nshield Modules Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption

(1)

nShield Modules

Integration Guide for Oracle Database 11g Release 2

Transparent Data Encryption

(2)

Version: 2.0

Date: 01 November 2013

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of Thales e-Security Limited or its affiliates in the EU and other countries.

Information in this document is subject to change without notice.

Thales e-Security Limited makes no warranty of any kind with regard to this information,

including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

(3)

Contents

Chapter 1: Introduction

Oracle Database 11g Release 2 TDE transparently encrypts data that is stored in the Oracle database, without requiring any changes to the application that runs on top of the database. It supports both TDE tablespace encryption and TDE column encryption. The HSM secures the unified TDE master encryption key, which is used to encrypt and decrypt the tablespace keys for

encrypted tablespaces, and table keys for encrypted application table columns. The HSM is used in place of the Oracle Wallet to provide a higher level of security assurance, including:

l Centralized storage and management of the master encryption key(s). l Full life cycle management of the master encryption key(s).

l Highest level of security assurance, the keys never leave the HSM as plain text. l FIPS 140-2 level 3 validated hardware.

l Failover support.

Depending on your current Oracle setup, you can use this document to either:

l Create and start using a new HSM-protected wallet (if you are not using an Oracle Wallet). l Migrate from an existing Oracle Wallet to an HSM-protected wallet.

The Oracle Wallet can be the default database wallet shared with the other components of the Oracle database or a separate wallet specifically used by TDE. When using Oracle TDE, Oracle recommends that you use a separate wallet to store the master encryption key. See the Oracle documentation for more information.

Product configuration

The integration between the HSM and TDE uses the PKCS #11 cryptographic API. The integration has been successfully tested in, and is only supported for, the following configurations:

Operating system Thales nCipher software version Oracle Database version nShield Solo support netHSM support nShield Connect support

Red Hat Enterprise Linux 6 11.50 11.2.0.2.0 Yes – Yes Solaris 10 for SPARC

systems 11.50 11.2.0.2.0 Yes – Yes Red Hat Enterprise Linux 5 11.50 11.2.0.2.0 Yes – Yes Red Hat Enterprise Linux 5 11.40 11.2.0.1.0 Yes Yes Yes Solaris 10 for SPARC

systems 11.40 11.2.0.1.0 Yes Yes Yes IBM AIX 5.3 11.40 11.2.0.1.0 Yes Yes Yes IBM AIX 6.1 11.40 11.2.0.1.0 Yes Yes Yes

Additional documentation produced to support your Thales nCipher product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note: Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield.)

(5)

Chapter 1: Introduction

Supported Thales nShield functionality

Key Generation Yes 1-of-N Operator Card

Set Yes Strict FIPS Support Yes Key Management Yes K-of-N Operator Card

Set — Load Sharing Yes Key Import — Softcards Yes Fail Over Yes Key Recovery Yes Module-only Key Yes

Requirements

Before installing the software, we recommend that you familiarize yourself with the Oracle Database 11g Release 2 TDE documentation and setup process, and that you have the Thales documentation available. We also recommend that you have an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the HSM.

In particular, these documents should specify the following aspects of HSM administration:

l The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a

policy for managing these cards

l Whether the application keys are protected by the module or an Operator Card Set (OCS) l The number and quorum of Operator Cards in the OCS, and a policy for managing these

cards

l Whether the security world must comply with FIPS 140-2 Level 3 l Key attributes, such as the key size, persistence, and time out.

Note: K/N functionality is not currently supported. This means that you must create a 1/N OCS.

This integration requires Oracle Database 11g Release 2 (11.2.0.1.0 or 11.2.0.2.0) to be installed with the following Oracle patches applied:

Patch

9229896 for 11.2.0.1.0. 10098816 for 11.2.0.2.0.

Unique patch ID 12118360 for 11.2.0.1.0. 1123404322 for 11.2.0.2.0.

Bugs fixed 8909973: TDE cannot support multi-token HSMs. 9034189: TDE with HSM race condition.

