TDE heartbeat with HSM gets disconnected

We are attempting to configure TDE to work with an nCipher Connect+ HSM (hardware security module) to store the keys. We are using version 18.10.0.0.200414 of the DB on a Windows 2016 server and v12.3 of the nCipher software. We've followed both the Oracle docs (Advanced Security manual) and the nCipher instructions to perform the configuration, and it works as long as we don't exit the SQL*Plus session. Once we exit SQL*Plus the DB loses connectivity with the HSM and we get the error below in the alert.log.
kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400
These are the commands we ran:
Installed the nCipher keysafe v1.30.1 client software on the windows 2016 db server.
Created dir and copied dll to here:
C:\oracle\extapi\32\hsm\nCipher\v12.30\libcknfast.dll
In a SQL*Plus session, we connect to the local DB and then issue:
alter system set WALLET_ROOT='E:\app\oracle\admin\common\wallets\<SID_NAME>' scope=spfile;
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=spfile ;
Bounced the DB.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hardware_keystore_password";
keystore altered.
SQL>
SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER  STATUS  WALLET_TYPE  WALLET_OR  KEYSTORE  FULLY_BAC  CON_ID
--------  -------------  ------  -----------  ---------  --------  ---------  ------
HSM                      OPEN    HSM          SINGLE     NONE      UNDEFINED  0
Set HSM master encryption key:
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hardware_keystore_credentials";
The command succeeds and I can see the new key created on the HSM dashboard, but when we exit SQL*Plus I see the error in alert.log, and when I log back into SQL*Plus it shows the wallet is closed. We've tried creating an auto-login wallet but it still gives the same error after exiting SQL*Plus. Any ideas on what is causing the loss of connection to the HSM?
Answers
-
Hello there,
If you are sure about the HSM availability (up from the network side), then please check out the following; I can share the master support note if needed.
Oracle Key Vault Known Issues
1) The CA certificates for Oracle Key Vault Server expire, causing endpoints to be unable to connect (as they authenticate over TLS)
To check the validity of the existing server certificates, log in to Oracle Key Vault Server as the support user.
Switch to the root user and run the following:
# cd /usr/local/okv/ssl/
# openssl x509 -in CA.pem -text
# cd server_cert/ssl
# openssl x509 -in cert.pem -text
Solution: Contact Support to assist in regenerating the server certificates for Oracle Key Vault Server.
Once the new CA certificates have been obtained, all endpoints must be re-enrolled.
An Enhancement Request exists: Bug 29013465 - EXTERNALIZE A FEATURE TO REGENERATE OR EXTEND CA CERTIFICATES OF OKV SERVER
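The certificate check in the answer above reads the whole certificate with `openssl x509 -text` and leaves you to find the "Not After" line by eye. As an added example (not part of this thread, nor an Oracle or OKV script), the shell functions below do the same check in a form that can be scripted: they print the notAfter date and use `openssl x509 -checkend` to flag any PEM certificate that expires within a chosen number of days. They assume only that `openssl` is on the PATH; the file names passed in are placeholders, and the sample certificates used to exercise the functions are generated locally rather than taken from any real OKV server.

```shell
#!/bin/sh
# Added example: expiry check for PEM certificates such as the OKV CA.pem / cert.pem
# named in the answer above. Assumes 'openssl' is on the PATH; paths are placeholders.

# Print the notAfter date of the PEM certificate in $1 (e.g. "Jan  1 00:00:00 2030 GMT").
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 stays valid for at least $2 days (default 30),
# 1 if it expires within that window. -checkend takes the window in seconds.
cert_valid_for_days() {
    secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# Check every certificate file given after the day threshold; prints one line per
# file prefixed OK or EXPIRING, followed by a summary line with the count of
# certificates that fall inside the window.
check_certs() {
    days=$1; shift
    bad=0
    for f in "$@"; do
        if cert_valid_for_days "$f" "$days"; then
            echo "OK       $f (notAfter=$(cert_expiry "$f"))"
        else
            echo "EXPIRING $f (notAfter=$(cert_expiry "$f"))"
            bad=$((bad + 1))
        fi
    done
    echo "$bad certificate(s) expiring within $days days"
}

# Usage on an OKV server (paths from the answer above, run as root):
#   check_certs 30 /usr/local/okv/ssl/CA.pem /usr/local/okv/ssl/server_cert/ssl/cert.pem
```

Because endpoints authenticate to OKV over TLS, a certificate that has already expired shows up as a connection failure rather than a clear "certificate expired" message on the database side, so running this check with a generous window (30 or 60 days) from cron gives warning before the enrolment breaks.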
-
Hanny,
Thanks for your reply. We are not using Oracle key vault so I'm not sure that this would still apply to our situation.