Introduction

When an Oracle database is configured with Oracle Key Vault, all master encryption keys (MEKs) are stored on the Oracle Key Vault server.

Rekey is the operation of changing the MEK.

In the previous article Clone Oracle Database configured with Oracle Key Vault (OKV) I cloned a database CDB01 to CDB02 configured with OKV. At the end of the clone process the cloned database CDB02 uses the same keys as the source database. In a production environment this is not an acceptable solution. The cloned CDB02 database (which can be a clone for test purposes) needs to use its own keys. To achieve this goal we need to REKEY the CDB02 database.

First we are going to create a wallet for CDB02.

Then we execute the REKEY operation to generate new master encryption keys.
At the end, to make the full separation between CDB01 and CDB02, we remove the right of CDB02 to read the wallet of CDB01.

Preparation

As explained in the previous post, the RESTful API is installed in /home/oracle/okv

I use a script to set the RESTful API environment:

[oracle@db okv]$ cat /home/oracle/okv/set_okv_rest_env.sh
export OKV_RESTCLI_CONFIG=$HOME/okv/conf
export JAVA_HOME=/usr/java/jdk-11.0.10
export OKV_HOME=$HOME/okv
export PATH=$PATH:$OKV_HOME/bin

[oracle@db okv]$ source /home/oracle/okv/set_okv_rest_env.sh

I use an SQL script to output the wallet status:

[oracle@db okv]$ cat $HOME/tde.sql
set pages 200
set line 300
col WRL_PARAMETER format a50
col status format a10
col pdb_name  format a20
select pdb_id, pdb_name, guid from dba_pdbs;
select * from v$encryption_wallet where con_id != 2;

The initial status of CDB02

[oracle@db ~]$ . oraenv <<< CDB02
[CDB02][oracle@db ~]$ sqlplus / as sysdba

SQL> show parameter wallet_root

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
wallet_root			     string	 /opt/oracle/admin/CDB02/wallet

SQL> show parameter tde_configuration

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
tde_configuration		     string	 KEYSTORE_CONFIGURATION=OKV|FIL

SQL> @tde.sql

    PDB_ID PDB_NAME		GUID
---------- -------------------- --------------------------------
	 3 PDB01		0AE3AEC4EE5ACDB1E063A001A8ACB8BB
	 2 PDB$SEED		0AE38C7FF01EC651E063A001A8AC821E


WRL_TYPE  WRL_PARAMETER                       STATUS              WALLET_TYPE   WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------- ----------------------------------- -------------------- ------------- --------- -------- --------- -------
FILE     /opt/oracle/admin/CDB02/wallet/tde/ OPEN_NO_MASTER_KEY    AUTOLOGIN    SINGLE      NONE     UNDEFINED  1
OKV                                          OPEN                  OKV          SINGLE      NONE     UNDEFINED  1
FILE                                         OPEN_NO_MASTER_KEY    AUTOLOGIN    SINGLE      UNITED   UNDEFINED  3
OKV                                          OPEN_UNKNONW_         OKV          SINGLE      UNITED   UNDEFINED  3

SQL> exit; 

[CDB02][oracle@db ~]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password: endpoint_password
Unique ID                               Type            Identifier
600D0743-01D9-4F2F-BF6F-C9E8AC74FF2A	Symmetric Key	TDE Master Encryption Key: TAG CDB:CDB01 MEK first
6A752388-F93D-4F14-BF35-39E674CAAFED	Symmetric Key	TDE Master Encryption Key: TAG REKEY CDB01
AB294686-1FC4-4FE8-BFAD-F56BAD0A124B	Symmetric Key	TDE Master Encryption Key: TAG REKEY CDB01
BB0CC77A-10AD-4F55-BF0A-9F5A4C7F98C1	Symmetric Key	TDE Master Encryption Key: TAG CDB:DBTDEOKV:PDB1 MEK first

Create a wallet for CDB02

[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet create --generate-json-input > create_db_wallet_CDB02.json
[CDB02][oracle@db json]$ cat create_db_wallet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "ORA_CLONES",
      "type" : "GENERAL",
      "description" : "Wallet for Oracle Clones"
    }
  }
}

[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet create --from-json create_db_wallet_CDB02.json
{
  "result" : "Success"
}

Set the default wallet for CDB02

[CDB02][oracle@db json]$ okv manage-access wallet set-default --generate-json-input > set_default_wallet_CDB02.json


[CDB02][oracle@db json]$ cat set_default_wallet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "ORA_CLONES",
      "endpoint" : "DB_CDB02",
      "unique" : "FALSE"
    }
  }
}

[CDB02][oracle@db json]$ okv manage-access wallet set-default --from-json set_default_wallet_CDB02.json
{
  "result" : "Success"
}

# test 
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet get-default --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "defaultWallet" : "ORA_CLONES"
  }
}

# list wallets access for endpoint DB_CDB02
[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet list-endpoint-wallets --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "wallets" : [ "ORA_CLONES", "ORA_DB" ]
  }
}

REKEY operation

[CDB02][oracle@db json]$ sqlplus / as sysdba 

-- list all keys for CDB02
SQL> set line 200
SQL> col key_id format a40;
SQL> select KEY_ID, KEYSTORE_TYPE,CREATION_TIME from V$ENCRYPTION_KEYS;

KEY_ID                                   KEYSTORE_TYPE	   CREATION_TIME
---------------------------------------- ----------------- ----------------------------
066477563C41354F9ABFFD71C439728D90	 OKV		   12-MAR-24 11.38.29.789446 AM +00:00
06389A1CCF31E64F17BFC1101D9700F83E	 OKV		   12-MAR-24 11.53.46.361951 AM +00:00
064A92E70C7DBB4FBCBFDE46A9226CFB0A	 OKV		   12-MAR-24 11.53.45.932774 AM +00:00
06FED2B8DA29444F57BF11BB545ED7E60D	 OKV		   12-MAR-24 11.20.59.949238 AM +00:00 

SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY FORCE KEYSTORE IDENTIFIED BY "endpoint_password" container=all;

Remove access from CDB01 wallet:

[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet remove-access --generate-json-input > remove_access_walet_CDB02.json

[CDB02][oracle@db json]$ cat remove_access_walet_CDB02.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "ORA_DB",
      "endpoint" : "DB_CDB02"
    }
  }
}

[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet remove-access --from-json remove_access_walet_CDB02.json
{
  "result" : "Success"
}

[CDB02][oracle@db json]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password:
Unique ID                               Type            Identifier
1B382343-A786-4F26-BFF9-35A8329A327C	Symmetric Key	TDE Master Encryption Key: MKID 0612F89A18C7984F27BF571A0420C58025
52B62409-6E8D-4F6F-BF08-F7DD73EC1938	Symmetric Key	TDE Master Encryption Key: MKID 06A9FD621A85A74F46BFD88BEB6082B9EB
2DE4025E-CF35-454D-9F60-33640DAAC067	Template	Default template for DB_CDB02

-- restart CDB02 to test that the database opens without any issue
SQL> startup force

SQL> @$HOME/tde.sql

    PDB_ID PDB_NAME		GUID
---------- -------------------- --------------------------------
	 3 PDB01		0AE3AEC4EE5ACDB1E063A001A8ACB8BB
	 2 PDB$SEED		0AE38C7FF01EC651E063A001A8AC821E


WRL_TYPE    WRL_PARAMETER                       STATUS             WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC     CON_ID
----------- ----------------------------------- ------------------ ----------- --------- -------- --------- ----------
FILE        /opt/oracle/admin/CDB02/wallet/tde/ OPEN_NO_MASTER_KEY AUTOLOGIN   SINGLE      NONE       UNDEFINED          1
OKV                                             OPEN               OKV         SINGLE      NONE       UNDEFINED          1
FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN   SINGLE      UNITED     UNDEFINED          3
OKV                                             OPEN               OKV         SINGLE      NONE       UNDEFINED          3

Database CDB02 opens correctly.

List the accessible keys for CDB02:

[CDB02][oracle@db json]$ /opt/oracle/admin/CDB02/wallet/okv/bin/okvutil list
Enter Oracle Key Vault endpoint password:
Unique ID                               Type            Identifier
1B382343-A786-4F26-BFF9-35A8329A327C	Symmetric Key	TDE Master Encryption Key: MKID 0612F89A18C7984F27BF571A0420C58025
2DE4025E-CF35-454D-9F60-33640DAAC067	Template	Default template for DB_CDB02

List the wallets accessible for CDB02:

[CDB02][oracle@db json]$ $OKV_HOME/bin/okv manage-access wallet list-endpoint-wallets --endpoint DB_CDB02
{
  "result" : "Success",
  "value" : {
    "wallets" : [ "ORA_CLONES" ]
  }
}

CDB02 no longer has access to the CDB01 wallet.
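The separation above was verified by eye: the endpoint wallet list, the default wallet and the okvutil list output were read one after the other. When the same clone procedure is repeated for several test databases it is worth scripting that check. The following Python script is an added example, not code from this post or from Oracle Key Vault: it builds the same JSON request documents that okv --generate-json-input writes, parses the okv JSON responses and the tab separated okvutil list output, and reports every condition under which CDB02 would still be tied to CDB01. The sample responses embedded in it are constructed from the outputs shown in this post, not captured from a live server, so it runs offline; in a real run you would feed it the text returned by the okv and okvutil commands.

```python
import json
import re

# Constructed samples modelled on the outputs shown in this post (not live captures).
WALLETS_BEFORE = '{"result": "Success", "value": {"wallets": ["ORA_CLONES", "ORA_DB"]}}'
WALLETS_AFTER = '{"result": "Success", "value": {"wallets": ["ORA_CLONES"]}}'
DEFAULT_WALLET = '{"result": "Success", "value": {"defaultWallet": "ORA_CLONES"}}'

OKVUTIL_BEFORE = (
    "Unique ID                               Type            Identifier\n"
    "600D0743-01D9-4F2F-BF6F-C9E8AC74FF2A\tSymmetric Key\tTDE Master Encryption Key: TAG CDB:CDB01 MEK first\n"
    "6A752388-F93D-4F14-BF35-39E674CAAFED\tSymmetric Key\tTDE Master Encryption Key: TAG REKEY CDB01\n"
)
OKVUTIL_AFTER = (
    "Unique ID                               Type            Identifier\n"
    "1B382343-A786-4F26-BFF9-35A8329A327C\tSymmetric Key\tTDE Master Encryption Key: MKID 0612F89A18C7984F27BF571A0420C58025\n"
    "2DE4025E-CF35-454D-9F60-33640DAAC067\tTemplate\tDefault template for DB_CDB02\n"
)


def build_request(action, options):
    """Build the document 'okv manage-access wallet <action> --from-json' reads,
    in the shape 'okv ... --generate-json-input' writes in this post."""
    return {"service": {"category": "manage-access", "resource": "wallet",
                        "action": action, "options": options}}


def parse_okv_response(text):
    """Return the 'value' object of a successful okv JSON response, raise otherwise."""
    doc = json.loads(text)
    if doc.get("result") != "Success":
        raise RuntimeError("okv call failed: %s" % doc)
    return doc.get("value", {})


def parse_okvutil_list(text):
    """Parse 'okvutil list' output: one tab separated row per object
    (Unique ID, Type, Identifier); the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3 or parts[0] == "Unique ID":
            continue
        rows.append({"uid": parts[0], "type": parts[1], "identifier": parts[2]})
    return rows


def check_separation(wallets_json, default_json, okvutil_text,
                     source_wallet="ORA_DB", clone_wallet="ORA_CLONES", source_db="CDB01"):
    """Return the list of reasons the clone endpoint is still tied to the source;
    an empty list means the separation is complete."""
    problems = []
    wallets = parse_okv_response(wallets_json).get("wallets", [])
    if source_wallet in wallets:
        problems.append("endpoint still has access to wallet %s" % source_wallet)
    if clone_wallet not in wallets:
        problems.append("endpoint has no access to its own wallet %s" % clone_wallet)
    # Without a default wallet the keys created by REKEY belong to no wallet at all.
    default = parse_okv_response(default_json).get("defaultWallet")
    if default != clone_wallet:
        problems.append("default wallet is %r, expected %r" % (default, clone_wallet))
    # The source keys in this post are tagged with the source database name.
    tagged = re.compile(r"\b%s\b" % re.escape(source_db))
    for row in parse_okvutil_list(okvutil_text):
        if row["type"] == "Symmetric Key" and tagged.search(row["identifier"]):
            problems.append("key %s is still tagged for %s" % (row["uid"], source_db))
    return problems


if __name__ == "__main__":
    print(json.dumps(build_request("remove-access",
                                   {"wallet": "ORA_DB", "endpoint": "DB_CDB02"}), indent=2))
    for label, wallets, keys in (("before", WALLETS_BEFORE, OKVUTIL_BEFORE),
                                 ("after", WALLETS_AFTER, OKVUTIL_AFTER)):
        print(label, check_separation(wallets, DEFAULT_WALLET, keys) or "separated")
```

The key check relies on the source MEKs carrying a TAG that names the source database, as they do in this post (TAG CDB:CDB01, TAG REKEY CDB01). Keys that are identified only by their MKID cannot be attributed to a database from okvutil list alone; for those, compare the MKIDs against the KEY_ID column of V$ENCRYPTION_KEYS in the source database before deciding that the clone holds none of them.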

Conclusion

If the database is not configured with OKV, after a REKEY operation the wallet file stored on local disk must be backed up. When the database is configured with OKV and a REKEY operation is issued, we have to do … nothing. The keys are automatically stored in the OKV database without any intervention. Just one remark: the endpoint, in our example DB_CDB02, needs to have a default wallet configured. Otherwise the keys will not belong to any wallet. That doesn't mean the CDB02 database cannot access them, but having keys outside wallets in OKV increases the maintenance effort.