This guide

This guide explains how to integrate Oracle Database 11g Release 2 Transparent Data Encryption (TDE) with a Thales nCipher Hardware Security Module (HSM). We have thoroughly tested the instructions in this document. They provide a straightforward integration process. There may be

(6)

More information

other untested ways to achieve interoperability. This document may not describe every step of the software setup process.

This guide assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for Oracle Database 11g Release 2 TDE.

More information

l For more information about OS support, contact your Oracle sales representative or Thales

Support.

l For more information about contacting Thales, see Addresses at the end of this guide. l For more information on administering an nShield module, see the User Guide. l Additional documentation produced to support your Thales nShield product is in the

document directory of the CD-ROM or DVD-ROM for that product.

l For more information about using Oracle Database 11g Release 2 TDE, see: http://download.oracle.com/docs/cd/E11882_

(7)

Chapter 2: Procedures

To integrate Oracle Database 11g Release 2 TDE with an HSM:

1. Install Oracle Database 11g Release 2 and apply patch. 2. Install the HSM.

3. Install the support software and configure the HSM.

4. Configure Oracle Database 11g Release 2 TDE to use the HSM.

All these procedures are described in the following sections.

Installing Oracle Database 11g Release 2

To install Oracle Database 11g Release 2:

1. Download and unzip the appropriate Oracle distribution for your operating system.

2. Set environment variables ORACLE_BASE, ORACLE_HOME, PATH, TNS_ADMIN and ORACLE_SID according to your environment, for example:

ORACLE_SID=<database_name>; export ORACLE_SID; ORACLE_BASE=/home/oracle/app; export ORACLE_BASE;

ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1; export ORACLE_HOME; PATH=$PATH:$ORACLE_HOME/bin; export PATH;

TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN;

Note: Ensure that ORACLE_SID is at least eight alphanumeric characters long.

3. Ensure that the prerequisite configuration is complete according to Oracle documentation at:

http://www.oracle.com/pls/db112/portal.portal_db?selected=11&frame=

4. Navigate to the installation folder and execute ./runInstaller to start the installation process and install the database software only.

5. Download and unzip patch 9229896 or 10098816 for the appropriate distribution and refer to the readme.txt file to use OPatch to install the patch. Run opatch lsinventory to verify the patch afterwards.

6. Run dbca to create a database and select the option to add the sample schemas on step 8 of the dbca wizard. When asked for the ORACLE_SID, use the one you specified in step 2. The sample schemas and user accounts are used to test TDE with an HSM.

Installing the HSM

Install the HSM using the instructions in the documentation for the HSM. We recommend that you install the HSM before configuring the nCipher software.

Installing the support software and configuring the

HSM

(8)

1. Install the latest version of the support software and create a security world as described in the User Guide for the HSM.

Note: We recommend that you uninstall any existing Thales nCipher software before

installing the new software.

2. Create or edit the cknfastrc file located in the /opt/nfast directory, and depending on how you want to protect the master encryption key, set one of the following environment

variables:

l OCS or softcard key protection:

CKNFAST_LOADSHARING=1

l Module-only key protection:

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

For more information, see the PKCS #11 library environment variables in the User

Guide for the HSM.

3. Initialize a security world.

4. For OCS protection, create a 1 of N card set, following the instructions in the User Guide for the HSM.

Note: Ensure that your Operator Card or softcard pass phrase has a minimum of eight

alphanumeric characters. You must create a softcard for softcard protection; see the

User Guide for the HSM for more information.

Configuring Oracle Database 11g TDE to use the HSM

To configure Oracle Database 11g Release 2 TDE to use the HSM:

1. Copy the PKCS #11 library located at /opt/nfast/toolkits/pkcs11/libcknfast-64.so (or libcknfast.sodepending on your OS architecture) to one of the following locations:

Red Hat Enterprise Linux 5 (x86) /opt/oracle/extapi/32/hsm/libcknfast.so Solaris 10 SPARC (64-bit) /opt/oracle/extapi/64/hsm/libcknfast-64.so IBM AIX (PPC64) /opt/oracle/extapi/64/hsm/libcknfast-64.so

Ensure that the directory exists and that oracle:oinstall is the owner:group of the directory with read and write access.

