PKCS#11 HSM support for Transparent Data Encryption
595692, Sep 2 2007, edited Nov 14 2007
Hi,
I'm trying to get a PKCS#11 HSM working with TDE with little luck.
I have installed Oracle 11gR1 (recent release version) on a Linux VM running Red Hat Application Server 4. The sqlnet.ora file contains
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
and the PKCS#11 implementation dll exists at
/opt/oracle/extapi/32/hsm/RSA/1.8.0/libp11s.so
as per the documentation.
In sqlplus, after starting the DB, I issue the command
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user:1234";
but this fails with
ERROR at line 1: ORA-28353: failed to open wallet.
and it appears the PKCS#11 dll is never even loaded.
TDE works fine when I use a local wallet (P12).
Is there anything else I need to do to get a PKCS#11 HSM to be used to store the TDE master key? Also, why does a username have to be specified, when PKCS#11 only requires a slot number and PIN? How does Oracle know which PKCS#11 driver to load if there are multiple under /opt/oracle/extapi/32/hsm/... ?
Thanks very much,
Owen Roberts
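The first thing to settle with an ORA-28353 like the one above is whether the PKCS#11 library itself is usable from the database host, independently of Oracle. The script below is an added example (not part of the original post, and not Oracle's or any HSM vendor's code): it walks the extapi directory tree the post quotes and reports every shared object found there (two or more drivers is the ambiguity the poster asks about), then loads one library with dlopen, resolves C_GetFunctionList exactly as any PKCS#11 consumer does, lists the slots that hold a token with their labels, and optionally opens a session and attempts C_Login as the normal user with a PIN. The base path /opt/oracle/extapi, the command-line layout, and the slot/PIN arguments are assumptions; nothing here reproduces Oracle's own wallet logic. Run it as the oracle OS user so that file permissions and library search paths match what the database process sees.

```python
"""Probe a PKCS#11 library outside Oracle (added example, not Oracle code).

Walks the extapi tree, dlopen()s a library, calls C_GetFunctionList,
lists slots holding a token and optionally tries C_Login with a PIN.
EXTAPI_BASE, the slot number and the PIN are assumptions for this demo."""
import ctypes
import os
import sys

CKR_OK = 0
CKF_RW_SESSION = 0x2
CKF_SERIAL_SESSION = 0x4
CKU_USER = 1
EXTAPI_BASE = "/opt/oracle/extapi"  # assumed default, override on the command line


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


# Leading entries of CK_FUNCTION_LIST in spec order; ctypes' native alignment
# gives the same offsets as the C struct in the Unix pkcs11.h (no packing).
_ENTRIES = ["C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",
            "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo",
            "C_GetMechanismList", "C_GetMechanismInfo", "C_InitToken",
            "C_InitPIN", "C_SetPIN", "C_OpenSession", "C_CloseSession",
            "C_CloseAllSessions", "C_GetSessionInfo", "C_GetOperationState",
            "C_SetOperationState", "C_Login", "C_Logout"]


class CK_FUNCTION_LIST(ctypes.Structure):
    _fields_ = [("version", CK_VERSION)] + [(n, ctypes.c_void_p) for n in _ENTRIES]


class CK_TOKEN_INFO(ctypes.Structure):  # full layout so the library can fill it safely
    _fields_ = ([("label", ctypes.c_char * 32), ("manufacturerID", ctypes.c_char * 32),
                 ("model", ctypes.c_char * 16), ("serialNumber", ctypes.c_char * 16)]
                + [(n, ctypes.c_ulong) for n in (
                    "flags", "ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
                    "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen", "ulTotalPublicMemory",
                    "ulFreePublicMemory", "ulTotalPrivateMemory", "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_char * 16)])


def find_pkcs11_libraries(base=EXTAPI_BASE):
    """Every shared object under base; more than one makes the driver choice ambiguous."""
    found = []
    for root, _dirs, files in os.walk(base):
        found.extend(os.path.join(root, f) for f in files if f.endswith(".so") or ".so." in f)
    return sorted(found)


def _fn(fl, name, *argtypes):
    """Wrap one CK_FUNCTION_LIST slot as a callable returning CK_RV."""
    return ctypes.CFUNCTYPE(ctypes.c_ulong, *argtypes)(getattr(fl, name))


def probe_pkcs11(path, slot=None, pin=None):
    """Load path, enumerate tokens, and (if slot and pin given) attempt a user login."""
    r = {"library": path, "loaded": False, "slots": [], "login": None, "error": None}
    try:
        lib = ctypes.CDLL(path)
        get_fl = lib.C_GetFunctionList  # the one symbol every PKCS#11 library must export
    except (OSError, AttributeError) as exc:
        r["error"] = "load failed: %s" % exc
        return r
    r["loaded"] = True
    get_fl.restype = ctypes.c_ulong
    get_fl.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_fl(ctypes.byref(fl_ptr))
    if rv != CKR_OK:
        r["error"] = "C_GetFunctionList rv=0x%x" % rv
        return r
    fl = fl_ptr.contents
    r["version"] = "%d.%d" % (fl.version.major, fl.version.minor)
    ul, pul = ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)
    c_init = _fn(fl, "C_Initialize", ctypes.c_void_p)
    c_fini = _fn(fl, "C_Finalize", ctypes.c_void_p)
    c_slots = _fn(fl, "C_GetSlotList", ctypes.c_ubyte, pul, pul)
    c_tokinfo = _fn(fl, "C_GetTokenInfo", ul, ctypes.POINTER(CK_TOKEN_INFO))
    c_open = _fn(fl, "C_OpenSession", ul, ul, ctypes.c_void_p, ctypes.c_void_p, pul)
    c_login = _fn(fl, "C_Login", ul, ul, ctypes.c_char_p, ul)
    c_close = _fn(fl, "C_CloseSession", ul)
    rv = c_init(None)
    if rv != CKR_OK:
        r["error"] = "C_Initialize rv=0x%x" % rv
        return r
    try:
        n = ul(0)
        if c_slots(1, None, ctypes.byref(n)) == CKR_OK:  # tokenPresent=1: only usable slots
            ids = (ul * max(n.value, 1))()
            c_slots(1, ids, ctypes.byref(n))
            for sid in ids[:n.value]:
                info = CK_TOKEN_INFO()
                ok = c_tokinfo(sid, ctypes.byref(info)) == CKR_OK
                r["slots"].append((sid, info.label.decode("ascii", "replace").rstrip() if ok else "?"))
        if slot is not None and pin is not None:
            sess = ul(0)
            rv = c_open(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, None, None, ctypes.byref(sess))
            if rv == CKR_OK:
                rv = c_login(sess.value, CKU_USER, pin.encode(), len(pin.encode()))
                c_close(sess.value)
            r["login"] = "ok" if rv == CKR_OK else "rv=0x%x" % rv
    finally:
        c_fini(None)
    return r


if __name__ == "__main__":
    # usage: probe.py [library.so [slot [pin]]]; with no arguments, list the tree
    if len(sys.argv) < 2:
        print("\n".join(find_pkcs11_libraries()) or "no shared objects under " + EXTAPI_BASE)
    else:
        s = int(sys.argv[2]) if len(sys.argv) > 2 else None
        print(probe_pkcs11(sys.argv[1], s, sys.argv[3] if len(sys.argv) > 3 else None))
```

If the library fails to load here (missing dependencies, wrong architecture for the 32/64 directory it sits in, unreadable by the oracle user), that is the fault to fix before looking at sqlnet.ora; a non-zero CK_RV from C_Login tells you whether the PIN and slot are right without involving the database at all. If everything succeeds as the oracle OS user and the ALTER SYSTEM still fails with ORA-28353, the problem lies on Oracle's side of the boundary (configuration or directory layout) rather than in the PKCS#11 driver.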