Hello
I have configured my pluggable databases to use Transparent Data Encryption in ISOLATED MODE by setting tde_configuration="keystore_configuration=file" from each PDB. I have also set the WALLET_ROOT from the CDB to /oracle/admin/TDETEST/tde_wallet/, where I have created the tde_wallet directory. I have created a keystore for each PDB and set a master key in each of their keystores. Later I open the keystores I have created as follows:
SQL> alter session set container="mypdb1";
Session wurde geandert.
SQL> administer key management set keystore open identified by mypdb1keystorepassword;
Keystore geandert.
SQL> alter session set container="mypdb2";
Session wurde geandert.
SQL> administer key management set keystore open identified by mypdb2keystorepassword;
Keystore geandert.
I would like to store the passwords of the keystore in a SEPS Secure External Password Store so that I can open the keystores with the clause: IDENTIFIED BY EXTERNAL STORE. I have read about how the parameter EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION needs to be set. My question is, if I have configured TDE in isolated mode, do I have to set the EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION parameter from each PDB to store their keystore passwords? I tried doing that but I get an error saying the parameter cannot be changed.
Daniel Overby Hansen has shown here https://dohdatabase.files.wordpress.com/2020/09/tde-from-a-non-security-guy.pdf how to add a secret to the Secure External Password Store with ‘TDE_WALLET’ as client. I have set a password for my CDB keystore in the CDB, where I have set a secret for the TDE_WALLET client, and that worked. But when I try to add the secret “mypdb1password” with “TDE_WALLET” as client from mypdb1, it says the client already has a secret.
Here are my questions:
Can I store the passwords of the isolated keystores at EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION? How?
Under which client name should the secrets be created when I want the isolated keystore to be opened through SEPS?
If secrets are stored at EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION, how does Oracle know which keystore has which password?
Here is a tree structure of the tde wallet:
[oracle@v01edv13 tde_wallet]$ tree /oracle/admin/TDETEST/tde_wallet/;
/oracle/admin/TDETEST/tde_wallet/
├── FEB75BB18DE8670CE053844113ACC127
│   └── tde
│       └── ewallet.p12
├── FEB75BB18DEA670CE053844113ACC127
│   └── tde
│       └── ewallet.p12
└── tde
    ├── cwallet.sso
    └── ewallet.p12
Does it make any difference if I set EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION to any other location?
Thank you so much!
I spoke to security expert Peter Wahl for his input on this one (you should check out the regular Security Office Hours sessions so you can chat with these folks directly).
EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION is only needed in 12.2.0.1 to enable "IBES" ("identified by EXTERNAL STORE") without WALLET_ROOT (which was introduced in 18c).
In 18c and later:
1. In CDB$ROOT
a. set WALLET_ROOT and TABLESPACE ENCRYPTION; (bounce DB), then TDE_CONFIGURATION to FILE
b. "AKM create keystore container = current;" (without specifying a directory) automatically creates <WALLET_ROOT>/tde directory and the keystore
c. Manually create <WALLET_ROOT>/tde_seps and add the keystore password like so to enable IBES:
AKM add secret 'wallet-pwd' for client 'TDE_PASSWORD' to [local] auto_login keystore '<WALLET_ROOT>/tde_seps';
2. In the PDB:
a. If you run "AKM set key;", that key can only go in the CDB$ROOT wallet ==> united PDB
b. If you run "AKM create keystore;" (without specifying a directory), that can only mean the PDB's own keystore ==> isolated PDB
i. automatically creates <WALLET_ROOT>/<PDB_GUID>/tde directory and the isolated keystore
ii. set TDE_CONFIGURATION to FILE for the PDB (in united PDBs, show parameter TDE_CONFIG is empty because it's inherited from the CDB$ROOT)
iii. Manually create <WALLET_ROOT>/<PDB_GUID>/tde_seps and add the keystore password like so to enable IBES:
AKM add secret 'wallet-pwd' for client 'TDE_PASSWORD' to [local] auto_login keystore '<WALLET_ROOT>/<PDB_GUID>/tde_seps';
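As an added worked example (not part of the question or of the reply above), here is the sequence the reply describes written out in full SQL*Plus statements for one isolated PDB. It assumes the WALLET_ROOT and PDB keystore password from the question, a PDB named MYPDB1, and a CDB keystore password "cdbkeystorepassword" that is made up for the example. The client identifier is written as 'TDE_WALLET' because that is the name the question reports as working for the CDB; the reply above writes 'TDE_PASSWORD', so check the Advanced Security Guide for your release before relying on either. <PDB_GUID> is a placeholder for the value returned by the V$PDBS query, not a real directory name.

```sql
-- Added example, not code from the question or the reply.
-- Assumed: WALLET_ROOT = /oracle/admin/TDETEST/tde_wallet (from the question),
-- PDB name MYPDB1, PDB keystore password mypdb1keystorepassword (from the question),
-- CDB keystore password cdbkeystorepassword (constructed for this example).

------------------------------------------------------------------
-- 1. CDB$ROOT
------------------------------------------------------------------
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- 1a. WALLET_ROOT is static: set it in the SPFILE and restart the instance.
ALTER SYSTEM SET WALLET_ROOT = '/oracle/admin/TDETEST/tde_wallet' SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE; STARTUP;  (restart here, then continue)

-- After the restart, select the software keystore (FILE) as the TDE backend.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- 1b. No directory is given: the keystore lands in <WALLET_ROOT>/tde.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "cdbkeystorepassword";

-- 1c. Create the SEPS directory at the OS level first, as the oracle user:
--     mkdir -p /oracle/admin/TDETEST/tde_wallet/tde_seps
-- Then store the CDB keystore password in a local auto-login wallet there.
ADMINISTER KEY MANAGEMENT ADD SECRET 'cdbkeystorepassword'
  FOR CLIENT 'TDE_WALLET'
  TO LOCAL AUTO_LOGIN KEYSTORE '/oracle/admin/TDETEST/tde_wallet/tde_seps';

-- From now on the CDB keystore opens without the password on the command line.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY EXTERNAL STORE WITH BACKUP;

------------------------------------------------------------------
-- 2. Isolated PDB
------------------------------------------------------------------
ALTER SESSION SET CONTAINER = MYPDB1;

-- 2b. Creating a keystore inside the PDB makes it isolated; the file lands in
--     <WALLET_ROOT>/<PDB_GUID>/tde, which is the GUID directory the tree
--     in the question shows.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "mypdb1keystorepassword";

-- 2b-ii. The PDB now carries its own TDE_CONFIGURATION instead of inheriting it.
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- Look up the GUID that names this PDB's directory under WALLET_ROOT.
SELECT guid FROM v$pdbs WHERE name = 'MYPDB1';

-- 2b-iii. Per-PDB SEPS directory, created at the OS level:
--     mkdir -p /oracle/admin/TDETEST/tde_wallet/<PDB_GUID>/tde_seps
-- Because each isolated PDB has its own tde_seps directory, there is no
-- clash of client names: the directory, not the client identifier, ties the
-- secret to the keystore (this answers the "which password for which
-- keystore" question).
ADMINISTER KEY MANAGEMENT ADD SECRET 'mypdb1keystorepassword'
  FOR CLIENT 'TDE_WALLET'
  TO LOCAL AUTO_LOGIN KEYSTORE '/oracle/admin/TDETEST/tde_wallet/<PDB_GUID>/tde_seps';

-- Open the isolated keystore through SEPS and set its master key.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY EXTERNAL STORE WITH BACKUP;

-- Check: the PDB should show its own wallet path, STATUS = OPEN and
-- KEYSTORE_MODE = ISOLATED.
SELECT con_id, wrl_parameter, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;
```

Repeat the PDB block for mypdb2 with its own GUID directory. The tde_seps wallets are local auto-login wallets, so they can only be read on the host that created them; keep the directories readable by the oracle OS user only, since anyone who can read them can open the keystore.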