2. Add the oracle user to group nfast. You can verify this addition by looking at the entry for the nfast group in /etc/group.

3. In the $TNS_ADMIN/sqlnet.ora file add or edit the following lines, depending on whether you are migrating from an Oracle Wallet:

Migrating from an Oracle Wallet

ENCRYPTION_WALLET_LOCATION =(SOURCE = (METHOD = HSM) (METHOD_DATA = (DIRECTORY = $ORACLE_

BASE/admin/$ORACLE_SID/wallet/)))

Not migrating ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD =

(9)

Configuring Oracle Database 11g TDE to use the HSM

4. Log into the database using the following commands:

l In the UNIX command shell:

sqlplus / as sysdba

l In sqlplus (at the SQL> prompt):

connect / as sysdba

5. Create the master encryption key inside the HSM using one of the following commands, depending on how you want to protect the key and whether you are migrating from an Oracle Wallet:

l OCS key protection:

alter system set encryption key identified by “OCS_pass_phrase|OCS_name” migrate using “wallet_password”;

Not migrating alter system set encryption key identified by

“OCS_pass_phrase|OCS_name”;

OCS key protection requires an OCS to be inserted into the module slot. You must specify |OCS_name after the pass phrase to identify a particular OCS in the security world. In the cknfastrc file, you must set CKNFAST_LOADSHARING=1.

l Softcard key protection:

alter system set encryption key identified by “softcard_pass_phrase|softcard_name” migrate using “wallet_password”;

Not migrating alter system set encryption key identified by

“softcard_pass_phrase|softcard_name”;

For softcard key protection, you must specify |softcard_name after the pass phrase to identify a particular softcard in the security world. In the cknfastrc file, you must set

CKNFAST_LOADSHARING=1.

alter system set encryption key identified by “module_pass_phrase” migrate using “wallet_password”;

Not migrating alter system set encryption key identified

by “module_pass_phrase”;

l Module-only key protection accepts any given pass phrase. In the cknfastrc file, you

must set CKNFAST_FAKE_ACCELERATOR_LOGIN=1.

The pass phrase must be at least eight alphanumeric characters long. The wallet_password is the password for the Oracle Wallet.

6. To verify that the master encryption key has been created, run /opt/nfast/bin/cklist. You should see the following PKCS #11 keys:

(10)

Migrating from an Oracle Software

Wallet ORACLE.TDE.HSM.MK.key_hash

Not migrating

ORACLE.TDE.HSM.MK.key_hash ORACLE.TSE.HSM.MK.key_hash

7. If you migrated from an Oracle Software Wallet:

l In the UNIX command shell, use an orapki command similar to the following command

to alter the Oracle Wallet pass phrase to match the new pass phrase:

orapki wallet change_pwd -wallet

"/home/oracle/app/admin/your_test_database_name/wallet/ ewallet.p12"

-oldpwd "wallet_password" –newpwd "OCS_pass_phrase|OCS_name"

This example is for OCS key protection. For softcard key protection, use softcard_

pass_phrase|softcard_name. For module-only key protection, use module_pass_ phrase.

l Navigate to the Oracle Wallet ewallet.p12 and rename it to ewallet.p12.old. This

stops Transparent Data Encryption opening the software wallet. It is important that you keep this Oracle Wallet.

