By

 

Short summary on Oracle Transparent Data Encryption


Transparent Data Encyption features:

  • Encrypts columns or entire application data table spaces.
  • Protects the database files on disk and on backup of databases.
  • Transparent to application no changes required.

 

Below action plans are in brief:

  • Perform cold backup
  • Check the table space size.
  • Apply patch 23315889 ( one of patch)
  • $ mkdir -p /APPSOL/appsol/admin/TDE/APPSOL
  • SQL> select * from v$encryption_wallet;
  • update sqlnet.ora file.
ENCRYPTION_WALLET_LOCATION=
 (SOURCE= (METHOD = FILE)
      (METHOD_DATA=
         (DIRECTORY=/APPSOL/appsol/admin/TDE/APPSOL)
      )
 SQL> alter system set encryption key identified by "*******";
  $ ls /APPSOL/appsol/admin/TDE/APPSOL
   Restart DB in mount stage.
   SQL> select TABLESPACE_NAME,ENCRYPTED,COMPRESS_FOR from   DBA_TABLESPACES not in ('SYSTEM','SYSAUX','TEMP','UNDOTBS1');
  Restart DB.
 SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "*******";
 SQL>@tablespace_offline.sql

Create a script called tbsp_offline.sql script to bring table spaces other than system,sysaux,temp and undo offline;

$ sqlplus "/as sysdba"
SQL> spool tbsp_offline.sql
SQL> select 'alter tablespace ' ||tablespace_name||  ' offline;' from dab_tablespaces where tablespace_name not in ('SYSTEM','SYSAUX','TEMP','UNDOTBS1');
SQL> exit
  alter tablespace USERS offline;
  alter tablespace APPSOLD offline;
  alter tablespace APPSOLX offline;
  alter tablespace APPSOLTMPD offline;

Encrypt the database as below:

SQL> @tablespace_encrypt;
encrypt datafile.
 $ sqlplus / as sysdba
SQL> set heading off
SQL> set linesize 150
SQL> set datafile_encrypt.sql
SQL> select 'alter database datafile ' ' ' || file_name || ' ' ' encrypt;' from dab_data_files where tablespace_name not in ('SYSTEM','SYSAUX','TEMP','UNDOTBS1','TOOLS');
SQL> exit;
Now edit the datafile_encrypt.sql script to remove all lines other than alter database commands.
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/users01.dbf' encrypt;
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol1.dbf' encrypt;
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsoltmp01.dbf' encrypt;
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsolx01.dbf' encrypt;
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol02.dbf' encrypt;
alter database datafile
'/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol03.dbf' encrypt;
alter database datafile '/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol04.dbf' encrypt;
alter database datafile
'/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol05.dbf' encrypt;
alter database datafile
'/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol06.dbf' encrypt;
alter database datafile
'/APPSOL/appsol/oradata/oradat_APPSOL/APPSOL/datafile/appsol07.dbf' encrypt;

Now change tablespace online mode.

SQL> @tablespace_online.sql
alter tablespace USERS online;
  alter tablespace APPSOLD online;
  alter tablespace APPSOLX online;
   alter tablespace APPSOLTMPD online;
SQL> select * from v$instance;
SQL> select * from table_name rownum <5;
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "********";
SQL> select * from v$encryption_wallet;


Check the status of table space encryption by connecting to sqlplus /as sysdba and running the query shown;

$ sqlplus /as sysdba
SQL> select tablespace_name,encrypted from dab_tablespaces;
$ sqlplus /as sysdba
$ administer key management create AUTO_LOGIN keystone from keystone "/APPSOL/appsol/12102/admin/TDE/APPSOL" identified by "*****";
Bounce Database
Backup Database.

Comments

Post a Comment

Popular posts from this blog

How to drop index and before dropping it how to get the DDL.

