Understanding Transparent Data Encryption and Keystores in RAC

by admin

Oracle Database enables RAC nodes to share the keystore (wallet). This eliminates the need to manually copy and synchronize the keystore across all nodes. Oracle recommends that you create the keystore on a shared file system. This allows all instances to access the same shared keystore. Oracle RAC uses keystores in the following ways:

  1. Any keystore operation, such as opening or closing the keystore, performed on one Oracle RAC instance applies to all other Oracle RAC instances. Opening or closing the keystore on one instance therefore opens or closes it for every instance in the cluster.
  2. When using a shared file system, ensure that the ENCRYPTION_WALLET_LOCATION parameter for all Oracle RAC instances points to the same shared keystore location. The security administrator must also ensure security of the shared keystore by assigning appropriate directory permissions.
  3. A master key rekey performed on one instance is applicable for all instances. When a new Oracle RAC node comes up, it is aware of the current keystore open or close status.
  4. Do not issue any keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN or CLOSE SQL statements while setting up or changing the master key.

Deployments without shared storage for the keystore require each Oracle RAC node to maintain a local keystore. After you create and provision a keystore on a single node, you must copy the keystore and make it available to all of the other nodes, as follows:

  • For systems using Transparent Data Encryption with encrypted keystores, you can use any standard file transport protocol, though Oracle recommends using a secured file transport.
  • For systems using Transparent Data Encryption with auto-login keystores, file transport through a secured channel is recommended.

To specify the directory in which the keystore must reside, set the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file. Once copied, the local keystores do not need to be synchronized again until the server master key is re-keyed with the ADMINISTER KEY MANAGEMENT SET KEY SQL statement. Each time you issue ADMINISTER KEY MANAGEMENT SET KEY on a database instance, you must again copy the keystore residing on that node to all of the other nodes, and then close and reopen the keystore on each node. To avoid unnecessary administrative overhead, reserve re-keying for exceptional cases where you believe the server master key may have been compromised and that leaving it in place would be a serious security problem.
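The two placements above each come with a check an administrator will want to script: for a shared keystore, that every node's sqlnet.ora points at the same ENCRYPTION_WALLET_LOCATION directory and that the directory is closed to group and other; for per-node local copies, that every node's ewallet.p12 is byte-identical after a re-key. The script below is an added example written for this article, not code from Oracle or from The Geek Diary. The sqlnet.ora content, the /acfs/tde/wallet path and the node1..node3 directories are constructed for the demonstration; on a real cluster you would run the keystore-comparison step against the keystore directory of each node.

```shell
#!/bin/sh
# Added example, not code from the original article: checks for the two
# keystore placements described above (shared directory vs. per-node copy).
# All paths, the sample sqlnet.ora and the "node" directories are constructed.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION (METHOD=FILE form)
# from a sqlnet.ora. Comment lines are dropped and the parameter is flattened
# so the usual multi-line layout is handled. Prints nothing if it is absent.
wallet_dir_from_sqlnet() {
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\n' | sed -n \
      's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\([^)]*\)).*/\1/p'
}

# Shared keystore: the directory must grant no access to group or other.
# ls -ld columns 5-10 are the group and other permission bits (POSIX).
wallet_dir_is_private() {
    [ -d "$1" ] || return 2
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Per-node keystores: every directory's ewallet.p12 must be byte-identical to
# the first one given. A stale node (not re-copied after SET KEY) fails here.
keystores_in_sync() {
    first=""
    for d in "$@"; do
        f="$d/ewallet.p12"
        if [ ! -f "$f" ]; then
            echo "no keystore in $d" >&2
            return 1
        fi
        if [ -z "$first" ]; then
            first=$f
        elif ! cmp -s "$first" "$f"; then
            echo "keystore in $d differs from $first" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demonstration on constructed data (hypothetical paths).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
      '# constructed sqlnet.ora fragment' \
      'ENCRYPTION_WALLET_LOCATION =' \
      '  (SOURCE = (METHOD = FILE)' \
      '    (METHOD_DATA = (DIRECTORY = /acfs/tde/wallet)))' > "$tmp/sqlnet.ora"
    echo "keystore directory from sqlnet.ora: $(wallet_dir_from_sqlnet "$tmp/sqlnet.ora")"

    mkdir -p "$tmp/node1" "$tmp/node2" "$tmp/node3"
    chmod 700 "$tmp/node1"
    wallet_dir_is_private "$tmp/node1" && echo "node1 keystore directory is private"

    # Constructed keystore bytes; node3 still holds the pre-rekey copy.
    printf 'keystore-after-rekey' > "$tmp/node1/ewallet.p12"
    printf 'keystore-after-rekey' > "$tmp/node2/ewallet.p12"
    printf 'keystore-before-rekey' > "$tmp/node3/ewallet.p12"
    keystores_in_sync "$tmp/node1" "$tmp/node2" && echo "node1/node2 in sync"
    keystores_in_sync "$tmp/node1" "$tmp/node2" "$tmp/node3" \
      || echo "node3 must receive the re-keyed keystore, then close/reopen it"
    rm -rf "$tmp"
}

demo
```

The keystore comparison deliberately uses a byte-for-byte cmp rather than a timestamp: a keystore copied with its mtime preserved looks "current" by date but may still predate the last re-key, which is exactly the condition the article says must not persist.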

Note: If Oracle Automatic Storage Management Cluster File System (Oracle ACFS) is available for your operating system, then Oracle recommends that you store the keystore in Oracle ACFS.

Filed Under: oracle, oracle 12c, RAC