8. To use tablespace encryption and column encryption using the HSM, we recommend that you first create an encrypted tablespace using the following command and then proceed with column-level encryption:

CREATE TABLESPACE securespace1

DATAFILE '$ORACLE_BASE/oradata/$ORACLE_SID/secure01.dbf' SIZE 10M

ENCRYPTION using ‘AES256’ DEFAULT STORAGE(ENCRYPT);

9. Create a table inside the tablespace by using the command:

CREATE TABLE customer_payment_info (first_name VARCHAR2(11),

last_name VARCHAR2(10), order_number NUMBER(5),

credit_card_number VARCHAR2(16),

active_card VARCHAR2(3))TABLESPACE securespace1;

10. Insert values into the table by using commands similar to the following example commands:

INSERT INTO customer_payment_info VALUES ('Mike', 'Hellas', 10001, '544695 9708812985','YES');

INSERT INTO customer_payment_info VALUES ('Peter', 'Burton', 10002, '51223 58046082560','YES');

INSERT INTO customer_payment_info VALUES ('Mary', 'Banker', 10003, '559596 8943757920','YES');

INSERT INTO customer_payment_info VALUES ('Holly', 'Mayers', 10004, '49298 89576357400','YES');

(11)

Configuring Oracle Database 11g TDE to use the HSM

11. Check the encrypted tablespace by using the command:

select tablespace_name, encrypted from dba_tablespaces;

12. To list the values in the encrypted tablespace in plain text, use the command:

select * from customer_payment_info;

13. Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user OE, using the command:

alter table oe.customers modify (credit_limit encrypt);

14. To list the values in the encrypted column in plain text, use the command:

select credit_limit from oe.customers where rownum <15;

15. To list the encrypted columns in your database, use the command:

select * from dba_encrypted_columns;

16. To list information about the wallet, use the command:

select * from v$encryption_wallet;

17. To rotate the TDE master encryption key, use the command:

alter system set encryption key identified by “pass_phrase”;

This creates another ORACLE.TDE.HSM.MK.key_hash master encryption key in the

/opt/nfast/kmdata/local directory, which you can see by running /opt/nfast/bin/cklist.

Note: The pass_phrase is the pass phrase that you used when creating the master

encryption key in step 5. The tablespace encryption key cannot be rotated; a work around is to move the data into a new encrypted tablespace.

18. Close the wallet and exit sqlplus, by using the commands:

alter system set encryption wallet close identified by “pass_phrase”; exit

(12)

19. Open the wallet by logging into the database and using the following command:

l OCS key protection:

alter system set encryption wallet open identified by “OCS_pass_phras e|OCS_name”;

l Softcard key protection:

alter system set encryption wallet open identified by “softcard_pass_phrase|softcard_name”;

alter system set encryption wallet open identified by “module_pass_ph rase”;

(13)

Chapter 3: Troubleshooting

The following table provides troubleshooting guidelines.

Note: Supported versions of Oracle 11g include only v11.2.0.2.0 and v11.2.0.1.0.

Error message Resolution

ORA-28376: cannot find PKCS11 library

Check the library path is set correctly, for example:

/opt/oracle/extapi/64/hsm/libcknfast-64.so

Ensure that oracle:oinstall is the

owner:group of this directory, with read and write access.

ORA-28353: failed to open wallet

Ensure that the HSM wallet pass phrase is correct.

Ensure that if OCS/softcard key protection is used, the name and pass phrase are correct and are separated by a |, for

example:softcard_pass_

phrase|softcard_name ORA-00600: internal error

code, arguments: [kzthsmgmk: C_

GenerateKey], [6], [],[], [], [], [], []

Ensure that you have added user oracle to group nfast. In some cases you may have to re-login with the oracle user for this to take effect.

ORA-00600: internal error code, arguments:

[kzthsmgmk: C_ GenerateKey],

[2147483872], [], [], [], [], [], [], [], [], [], []

Ensure that if a strict FIPS 140-2 level 3 security world is in use, an OCS is inserted into the HSM slot when creating the master encryption key.

(14)

Addresses

Americas

900 South Pine Island Road, Suite 710, Plantation, Florida 33324, USA

Tel: +1 888 744 4976 or + 1 954 888 6200

[email protected]

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK

Tel: + 44 (0)1844 201800

[email protected]

Asia Pacific

Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC

Tel: + 852 2815 8633

[email protected]

Internet addresses

Web site: http://www.thales-esecurity.com/

Support: http://www.thales-esecurity.com/support-landing-page

Online documentation: http://www.thales-esecurity.com/knowledge-base