By
  Oracle DROP INDEX statement DROP INDEX [schema_name.]index_name; DECLARE index_count INTEGER; BEGIN SELECT COUNT(*) INTO index_count FROM USER_INDEXES WHERE INDEX_NAME = 'index_name' ; IF index_count > 0 THEN EXECUTE IMMEDIATE 'DROP INDEX index_name' ; END IF; END; / In case want to check whether index exists and then delete it. If try to drop a non-existing, you will get the following error: SQL Error : ORA -01418 : specified index does not exist In SQLplus, set these before running the commands set long 100000 set longchunksize 100000 select DBMS_METADATA.GET_DDL( 'INDEX' , 'index_name') from all_indexes where owner in ( USER , 'USER_OTHER_THAN_LOGGED_IN_USER' ); Use below script to fetch metadata other information. SELECT DBMS_METADATA,GET_GRANTED_DDL('SYSTEM_GRANT','SSO******') from dual;
Read more

How to set up the Oracle Wallets in Oracle Database 19C

By
  The Oracle Wallet is a container or repository that stores authentication and credentials such as certificates, certificate requests, and private keys., By using this we can connect to database without providing the schema name & password, Password will be connected by using the TNS ALIES name & hence the schema are encrypted & stored in the oracle wallets. Let us configure the schema password by using the wallets. Create a directory to store the wallets. Create a directory to store the password $ mkdir -p /u01/app/wallets Create a wallet & provide the wallet password. $ mkstore -wrl /u01/app/wallets/ -create Enter password: ********* Enter password again: ******** $ ll total 8 -rw-------. 1 oracle oinstall 194 Nov 1 14:38 cwallet.sso -rw-------. 1 oracle oinstall 0 Nov 1 14:38 cwallet.sso.lck -rw-------. 1 oracle oinstall 149 Nov 1 14:38 ewallet.p12 -rw-------. 1 oracle oinstall 0 Nov 1 14:38 ewallet.p12.lck Check the status of listener $lsnrctl status listener_n...
Read more

PRVG-11250 : The check "RPM Package Manager database" was not performed because

By
Following message reported from cluvfy while performing pre-requisite for Clusterware Installation:  Verifying RPM Package Manager database ...INFORMATION PRVG-11250 : The check "RPM Package Manager database" was not performed because it needs 'root' user privileges. SOLUTION Execute runcluvfy manually with "-method root" option and enter root password when prompted : Example: $/runcluvfy.sh stage -pre crsinst -n <HOSTNAME1>,<HOSTNAME2> -method root Enter "ROOT" password: For reference metalink doc id :  2548970.1
Read more

ORA-00257:archiver error, connect internal only until freed

By
  Issue: Application log shows below error and users are unable to connect to the database. 0RA-00257:archiver error, connect internal only until freed (OR) 0RA-00257:archiver error, connect internal only until freed ORA-16020: less destinations available than specified by LOG_ARCHIVE_MIN_SUCCEED_DEST Fix: 1) Check if there are any errors for the archive destination(s). Make sure that the number of VALID archive destinations is greater than or equal to the value specified by LOG_ARCHIVE_MIN_SUCCEED_DEST initialization parameter. set pages 1000 col dest_name for a30 col destination for a60 SELECT dest_id, dest_name, binding, status, destination, error FROM v$archive_dest; SHOW PARAMETER log_archive_min_succeed_dest 2) If space is full in one or more of the archive destinations (or if destination is not available), take any of the following steps: 2.a) Manually move the archives to another location and delete them from archive destination.   (OR) 2.b) Change the archive des...
Read more

Linux OL7/RHEL7: PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

By
  This is due to below bugs: OL7 -  Unpublished Bug 21441387- 12.2/MAIN/OL7.1: CVU REPORTS /DEV/SHM NOT MOUNTED WHEN IT IS MOUNTED  21441387.8 RHEL 7 - Unpublished Bug 25907259 : RHEL7.2: CVU REPORTS /DEV/SHM NOT MOUNTED WHEN IT IS MOUNTED  25907259.8 As a work-around in OL7: In OL7, the /dev/shm is not mounted in /etc/fstab on a fresh system, it is done in: [root@testc140 u02]# ll /usr/lib/dracut/modules.d/99base/init.sh -rwxr-xr-x. 1 root root 11379 Mar 26 10:14 vi /usr/lib/dracut/modules.d/99base/init.sh and comment the below lines 62 if ! ismounted /dev/shm; then 63 mkdir -m 0755 /dev/shm 64 mount -t tmpfs -o mode=1777,nosuid,nodev,strictatime tmpfs /dev/shm >/dev/null 65 fi so, this validation is not really valid for OL7.    We can also safely ignore this message. For reference metalink id: -  Doc ID 2065603.1
Read more

