nCipher Modules

Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption

www.thalesgroup.com/iss

Version: Date:

1.2 9 August 2011

Copyright 2011 Thales e-Security Limited. All rights reserved. Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied. CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited. CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders. Information in this document is subject to change without notice. Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material. These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.

Date: 2011

09 August 2011

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

nShiNov10

Version:

1.2

Contents

Chapter 1:

Introduction
Supported nCipher functionality Requirements

4
5 5

Chapter 2:

Procedures
Installing Oracle Database 11g Release 2 Installing the HSM Installing the support software and configuring the HSM Configuring Oracle Database 11g TDE to use the HSM

7
7 8 8 9

Chapter 3: Addresses

Troubleshooting

14 15

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Chapter 1: Introduction

This guide explains how to integrate Oracle Database 11g Release 2 Transparent Data Encryption (TDE) with a Thales nCipher Hardware Security Module (HSM). The instructions in this document have been thoroughly tested and provide a straight-forward integration process. There may be other untested ways to achieve interoperability. This document may not cover every step in the process of setting up all the software. This document assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for Oracle Database 11g Release 2 TDE. For more information about using Oracle Database 11g Release 2 TDE, see: http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG60 0 Oracle Database 11g Release 2 TDE transparently encrypts data that is stored in the Oracle database, without requiring any changes to the application that runs on top of the database. It supports both TDE tablespace encryption and TDE column encryption. The HSM secures the unified TDE master encryption key, which is used to encrypt and decrypt the tablespace keys for encrypted tablespaces, and table keys for encrypted application table columns. The HSM is used in place of the Oracle Wallet to provide a higher level of security assurance, including: Centralized storage and management of the master encryption key(s). Full life cycle management of the master encryption key(s). Highest level of security assurance, the keys never leave the HSM as plain text. FIPS 140-2 level 3 validated hardware. Failover support.

Depending on your current Oracle setup, you can use this document to either: Create and start using a new HSM-protected wallet (if you are not using an Oracle Wallet). Migrate from an existing Oracle Wallet to an HSM-protected wallet. The Oracle Wallet can be the default database wallet shared with the other components of the Oracle database or a separate wallet specifically used by TDE. When using Oracle TDE, Oracle recommends that you use a separate wallet to store the master encryption key. See the Oracle documentation for more information.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Supported nCipher functionality

The integration between the HSM and TDE uses the PKCS #11 cryptographic API. The integration has been successfully tested in the following configurations:
Operating system Thales nCipher software version 11.50 11.40 11.40 11.40 11.40 Oracle Database version 11.2.0.2.0 11.2.0.1.0 11.2.0.1.0 11.2.0.1.0 11.2.0.1.0 nShield Solo support Yes Yes Yes Yes Yes netHSM support nShield Connect support

Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 5 Solaris 10 for SPARC systems IBM AIX 5.3 IBM AIX 6.1

Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Additional documentation produced to support your Thales nCipher product can be found in the document directory of the CD-ROM or DVD-ROM for that product.
Note Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield.)

Supported nCipher functionality

Key Generation Key Management Key Import Key Recovery Yes Yes Yes 1-of-N Operator Card Set K-of-N Operator Card Set Softcards Module-only Key Yes Yes Yes Strict FIPS Support Load Sharing Fail Over Yes Yes Yes

Requirements
Before you begin the integration process: Read the Quick Start Guide or User Guide for your HSM. Familiarize yourself with the setup procedures for Oracle Database 11g Release 2 TDE.

Before running the setup program, you need to know: The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards. Whether the application keys are to be protected by the module, softcard or Operator Card Set (OCS). The number and quorum of Operator Cards in the OCS (only 1 of N is supported), and the policy for managing these cards.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Requirements

Whether the security world needs to be compliant with FIPS 140-2 level 3.

This integration requires Oracle Database 11g Release 2 (11.2.0.1.0 or 11.2.0.2.0) to be installed with the following Oracle patches applied:
Patch Unique patch ID Bugs fixed 9229896 for 11.2.0.1.0. 10098816 for 11.2.0.2.0. 12118360 for 11.2.0.1.0. 1123404322 for 11.2.0.2.0. 8909973: TDE cannot support multi-token HSMs. 9034189: TDE with HSM race condition.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Chapter 2: Procedures

To integrate Oracle Database 11g Release 2 TDE with an HSM: 1 2 3 4 Install Oracle Database 11g Release 2 and apply patch. Install the HSM. Install the nCipher software and configure the HSM. Configure Oracle Database 11g Release 2 TDE to use the HSM.

All these procedures are described in the following sections.

Installing Oracle Database 11g Release 2

To install Oracle Database 11g Release 2: 1 2 Download and unzip the appropriate Oracle distribution for your operating system. Set environment variables ORACLE_BASE, ORACLE_HOME, PATH, TNS_ADMIN and ORACLE_SID according to your environment, for example:

ORACLE_SID=<database_name>; export ORACLE_SID; ORACLE_BASE=/home/oracle/app; export ORACLE_BASE; ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME; PATH=$PATH:$ORACLE_HOME/bin; export PATH; TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN;

Note

Ensure that ORACLE_SID is at least eight alphanumeric characters long.

