tde heartbeat with hsm gets disconnected

Flabbergasted George
Flabbergasted George Member Posts: 16 Red Ribbon
edited Sep 8, 2020 11:08AM in Database Security - General

We are attempting to configure TDE to work with an nCipher Connect+ HSM (hardware security module) to store the keys.  We are using version 18.10.0.0.200414 of the db on Windows 2016 server and v12.3 of the nCipher software.  We've followed both the Oracle docs (Advanced Security manual) and the nCipher instructions to perform the configuration, and it works as long as we don't exit the sqlplus session.  Once we exit sqlplus, the db loses connectivity with the HSM and we get the error below in the alert.log.

kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400

These are the commands we ran:

Installed the nCipher keysafe v1.30.1 client software on the windows 2016 db server.

Created a directory and copied the DLL here:

C:\oracle\extapi\32\hsm\nCipher\v12.30\libcknfast.dll

In sqlplus session, we connect to the local db then issue:

alter system set WALLET_ROOT='E:\app\oracle\admin\common\wallets\<SID_NAME>' scope=spfile;

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=spfile ;

bounced the db

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN  IDENTIFIED BY "hardware_keystore_password";

keystore altered.

SQL>

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER  STATUS  WALLET_TYPE  WALLET_OR  KEYSTORE  FULLY_BAC  CON_ID
--------  -------------  ------  -----------  ---------  --------  ---------  ------
HSM                      OPEN    HSM          SINGLE     NONE      UNDEFINED       0

Set HSM master encryption key:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hardware_keystore_credentials";

The command succeeds and I can see the new key created on the HSM dashboard, but when we exit SQL*Plus I see the error in alert.log, and when I log back into sqlplus it shows the wallet is closed.  We've tried creating an auto-login wallet, but it still gives the same error after exiting SQL*Plus.  Any ideas on what is causing the loss of connection to the HSM?
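The alert.log excerpt above only gives a raw PKCS#11 return code, and the first thing a defender wants when triaging an HSM disconnect is to know which PKCS#11 entry point failed and what the code means. The following is an added triage helper, not code from the original post, Oracle or nCipher. It reassembles the two message shapes Oracle writes (the wrapped "PKCS11 function ... returned / PKCS11 error code: N" pair and the one-line "C_xxx threw PKCS#11 error N" form) and decodes the code against a subset of the OASIS PKCS#11 CK_RV table. It assumes that Oracle prints the return code in decimal; the summary also shows the hex form so the reading can be cross-checked against the vendor's documentation. The sample log is constructed from the excerpt in the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of PKCS#11 CK_RV return codes (OASIS PKCS#11 v2.40 pkcs11t.h values)
# that are relevant to HSM connectivity, login state and session lifecycle.
CKR_NAMES = {
    0x000: "CKR_OK",
    0x005: "CKR_GENERAL_ERROR",
    0x006: "CKR_FUNCTION_FAILED",
    0x030: "CKR_DEVICE_ERROR",
    0x031: "CKR_DEVICE_MEMORY",
    0x032: "CKR_DEVICE_REMOVED",
    0x0A0: "CKR_PIN_INCORRECT",
    0x0A4: "CKR_PIN_LOCKED",
    0x0B0: "CKR_SESSION_CLOSED",
    0x0B3: "CKR_SESSION_HANDLE_INVALID",
    0x0E0: "CKR_TOKEN_NOT_PRESENT",
    0x101: "CKR_USER_NOT_LOGGED_IN",
    0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
    0x191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
}

# Message shapes taken from the alert.log excerpt in the question.
HEARTBEAT_RE = re.compile(r"HSM heartbeat died")
FUNC_RE = re.compile(r"PKCS11 function (C_\w+) returned")      # line 1 of the wrapped pair
CODE_RE = re.compile(r"PKCS11 error code:\s*(\d+)")             # line 2 of the wrapped pair
THREW_RE = re.compile(r"(C_\w+) threw PKCS#?11 error (\d+)")    # one-line kzthsmterm form


@dataclass
class HsmEvent:
    function: str        # PKCS#11 entry point that failed
    code: int            # return code exactly as printed in the alert log
    heartbeat_lost: bool # True if kzthsmcc3 reported the heartbeat dead before this call

    def ckr_name(self) -> str:
        # Assumption: Oracle prints CK_RV in decimal, so 400 is looked up as 0x190.
        return CKR_NAMES.get(self.code, "CKR_? (not in table)")


def parse_alert_log(lines: List[str]) -> List[HsmEvent]:
    """Extract one HsmEvent per failed PKCS#11 call from alert.log lines."""
    events: List[HsmEvent] = []
    heartbeat_lost = False
    pending_func: Optional[str] = None   # function name waiting for its wrapped code line
    for line in lines:
        if HEARTBEAT_RE.search(line):
            heartbeat_lost = True
        m = FUNC_RE.search(line)
        if m:
            pending_func = m.group(1)
        m = CODE_RE.search(line)
        if m and pending_func:
            events.append(HsmEvent(pending_func, int(m.group(1)), heartbeat_lost))
            pending_func = None
            continue
        m = THREW_RE.search(line)
        if m:
            events.append(HsmEvent(m.group(1), int(m.group(2)), heartbeat_lost))
    return events


def summarize(events: List[HsmEvent]) -> List[str]:
    """One readable line per failed call: decimal code, hex code, decoded name."""
    return [
        f"{e.function}: rc={e.code} (0x{e.code:X}) -> {e.ckr_name()}"
        + (" [after heartbeat loss]" if e.heartbeat_lost else "")
        for e in events
    ]


# Constructed sample: the alert.log excerpt from the question, reassembled.
SAMPLE_ALERT_LOG = """\
kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400
""".splitlines()

if __name__ == "__main__":
    for line in summarize(parse_alert_log(SAMPLE_ALERT_LOG)):
        print(line)
```

Run against a live alert.log by passing its lines to parse_alert_log; the order of events (heartbeat loss, then the failing C_EncryptInit, then the teardown calls in kzthsmterm) is preserved, which is what you need when correlating with HSM-side logs and network events for the same timestamps.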


Answers

  • Hany Ezzat -Oracle
    Hany Ezzat -Oracle Member Posts: 90 Employee
    edited Sep 6, 2020 10:37AM

    Hello there,

    If you are sure about the HSM availability (up from the network side), then please check out the following, and I can share the master Support Note if needed:

    Oracle Key Vault Known Issues


    1)  The CA certificates for Oracle Key Vault Server expire, causing endpoints to be unable to connect (as they authenticate over TLS)

    To check the validity of the existing server certificates, log in to the Oracle Key Vault Server as the support user.
    Switch to the root user and run the following:

    # cd /usr/local/okv/ssl/
    # openssl x509 -in CA.pem -text
    # cd server_cert/ssl
    # openssl x509 -in cert.pem -text

    Solution:  Contact Support to assist in regenerating the server certificates for Oracle Key Vault Server.

    Once the new CA certificates have been obtained, all endpoints must be re-enrolled.

    An Enhancement Request exists: Bug 29013465 - EXTERNALIZE A FEATURE TO REGENERATE OR EXTEND CA CERTIFICATES OF OKV SERVER

  • Flabbergasted George
    Flabbergasted George Member Posts: 16 Red Ribbon
    edited Sep 8, 2020 11:08AM

    Hany,

    Thanks for your reply.  We are not using Oracle Key Vault, so I'm not sure that this would still apply to our situation.