SKIP DNS RESLOV.CONF CHECK DURING RAC CONFIGURATION

By
 shsebs7idb1: PRVG-2064 : There are no configured name servers in the file              '/etc/resolv.conf' on the nodes "shsebs7idb1" Solution: [root@shsebs7idb2 ~]# ls -ltr /etc/resolv.conf -rw-r--r--. 1 root root 78 Jul  3 11:02 /etc/resolv.conf [root@shsebs7idb2 ~]# mv /etc/resolv.conf /etc/resolv.conf.sid Rename resolv.conf to resolv.conf.sid for example and re run the installation again . It  worked for me
Read more

Verifying Daemon “Avahi-Daemon” Not Configured And Running …FAILED (PRVG-1360)

By
  Execute "/tmp/CVU_19.0.0.0.0_grid/runfixup.sh" as root user on nodes "shsebs7idb1" to perform the fix up operations manually Press ENTER key to continue after execution of "/tmp/CVU_19.0.0.0.0_grid/runfixup.sh" has completed on nodes "shsebs7idb1" Fix: Daemon "avahi-daemon" not configured and running   Node Name                             Status   ------------------------------------  ------------------------   shsebs7idb1                           failed ERROR: shsebs7idb1: PRVG-9023 : Manual fix up command "/tmp/CVU_19.0.0.0.0_grid/runfixup.sh" was not issued by root user on node "shsebs7idb1" Result: "Daemon "avahi-daemon" not configured and running" could not be fixed on nodes "shsebs7idb1" SOLUTION: To fix this error, stop and disable avahi-daemon service. 1. Check avahi-daemon status: [root@shsebs7idb1 ~]# ls -...
Read more

How to write to a CSV file using Oracle SQL*Plus

By
  SPOOL command  The  SPOOL  command is  unavailable  in the browser-based SQL*Plus version,  iSQL*Plus . To generate files while using iSQL*Plus, change the necessary preference settings to directly output to a file. This is accomplished using the  SPOOL  statement. While  SPOOL  is  active , SQL*PLus will store the output of any query to the specified file. Therefore, the next command to enter is  spool : spool filepath Skipping ahead slightly,  after  your query is inserted, you also need to halt  spool  so the file output is closed by using the  spool off  command: spool off Insert the query  The last step after the settings are modified and  spool  is running is to insert your query. For our simple example, we’re outputting all books from our  books  table. SELECT   title,   author FROM   authors; Don’t forget the semi...
Read more

Change Password in an Oracle Database

By
 Once connected, ALTER USER command, specifying the new password. ALTER USER myuser IDENTIFIED BY MyNewPassword; To use special characters, remember to enclose the password in double quotes. ALTER USER myuser IDENTIFIED BY "MyNewPassword#"; SQL*Plus and SQLcl Use the PASSWORD command from the SQL*Plus and SQLcl utilities. It will be prompted for your current password and the new password. SQL> password Changing password for MYUSER Old password: ******** New password: ******** Retype new password: ******** Password changed SQL> SQL Developer From SQL Developer Right-click on the connection. Select the "Reset Password..." option from the popup menu. In the subsequent dialog, enter the current password and the new password with confirmation. Click the OK button. TOAD For TOAD do the following. select "Session > Change Password". In the subsequent dialog, enter the current password and the new password with verification. Click the OK button.
Read more
By
Can I flush the Undo tablespace by any chance... ? You don't need to flush any thing from the undo tablespace. It will reuse the undo data automatically. You can create a new undo tablespace and make it active for your database. Later on drop your old undo tablespace. UNDO_RETENTION time undo tablespace is filled and any query fails, then if another query is going to do a DML and tries to use UNDO segments then, I think that will also fail because of unavailability of UNDO SEGMENTS.. > create undo tablespace undotbl_new datafile size 1m; Tablespace created. > alter system set undo_tablespace = undotbl_new scope=both; System altered. > drop tablespace undotbs; Tablespace dropped.
Read more