Ensure that the prerequisite configuration is complete according to Oracle documentation at: http://www.oracle.com/pls/db112/portal.portal_db?selected=11&frame=

4 Navigate to the installation folder and execute ./runInstaller to start the installation process and install the database software only.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Installing the HSM

Download and unzip patch 9229896 or 10098816 for the appropriate distribution and refer to the readme.txt file to use OPatch to install the patch. Run opatch lsinventory to verify the patch afterwards. Run dbca to create a database and select the option to add the sample schemas on step 8 of the dbca wizard. When asked for the ORACLE_SID, use the one you specified in step 2. The sample schemas and user accounts are used to test TDE with an HSM.

Installing the HSM

Install the HSM using the instructions in the documentation for the HSM. We recommend that you install the HSM before configuring the nCipher software.

Installing the support software and configuring the HSM

To install the Thales nCipher support software and configure the HSM: 1 Install the latest version of the support software and create a security world as described in the User Guide for the HSM.
Note We recommend that you uninstall any existing Thales nCipher software before installing the new software.

Create or edit the cknfastrc file located in the /opt/nfast directory, and depending on how you want to protect the master encryption key, set one of the following environment variables: OCS or softcard key protection:

CKNFAST_LOADSHARING=1

Module-only key protection:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

For more information, see the PKCS #11 library environment variables in the User Guide for the HSM. 3 Initialize a security world.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Configuring Oracle Database 11g TDE to use the HSM

For OCS protection, create a 1 of N card set, following the instructions in the User Guide for the HSM. Ensure that your Operator Card or softcard pass phrase has a minimum of eight alphanumeric characters. You must create a softcard for softcard protection; see the User Guide for the HSM for more information.

Configuring Oracle Database 11g TDE to use the HSM

To configure Oracle Database 11g Release 2 TDE to use the HSM: 1 Copy the PKCS #11 library located at /opt/nfast/toolkits/pkcs11/libcknfast-64.so (or libcknfast.so depending on your OS architecture) to one of the following locations:
/opt/oracle/extapi/32/hsm/libcknfast.so /opt/oracle/extapi/64/hsm/libcknfast-64.so /opt/oracle/extapi/64/hsm/libcknfast-64.so

Red Hat Enterprise Linux 5 (x86) Solaris 10 SPARC (64-bit) IBM AIX (PPC64)

Ensure that the directory exists and that oracle:oinstall is the owner:group of the directory with read and write access. 2 3 Add the oracle user to group nfast. You can verify this addition by looking at the entry for the nfast group in /etc/group. In the $TNS_ADMIN/sqlnet.ora file add or edit the following lines, depending on whether you are migrating from an Oracle Wallet:
ENCRYPTION_WALLET_LOCATION =(SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/$ORACLE_SID/wallet/))) ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))

Migrating from an Oracle Wallet

Not migrating

Log into the database using the following commands: In the UNIX command shell:

sqlplus / as sysdba

In sqlplus (at the SQL> prompt):

connect / as sysdba

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

Configuring Oracle Database 11g TDE to use the HSM

Create the master encryption key inside the HSM using one of the following commands, depending on how you want to protect the key and whether you are migrating from an Oracle Wallet: OCS key protection:
alter system set encryption key identified by OCS_pass_phrase|OCS_name migrate using wallet_password; alter system set encryption key identified by OCS_pass_phrase|OCS_name;

Migrating from an Oracle Wallet Not migrating

OCS key protection requires an OCS to be inserted into the module slot. You must specify |OCS_name after the pass phrase to identify a particular OCS in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1. Softcard key protection:
alter system set encryption key identified by softcard_pass_phrase|softcard_name migrate using wallet_password; alter system set encryption key identified by softcard_pass_phrase|softcard_name;

Migrating from an Oracle Wallet Not migrating

For softcard key protection, you must specify |softcard_name after the pass phrase to identify a particular softcard in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1. Module-only key protection:
alter system set encryption key identified by module_pass_phrase migrate using wallet_password; alter system set encryption key identified by module_pass_phrase;

Migrating from an Oracle Wallet Not migrating

Module-only key protection accepts any given pass phrase. In the cknfastrc file, you must set CKNFAST_FAKE_ACCELERATOR_LOGIN=1. The pass phrase must be at least eight alphanumeric characters long. The wallet_password is the password for the Oracle Wallet. 6 To verify that the master encryption key has been created, run /opt/nfast/bin/cklist. You should see the following PKCS #11 keys:
ORACLE.TDE.HSM.MK.key_hash ORACLE.TDE.HSM.MK.key_hash ORACLE.TSE.HSM.MK.key_hash

