The Geek Diary
Understanding Transparent Data Encryption and Keystores in RAC

by admin

Oracle Database enables RAC nodes to share the keystore (wallet). This eliminates the need to manually copy and synchronize the keystore across all nodes. Oracle recommends that you create the keystore on a shared file system. This allows all instances to access the same shared keystore. Oracle RAC uses keystores in the following ways:

  1. Any keystore operation, such as opening or closing the keystore, performed on any one Oracle RAC instance applies to all other Oracle RAC instances. Opening or closing the keystore on one instance therefore opens or closes it for every Oracle RAC instance.
  2. When using a shared file system, ensure that the ENCRYPTION_WALLET_LOCATION parameter for all Oracle RAC instances points to the same shared keystore location. The security administrator must also secure the shared keystore by assigning appropriate directory permissions.
  3. A master key rekey performed on one instance is applicable for all instances. When a new Oracle RAC node comes up, it is aware of the current keystore open or close status.
  4. Do not issue any keystore ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN or CLOSE SQL statements while setting up or changing the master key.

Deployments where no shared storage exists for the keystore require each Oracle RAC node to maintain a local keystore. After you create and provision a keystore on a single node, you must copy the keystore and make it available to all of the other nodes, as follows:

  • For systems using Transparent Data Encryption with encrypted keystores, you can use any standard file transport protocol, though Oracle recommends using a secured file transport.
  • For systems using Transparent Data Encryption with auto-login keystores, file transport through a secured channel is recommended.

To specify the directory in which the keystore must reside, set the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file. The local copies of the keystore do not need to be synchronized during normal Transparent Data Encryption usage until the master key is re-keyed with the ADMINISTER KEY MANAGEMENT SET KEY SQL statement. Each time you issue the ADMINISTER KEY MANAGEMENT SET KEY statement on a database instance, you must again copy the keystore residing on that node and make it available to all of the other nodes. Then, you must close and reopen the keystore on each of the nodes. To avoid unnecessary administrative overhead, reserve re-keying for exceptional cases where you believe that the master key may have been compromised and that leaving it in place would cause a serious security problem.

Note: If Oracle Automatic Storage Management Cluster File System (Oracle ACFS) is available for your operating system, then Oracle recommends that you store the keystore in Oracle ACFS.
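The sequence below is an added example, not part of the original article: the sqlnet.ora entry every node must carry for the shared-keystore case, a GV$ENCRYPTION_WALLET check that all instances resolve the same location and status, the rekey on one instance, and the close/reopen that local-keystore deployments need afterwards. The directory path, keystore password and backup tag are assumed placeholders.

```sql
-- sqlnet.ora on EVERY RAC node (identical; the directory is an assumed ACFS path):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /acfs/oracle/wallet)))
--
-- Restrict the shared directory to the Oracle software owner before creating
-- the keystore (OS command, shown for reference):
--   chmod 700 /acfs/oracle/wallet

-- 1. Confirm every instance resolves the same keystore directory.
--    An instance whose WRL_PARAMETER differs has a mismatched sqlnet.ora.
SELECT inst_id, wrl_parameter, status, wallet_type
  FROM gv$encryption_wallet
 ORDER BY inst_id;

-- 2. Open the keystore on one instance; the open applies cluster-wide.
--    (In a multitenant database append CONTAINER = ALL to these statements.)
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "keystore_password";          -- placeholder password

-- 3. Rekey the master key only when compromise is suspected.
--    WITH BACKUP copies the keystore before the new key is written.
--    Do not issue SET KEYSTORE OPEN or CLOSE while this statement runs.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "keystore_password"
  WITH BACKUP USING 'before_rekey';           -- placeholder backup tag

-- 4. Verify that no instance is left with a closed keystore.
SELECT inst_id, status
  FROM gv$encryption_wallet
 WHERE status <> 'OPEN';                      -- expect no rows

-- 5. Local-keystore deployments only (no shared storage): after the rekey,
--    copy ewallet.p12 from this node to every other node over a secured
--    channel, then on EACH node close and reopen the keystore:
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "keystore_password";
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN  IDENTIFIED BY "keystore_password";
```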

Filed Under: oracle, oracle 12c, RAC

© 2022 · The Geek Diary