1.0 Introduction
This article describes how to integrate and migrate Oracle Transparent Data Encryption (TDE) keys on Exadata Cloud@Customer (ExaCC) to Fortanix Data Security Manager (DSM).
Oracle TDE on ExaCC protects data at rest, including datafiles and backups, using a robust two-tier key hierarchy consisting of Data Encryption Keys (DEKs) and a Master Encryption Key (MEK). By default, TDE stores the master key in a local file-based wallet. Integrating Oracle TDE with Fortanix DSM enables customer-managed, centrally controlled encryption keys, enforcing strict separation of data and keys in alignment with modern security and compliance requirements.
This integration provides transparent encryption for tablespaces and columns without requiring application changes, while delivering a strong compliance posture, centralized key lifecycle management, and enhanced security controls across the Exadata infrastructure.
This integration also includes the following scenarios:
Migrating TDE keys from local wallet to Hardware Security Modules (HSM).
Backup and recovery.
Pluggable Database (PDB) cloning.
2.0 Product Tested Version
The following product versions were tested:
Fortanix DSM version 5.4.2899
Fortanix PKCS#11 library version 5.1.2830
Oracle Database version 19.18.0.0.0
3.0 Prerequisites
The following are the prerequisites:
Oracle Database on ExaCC is configured with a local TDE wallet.
Fortanix DSM is accessible.
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed here based on the application region.
For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.
4.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 2: Add groups
On the Adding new group page, do the following:
Title: Enter a title for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.

Figure 3: Group added
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 4: Add application
On the Adding new app page, enter the following details:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.

Figure 5: App added
4.5 Copying the App Password
Perform the following steps to copy the app password from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the Credentials Details dialog box, click the USERNAME/PASSWORD tab and copy the Password of the app to use in Section 5.0: Migrating TDE Master Key from Local Wallet to Fortanix DSM.

Figure 6: Copy app password
5.0 Migrating TDE Master Key from Local Wallet to Fortanix DSM
Perform the following steps to migrate the TDE master key from the local wallet to Fortanix DSM:
Configure the Fortanix DSM PKCS#11 library and the pkcs11.conf file.
For detailed instructions, refer to Steps 3 through 7 in Section 3.0: Configure Oracle Database for Integration, in the Fortanix Data Security Manager with Oracle TDE guide.
If you are using an auto-login wallet, run the following command to move or rename the auto-login wallet file:
    cd <wallet_root_path>/tde
    mv cwallet.sso cwallet.sso_backup
Run the following command to change the local wallet password to match the HSM wallet (DSM_APP_PASSWD):
    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY "<software_wallet_passwd>" SET "<DSM_APP_PASSWD>" WITH BACKUP;
Where, DSM_APP_PASSWD is the password of the ExaCC app copied in Section 4.5: Copying the App Password.
Run the following command to configure the wallet method to use both FILE and HSM keystore:
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE";
Run the following command to stop and restart the database instance in MOUNT mode:
    SHUTDOWN IMMEDIATE;
    STARTUP MOUNT;
NOTE
On ExaCC, all the tablespaces are encrypted by default. To open the database in READ WRITE mode, the wallet must be opened. At the MOUNT stage, the wallet for the Container Database (CDB) and each PDB must be opened first.
Run the following command at CDB level to open both the HSM and local wallets and open the database:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>";
    ALTER DATABASE OPEN;
Run the following command to open the wallets for each PDB and then open the database:
    ALTER SESSION SET CONTAINER=<PDB_NAME>;
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>";
    ALTER DATABASE OPEN;
Run the following command at CDB to verify that both wallets are open for all containers:
    SELECT * FROM V$ENCRYPTION_WALLET;
Run the following command to migrate the local TDE master key to Fortanix DSM:
    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "<DSM_APP_PASSWD>" MIGRATE USING "<DSM_APP_PASSWD>" WITH BACKUP USING 'LocalWallet1';
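The verification step above, condensed into one row per container, as an added example that is not part of the original Fortanix guide: it joins V$CONTAINERS to V$ENCRYPTION_WALLET and marks any container whose HSM or FILE keystore is not in an OPEN state. It assumes the query is run from CDB$ROOT and that WRL_TYPE reports HSM and FILE for the two keystores; the column aliases are illustrative.

```sql
-- Added example (not from the Fortanix or Oracle documentation).
-- Run in CDB$ROOT as a user who can query V$ views, for example SYSDBA.
-- Assumption: WRL_TYPE is 'HSM' for the Fortanix DSM keystore and 'FILE'
-- for the local wallet, matching KEYSTORE_CONFIGURATION=HSM|FILE.
SELECT c.con_id,
       c.name       AS container,
       c.open_mode,
       -- One column per keystore so both can be read on a single line.
       MAX(CASE WHEN w.wrl_type = 'HSM'  THEN w.status END)       AS hsm_status,
       MAX(CASE WHEN w.wrl_type = 'HSM'  THEN w.wallet_order END) AS hsm_order,
       MAX(CASE WHEN w.wrl_type = 'FILE' THEN w.status END)       AS file_status,
       MAX(CASE WHEN w.wrl_type = 'FILE' THEN w.wallet_type END)  AS file_type,
       -- A keystore that is closed, unavailable, or has no row at all
       -- for the container is reported as CHECK.
       CASE
         WHEN NVL(MAX(CASE WHEN w.wrl_type = 'HSM'  THEN w.status END), 'MISSING') NOT LIKE 'OPEN%'
           OR NVL(MAX(CASE WHEN w.wrl_type = 'FILE' THEN w.status END), 'MISSING') NOT LIKE 'OPEN%'
         THEN 'CHECK'
         ELSE 'OK'
       END          AS keystore_check
FROM   v$containers c
LEFT JOIN v$encryption_wallet w
       ON w.con_id = c.con_id
GROUP  BY c.con_id, c.name, c.open_mode
ORDER  BY c.con_id;
```

The check treats every status beginning with OPEN as open, including OPEN_NO_MASTER_KEY, so read the hsm_status and file_status columns as well as the keystore_check flag.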
6.0 Configuring Auto-Login
An auto-login wallet allows the TDE wallet to open automatically during database startup, eliminating the need for manual intervention after a restart. For this reason, it is strongly recommended to configure an auto-login TDE wallet for each database.
NOTE
If multiple databases are running on the same server, you can configure either a shared wallet for all databases or separate wallets for each database, depending on your security and operational requirements.
For more information on Oracle TDE and auto-login keystore, please see: https://docs.oracle.com/database/121/ASOAG/managing-keystore-and-tde-master-encryption-key.htm#ASOAG10434.
6.1 Auto-Login in Oracle 19c
This section describes how to configure auto-login for Oracle TDE in Oracle 19c when using an HSM-backed keystore (Fortanix DSM).
Perform the following steps:
Run the following command to verify whether the HSM key store is open:
You can check the status of the keystore by querying the STATUS column of the V$ENCRYPTION_WALLET view.
    SELECT * FROM V$ENCRYPTION_WALLET;
Run the following command to close the HSM keystore if it is open:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;
Run the following command to change the keystore configuration to use a FILE-based wallet:
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE";
Run the following command to create a software keystore. This keystore stores the HSM wallet password to enable auto-login:
NOTE
Skip this step if the keystore already exists and you plan to reuse it.
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '$ORACLE_BASE/admin/$ORACLE_SID/wallet/tde' IDENTIFIED BY "<DSM_APP_PASSWORD>";
Run the following command to open the software keystore:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<DSM_APP_PASSWORD>" CONTAINER = ALL;
Run the following command to add the Fortanix DSM application password as a secret to the software keystore. The Oracle-defined client name HSM_PASSWORD is used to store the HSM password as a secret:
    ADMINISTER KEY MANAGEMENT ADD SECRET '"<DSM_APP_PASSWORD>"' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u01/opt/oracle/product/wallet/tde';
Run the following command to close the software keystore:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<DSM_APP_PASSWORD>";
Run the following command to set the keystore configuration to use HSM backed by auto-login:
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE";
For Oracle Real Application Clusters (RAC) databases, run the following command:
    ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=HSM|FILE" SID='*';
Shut down and restart the database to verify that auto-login is functioning correctly.
Run the following command to verify that the wallet is automatically opened after restart:
    SELECT * FROM V$ENCRYPTION_WALLET;
This completes the auto-login configuration for Oracle 19c.
For Oracle RAC environments, copy the ewallet.p12 and cwallet.sso files to all RAC nodes at the following location:
    $ORACLE_BASE/admin/$ORACLE_SID/wallet/tde
6.2 Backup and Recovery
For backup and restore steps for a TDE-enabled database, refer to Section 5.0: Backup and Restore for a TDE-Enabled Database, in the Using Fortanix Data Security Manager with Oracle TDE guide.
6.3 Pluggable Database Cloning
You can clone pluggable databases that are encrypted using encryption keys stored in Fortanix DSM. For more information, refer to Section 6.0: Cloning Pluggable Databases on an Encrypted Instance in the Using Fortanix Data Security Manager with Oracle TDE guide.