Search order for the TDE configuration
The search order for the TDE keystore depends on how you have set either the
instance initialization parameters, the sqlnet.ora parameters, or the environment
variables.
Oracle Database retrieves the keystore by searching in these locations, in the
following order:
1. The location set by the WALLET_ROOT instance initialization parameter, when the
KEYSTORE_CONFIGURATION attribute of the TDE_CONFIGURATION initialization
parameter is set to FILE. Oracle recommends that you use this parameter to
configure the keystore location.
2. If the KEYSTORE_CONFIGURATION attribute of the TDE_CONFIGURATION initialization
parameter is not set to FILE or WALLET_ROOT is not set, then the location specified
by the WALLET_LOCATION setting in the sqlnet.ora file.
3. If WALLET_ROOT and WALLET_LOCATION are not set, then the location specified by the
ENCRYPTION_WALLET_LOCATION parameter (now deprecated in favor of
WALLET_ROOT) in the sqlnet.ora file.
4. If none of these parameters are set, and if the ORACLE_BASE environment variable
is set, then the $ORACLE_BASE/admin/db_unique_name/wallet directory. If
ORACLE_BASE is not set, then $ORACLE_HOME/admin/db_unique_name/wallet.
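
The search order above as a resolver an auditor could run against collected settings. This is an added example, not Oracle code or code from the original page. The function names, the sample sqlnet.ora, and the /u01/legacy/wallet and /u01/app/oracle paths are constructed for illustration.

```python
import re

# Constructed sample sqlnet.ora (not from the page); indented lines continue an entry.
SAMPLE_SQLNET = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/legacy/wallet)))
"""

def parse_sqlnet(text):
    """Map parameter name -> raw value, joining indented continuation lines."""
    entries, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            entries[name] += line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().upper()
            entries[name] = value.strip()
    return entries

def wallet_dir(entries, param):
    """DIRECTORY value inside one wallet parameter, or None if it is not set."""
    m = re.search(r"DIRECTORY\s*=\s*([^)\s]+)", entries.get(param, ""), re.I)
    return m.group(1) if m else None

def resolve_keystore(wallet_root, tde_configuration, sqlnet_text, env, db_unique_name):
    """Return (winning_source, location) following the four-step search order."""
    cfg = re.search(r"KEYSTORE_CONFIGURATION\s*=\s*([^;\s]+)", tde_configuration or "", re.I)
    # Step 1: WALLET_ROOT counts only when KEYSTORE_CONFIGURATION is FILE.
    if wallet_root and cfg and cfg.group(1).upper() == "FILE":
        return ("WALLET_ROOT", wallet_root)
    # Steps 2 and 3: sqlnet.ora, WALLET_LOCATION before ENCRYPTION_WALLET_LOCATION.
    entries = parse_sqlnet(sqlnet_text or "")
    for param in ("WALLET_LOCATION", "ENCRYPTION_WALLET_LOCATION"):
        location = wallet_dir(entries, param)
        if location:
            return (param, location)
    # Step 4: default directory under ORACLE_BASE, else ORACLE_HOME.
    for var in ("ORACLE_BASE", "ORACLE_HOME"):
        if env.get(var):
            return (var, f"{env[var]}/admin/{db_unique_name}/wallet")
    raise ValueError("no keystore location can be derived")

if __name__ == "__main__":
    print(resolve_keystore("/u01/log/main0618/admin/aug/tde_wallet", None,
                           SAMPLE_SQLNET, {"ORACLE_BASE": "/u01/app/oracle"}, "aug"))
```

Run as a script, it shows the case where wallet_root is set but tde_configuration is not yet: a leftover sqlnet.ora entry still decides the keystore location.
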
Configure the TDE parameters
SQL> alter system set wallet_root='/u01/log/main0618/admin/aug/tde_wallet' scope=spfile;
System altered.
srvctl stop database -d aug;
srvctl start database -d aug;
SQL> alter system set tde_configuration='keystore_configuration=file' scope=spfile;
System altered.
srvctl stop database -d aug;
srvctl start database -d aug;
SQL> show parameter wallet_root;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/log/main0618/admin/aug/td
e_wallet
SQL> show parameter tde_configuration;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
tde_configuration string keystore_configuration=file
Create the keystore
01:49:17 SQL> administer key management create keystore identified by "WelCome-123#";
keystore altered.
Elapsed: 00:00:00.22
Open the keystore
02:01:30 SQL> administer key management set keystore open identified by "WelCome-123#";
keystore altered.
Elapsed: 00:00:00.12
Set the encryption key
02:03:41 SQL> administer key management set encryption key identified by "WelCome-123#" with backup container=all;
keystore altered.
Elapsed: 00:00:00.76
Create the auto-login (auto_login) keystore
02:06:35 SQL> administer key management create auto_login keystore from keystore '+d001/dbca1/tde' identified by "WelCome-123#";
keystore altered.
Elapsed: 00:00:00.06
02:26:34 SQL> grant syskm to system;
Grant succeeded.
Elapsed: 00:00:00.20
02:26:40 SQL> connect system/dbca1@dbca1 as syskm
Connected.
02:26:49 SQL> alter database dictionary encrypt credentials;
Database dictionary altered.
Elapsed: 00:00:00.03