by Alexandre Nestor
Introduction
When an Oracle database is configured with Oracle Key Vault, all master encryption keys (MEKs) are stored on the Oracle Key Vault server.
Rekey is the operation of changing the MEK.
In the previous article, Clone Oracle Database configured with Oracle Key Vault (OKV), I cloned a database CDB01 to CDB02, both configured with OKV. At the end of the clone process the cloned database CDB02 uses the same keys as the source database. In a production environment this is not acceptable: whoever can read the clone's keys can also decrypt the source. The cloned CDB02 database (which may be a clone for test purposes) needs to use its own keys. To achieve this goal we need to REKEY the CDB02 database.
First we are going to create a wallet for CDB02.
Then we execute the REKEY operation to generate new master encryption keys.
Finally, to achieve full separation between CDB01 and CDB02, we remove the right of CDB02 to read the wallet of CDB01.
Preparation
As explained in the previous post, the RESTful API is installed in /home/oracle/okv.
I use a script to set the RESTful API environment:
[oracle@db okv]$ cat /home/oracle/okv/set_okv_rest_env.sh
export OKV_RESTCLI_CONFIG=$HOME/okv/conf
export JAVA_HOME=/usr/java/jdk-11.0.10
export OKV_HOME=$HOME/okv
export PATH=$PATH:$OKV_HOME/bin

[oracle@db okv]$ source /home/oracle/okv/set_okv_rest_env.sh
I use a SQL script to output the wallet status:
[oracle@db okv]$ cat $HOME/tde.sql
set pages 200
set line 300
col WRL_PARAMETER format a50
col status format a10
col pdb_name format a20
select pdb_id, pdb_name, guid from dba_pdbs;
select * from v$encryption_wallet where con_id != 2;
The initial status of CDB02:
[oracle@db ~]$ . oraenv <<< CDB02
[CDB02][oracle@db ~]$ sqlplus / as sysdba

SQL> show parameter wallet_root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /opt/oracle/admin/CDB02/wallet

SQL> show parameter tde_configuration

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tde_configuration                    string      KEYSTORE_CONFIGURATION=OKV|FIL

SQL> @tde.sql

    PDB_ID PDB_NAME             GUID
---------- -------------------- --------------------------------
         3 PDB01                0AE3AEC4EE5ACDB1E063A001A8ACB8BB
         2 PDB$SEED             0AE38C7FF01EC651E063A001A8AC821E

WRL_TYPE WRL_PARAMETER                       STATUS               WALLET_TYPE   WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------- ----------------------------------- -------------------- ------------- --------- -------- --------- -------
FILE     /opt/oracle/admin/CDB02/wallet/tde/ OPEN_NO_MASTER_KEY   AUTOLOGIN     SINGLE    NONE     UNDEFINED      1
OKV                                          OPEN                 OKV           SINGLE    NONE     UNDEFINED      1
FILE                                         OPEN_NO_MASTER_KEY   AUTOLOGIN     SINGLE    UNITED   UNDEFINED      3
OKV                                          OPEN_UNKNONW_        OKV           SINGLE    UNITED   UNDEFINED      3

SQL> exit;
[CDB02][oracle@db ~]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password : endpoint_password
Unique ID                               Type              Identifier
600D0743-01D9-4F2F-BF6F-C9E8AC74FF2A    Symmetric Key     TDE Master Encryption Key : TAG CDB:CDB01 MEK first
6A752388-F93D-4F14-BF35-39E674CAAFED    Symmetric Key     TDE Master Encryption Key : TAG REKEY CDB01
AB294686-1FC4-4FE8-BFAD-F56BAD0A124B    Symmetric Key     TDE Master Encryption Key : TAG REKEY CDB01
BB0CC77A-10AD-4F55-BF0A-9F5A4C7F98C1    Symmetric Key     TDE Master Encryption Key : TAG CDB:DBTDEOKV:PDB1 MEK first
Create a wallet for CDB02:
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet create --generate-json-input > create_db_wallet_CDB02.json
[CDB02][oracle@db json]$ cat create_db_wallet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "ORA_CLONES",
      "type" : "GENERAL",
      "description" : "Wallet for Oracle Clones"
    }
  }
}
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet create --from-json create_db_wallet_CDB02.json
{
  "result" : "Success"
}
Set the default wallet for CDB02:
[CDB02][oracle@db json]$ okv manage-access wallet set-default --generate-json-input > set_default_wallet_CDB02.json
[CDB02][oracle@db json]$ cat set_default_wallet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "ORA_CLONES",
      "endpoint" : "DB_CDB02",
      "unique" : "FALSE"
    }
  }
}
[CDB02][oracle@db json]$ okv manage-access wallet set-default --from-json set_default_wallet_CDB02.json
{
  "result" : "Success"
}

# test
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet get-default --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "defaultWallet" : "ORA_CLONES"
  }
}

# list wallet access for endpoint DB_CDB02
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet list-endpoint-wallets --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "wallets" : [ "ORA_CLONES", "ORA_DB" ]
  }
}
REKEY operation
[CDB02][oracle@db json]$ sqlplus / as sysdba

-- list all keys for CDB02
SQL> set line 200
SQL> col key_id format a40;
SQL> select KEY_ID, KEYSTORE_TYPE, CREATION_TIME from V$ENCRYPTION_KEYS;

KEY_ID                                   KEYSTORE_TYPE     CREATION_TIME
---------------------------------------- ----------------- ----------------------------
066477563C41354F9ABFFD71C439728D90       OKV               12-MAR-24 11.38.29.789446 AM +00:00
06389A1CCF31E64F17BFC1101D9700F83E       OKV               12-MAR-24 11.53.46.361951 AM +00:00
064A92E70C7DBB4FBCBFDE46A9226CFB0A       OKV               12-MAR-24 11.53.45.932774 AM +00:00
06FED2B8DA29444F57BF11BB545ED7E60D       OKV               12-MAR-24 11.20.59.949238 AM +00:00

SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY FORCE KEYSTORE IDENTIFIED BY "endpoint_password" CONTAINER=ALL;
Remove the access of CDB02 to the CDB01 wallet (ORA_DB):
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet remove-access --generate-json-input > remove_access_walet_CDB02.json
[CDB02][oracle@db json]$ cat remove_access_walet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "ORA_DB",
      "endpoint" : "DB_CDB02"
    }
  }
}
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet remove-access --from-json remove_access_walet_CDB02.json
{
  "result" : "Success"
}

[CDB02][oracle@db json]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password :
Unique ID                               Type              Identifier
1B382343-A786-4F26-BFF9-35A8329A327C    Symmetric Key     TDE Master Encryption Key : MKID 0612F89A18C7984F27BF571A0420C58025
52B62409-6E8D-4F6F-BF08-F7DD73EC1938    Symmetric Key     TDE Master Encryption Key : MKID 06A9FD621A85A74F46BFD88BEB6082B9EB
2DE4025E-CF35-454D-9F60-33640DAAC067    Template          Default template for DB_CDB02

-- restart CDB02 to test that the database opens without any issue
SQL> startup force
SQL> @$HOME/tde.sql

    PDB_ID PDB_NAME             GUID
---------- -------------------- --------------------------------
         3 PDB01                0AE3AEC4EE5ACDB1E063A001A8ACB8BB
         2 PDB$SEED             0AE38C7FF01EC651E063A001A8AC821E

WRL_TYPE    WRL_PARAMETER                       STATUS             WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC     CON_ID
----------- ----------------------------------- ------------------ ----------- --------- -------- --------- ----------
FILE        /opt/oracle/admin/CDB02/wallet/tde/ OPEN_NO_MASTER_KEY AUTOLOGIN   SINGLE    NONE     UNDEFINED          1
OKV                                             OPEN               OKV         SINGLE    NONE     UNDEFINED          1
FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN   SINGLE    UNITED   UNDEFINED          3
OKV                                             OPEN               OKV         SINGLE    NONE     UNDEFINED          3
Database CDB02 opens correctly.
List the keys accessible to CDB02:
[CDB02][oracle@db json]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password:
Unique ID                               Type              Identifier
1B382343-A786-4F26-BFF9-35A8329A327C    Symmetric Key     TDE Master Encryption Key: MKID 0612F89A18C7984F27BF571A0420C58025
2DE4025E-CF35-454D-9F60-33640DAAC067    Template          Default template for DB_CDB02
List the wallets accessible to CDB02:
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet list-endpoint-wallets --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "wallets" : [ "ORA_CLONES" ]
  }
}
CDB02 no longer has access to the CDB01 wallet.
Conclusion
If the database is not configured with OKV, the wallet file stored on local disk must be backed up after every REKEY operation. When the database is configured with OKV, after a REKEY operation we have to do… nothing: the new keys are automatically stored in the OKV database without any intervention. Just one remark: the endpoint, in our example DB_CDB02, needs to have a default wallet configured. Otherwise the new keys will not belong to any wallet. That does not mean that the CDB02 database cannot access them, but keys sitting outside any wallet in OKV increase the maintenance effort.
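As an added example (not part of the original post, and not an Oracle tool), a small Python helper that builds the three okv JSON request bodies used in the procedure above and checks the two conditions the procedure relies on: the endpoint has a default wallet before the REKEY, and after remove-access the endpoint sees only the clone wallet. The sample responses are constructed from the CLI outputs shown above; the `"value": {}` shape for an endpoint without a default wallet is an assumption.

```python
import json

# Constructed sample okv responses, shaped like the CLI output shown in this post.
GET_DEFAULT_OK = '{"result":"Success","value":{"defaultWallet":"ORA_CLONES"}}'
GET_DEFAULT_MISSING = '{"result":"Success","value":{}}'  # assumed shape: no default set
WALLETS_BEFORE = '{"result":"Success","value":{"wallets":["ORA_CLONES","ORA_DB"]}}'
WALLETS_AFTER = '{"result":"Success","value":{"wallets":["ORA_CLONES"]}}'


def okv_request(category, resource, action, options):
    """Build the dict that, written with json.dumps(indent=2), is a --from-json input."""
    return {"service": {"category": category, "resource": resource,
                        "action": action, "options": options}}


def clone_separation_requests(endpoint, clone_wallet, source_wallet):
    """The three okv calls of the procedure, in order. The REKEY itself is SQL
    (ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY ...) and runs between 2 and 3."""
    return [
        okv_request("manage-access", "wallet", "create",
                    {"wallet": clone_wallet, "type": "GENERAL",
                     "description": f"Wallet for {endpoint} clone"}),
        okv_request("manage-access", "wallet", "set-default",
                    {"wallet": clone_wallet, "endpoint": endpoint, "unique": "FALSE"}),
        okv_request("manage-access", "wallet", "remove-access",
                    {"wallet": source_wallet, "endpoint": endpoint}),
    ]


def default_wallet(get_default_output):
    """Parse 'okv manage-access wallet get-default' output; None when no default exists."""
    doc = json.loads(get_default_output)
    if doc.get("result") != "Success":
        raise RuntimeError(f"okv call failed: {doc}")
    return doc.get("value", {}).get("defaultWallet")


def rekey_preflight(get_default_output, clone_wallet):
    """Guard before REKEY: proceed only if the endpoint's default wallet is the clone
    wallet, so the new MEKs land in it instead of outside any wallet."""
    return default_wallet(get_default_output) == clone_wallet


def leaked_wallets(list_wallets_output, allowed_wallets):
    """Post-check on 'list-endpoint-wallets' output: wallets the endpoint can still
    read beyond the allowed set; an empty set means the clone is fully separated."""
    doc = json.loads(list_wallets_output)
    return set(doc["value"]["wallets"]) - set(allowed_wallets)
```

Feed the captured get-default output to rekey_preflight before issuing the ADMINISTER KEY MANAGEMENT statement, and the list-endpoint-wallets output to leaked_wallets after remove-access.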