encryption key.
A wallet is an encrypted container that is used to store authentication and signing credentials, including passwords, the TDE master key, PKI private keys, certificates, and trusted certificates needed by SSL. With TDE, wallets are used on the database server to protect the TDE master key. Because data is encrypted in REDO logs, UNDO tablespaces, and TEMP tablespaces, the TDE master encryption key needs to be available to the database before it is opened.
All Windchill tablespaces use the same encryption wallet and the same encryption key.
|
Although encrypted tablespaces can share the default database wallet, Oracle recommends using a separate wallet for transparent data encryption functionality by specifying the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file. Using the default location for the wallet, by not specifying the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file, is a known security risk. For more information, see http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf.
|
a. Set the ENCRYPTION_WALLET_LOCATION parameter in the $ORACLE_HOME/network/admin/sqlnet.ora file to the wallet directory as follows:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallets/wind/)))
Replace the DIRECTORY value with a value appropriate for your environment.
b. Using SQL*Plus, log in to the target database as a database administrative user, and execute the following commands to initialize the wallet and add the master encryption key. Execute each command individually, and replace <password> with the appropriate password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY “<password>”;
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY “<password>”;
Configure Wallet auto open after database restart:
orapki wallet create -wallet <wallet_home> -auto_login
2. Using SQL*Plus, log in to the target database as a database administrative user, and execute the following statement to change the default tablespace to SYSAUX:
ALTER DATABASE DEFAULT TABLESPACE "SYSAUX";
3. Using SQL*Plus, drop the original tablespaces (USERS, BLOBS, INDX, WCAUDIT):
DROP TABLESPACE USERS INCLUDING CONTENTS AND DATAFILES;
DROP TABLESPACE BLOBS INCLUDING CONTENTS AND DATAFILES;
DROP TABLESPACE INDX INCLUDING CONTENTS AND DATAFILES;
DROP TABLESPACE WCAUDIT INCLUDING CONTENTS AND DATAFILES;
4. Using SQL*Plus, create new encrypted tablespaces with the same names as the original tablespaces. In the example following statements, replace the DATAFILE values with values appropriate for your environment.
CREATE TABLESPACE "USERS"
DATAFILE '/u01/app/oracle/oradata/wind/users01.dbf'
SIZE 100M AUTOEXTEND ON NEXT 1G MAXSIZE UNLIMITED LOGGING
EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
DEFAULT STORAGE ( ENCRYPT ) ENCRYPTION USING 'AES256';
CREATE TABLESPACE "BLOBS"
DATAFILE '/u01/app/oracle/oradata/wind/blobs01.dbf'
SIZE 100M AUTOEXTEND ON NEXT 1G MAXSIZE UNLIMITED LOGGING
EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
DEFAULT STORAGE ( ENCRYPT ) ENCRYPTION USING 'AES256';
CREATE TABLESPACE "INDX"
DATAFILE '/u01/app/oracle/oradata/wind/indx01.dbf'
SIZE 100M AUTOEXTEND ON NEXT 1G MAXSIZE UNLIMITED LOGGING
EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
DEFAULT STORAGE ( ENCRYPT ) ENCRYPTION USING 'AES256';
CREATE TABLESPACE "WCAUDIT"
DATAFILE '/u01/app/oracle/oradata/wind/wcaudit01.dbf'
SIZE 100M AUTOEXTEND ON NEXT 1G MAXSIZE UNLIMITED LOGGING
EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
DEFAULT STORAGE ( ENCRYPT ) ENCRYPTION USING 'AES256';
5. Using SQL*Plus, reset the default tablespace to USERS:
ALTER DATABASE DEFAULT TABLESPACE "USERS";
6. Using SQL*Plus, execute the following query to verify that the tablespaces are created as encrypted tablespaces. The ENCRYPTED column must display a value of YES.
SELECT TABLESPACE_NAME , ENCRYPTED FROM DBA_TABLESPACES;
Configuring Windchill for the Database Configured for TDE Tablespaces
1. Install Windchill on the database created in the previous section.
2. After a successful installation, stop Windchill.
3. Open a Windchill shell.
4. From the Windchill shell, run the following commands to set and propagate the necessary configuration properties:
xconfmanager -s wt.pom.dbConnectionPropertiesNameList="oracle.net. encryption_client,oracle.net.encryption_types_client,oracle.net. crypto_checksum_client,oracle.net.crypto_checksum_types_client" -t "db/db.properties"
xconfmanager -s wt.pom.dbConnectionPropertiesValueList="ACCEPTED, ( AES256 ), ACCEPTED,( MD5 )" -t "db/db.properties"
xconfmanager -p
|
For configuring oracle.net.encryption_client and oracle.net.crypto_checksum_client, you can use any of the following values:
• REJECTED
• ACCEPTED
• REQUESTED
• REQUIRED
|
5. Start Windchill.