Migrating from an Oracle Software Wallet Not migrating

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

10

Configuring Oracle Database 11g TDE to use the HSM

If you migrated from an Oracle Software Wallet: In the UNIX command shell, use an orapki command similar to the following command to alter the Oracle Wallet pass phrase to match the new pass phrase:

orapki wallet change_pwd -wallet "/home/oracle/app/admin/your_test_database_name/wallet/ ewallet.p12" oldpwd "wallet_password" newpwd "OCS_pass_phrase|OCS_name"

This example is for OCS key protection. For softcard key protection, use softcard_pass_phrase|softcard_name. For module-only key protection, use module_pass_phrase. Navigate to the Oracle Wallet ewallet.p12 and rename it to ewallet.p12.old. This stops Transparent Data Encryption opening the software wallet. It is important that you keep this Oracle Wallet. 8 To use tablespace encryption and column encryption using the HSM, we recommend that you first create an encrypted tablespace using the following command and then proceed with column-level encryption:

CREATE TABLESPACE securespace1 DATAFILE '$ORACLE_BASE/oradata/$ORACLE_SID/secure01.dbf' SIZE 10M ENCRYPTION using AES256 DEFAULT STORAGE(ENCRYPT);

9 Create a table inside the tablespace by using the command:

CREATE TABLE customer_payment_info (first_name VARCHAR2(11), last_name VARCHAR2(10), order_number NUMBER(5), credit_card_number VARCHAR2(16), active_card VARCHAR2(3))TABLESPACE securespace1;

10 Insert values into the table by using commands similar to the following example commands:
INSERT INTO INSERT INTO INSERT INTO INSERT INTO commit; customer_payment_info customer_payment_info customer_payment_info customer_payment_info VALUES VALUES VALUES VALUES ('Mike', 'Hellas', 10001, '5446959708812985','YES'); ('Peter', 'Burton', 10002, '5122358046082560','YES'); ('Mary', 'Banker', 10003, '5595968943757920','YES'); ('Holly', 'Mayers', 10004, '4929889576357400','YES');

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

11

Configuring Oracle Database 11g TDE to use the HSM

11 Check the encrypted tablespace by using the command:

select tablespace_name, encrypted from dba_tablespaces;

12 To list the values in the encrypted tablespace in plain text, use the command:
select * from customer_payment_info;

13 Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user OE, using the command:
alter table oe.customers modify (credit_limit encrypt);

14 To list the values in the encrypted column in plain text, use the command:
select credit_limit from oe.customers where rownum <15;

15 To list the encrypted columns in your database, use the command:

select * from dba_encrypted_columns;

16 To list information about the wallet, use the command:

select * from v$encryption_wallet;

17 To rotate the TDE master encryption key, use the command:

alter system set encryption key identified by pass_phrase;

This creates another ORACLE.TDE.HSM.MK.key_hash master encryption key in the /opt/nfast/kmdata/local directory, which you can see by running /opt/nfast/bin/cklist.
Note The pass_phrase is the pass phrase that you used when creating the master encryption key in step 5. The tablespace encryption key cannot be rotated; a work around is to move the data into a new encrypted tablespace.

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

12

Configuring Oracle Database 11g TDE to use the HSM

18 Close the wallet and exit sqlplus, by using the commands:

alter system set encryption wallet close identified by pass_phrase; exit

You do not need to specify the OCS or softcard name when closing the wallet. 19 Open the wallet by logging into the database and using the following command: OCS key protection:

alter system set encryption wallet open identified by OCS_pass_phrase|OCS_name;

Softcard key protection:

alter system set encryption wallet open identified by softcard_pass_phrase|softcard_name;

Module-only key protection:

alter system set encryption wallet open identified by module_pass_phrase;

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

13

Chapter 3: Troubleshooting

The following table provides troubleshooting guidelines.

Error message
ORA-28376: cannot find PKCS11 library

Resolution Check the library path is set correctly, for example:/opt/oracle/extapi/64/hsm/libcknfast-64.so Ensure that oracle:oinstall is the owner:group of this directory, with read and write access. Ensure that the HSM wallet pass phrase is correct. Ensure that if OCS/softcard key protection is used, the name and pass phrase are correct and are separated by a |, for example:softcard_pass_phrase|softcard_name Ensure that you have added user oracle to group nfast. In some cases you may have to re-login with the oracle user for this to take effect. Ensure that if a strict FIPS 140-2 level 3 security world is in use, an OCS is inserted into the HSM slot when creating the master encryption key.

ORA-28353: failed to open wallet

ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [6], [],[], [], [], [], [] ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [2147483872], [], [], [], [], [], [], [], [], [], []

nCipher Modules: Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption 1.2

14

Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA Tel: +1 888 744 4976 or + 1 954 888 6200 sales@thalesesec.com

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK Tel: + 44 (0)1844 201800 emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC Tel: + 852 2815 8633 asia.sales@thales-esecurity.com

Internet addresses
Web site: Support: Online documentation: International sales offices: www.thalesgroup.com/iss http://iss.thalesgroup.com/en/Support.aspx http://iss.thalesgroup.com/Resources.aspx http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx