
Integration Guide

Oracle Database 11g Transparent Data Encryption and nCipher Modules
• Red Hat Enterprise Linux 5
• Solaris 10 SPARC
• IBM AIX 5.3

These installation instructions are intended to provide step-by-step instructions for installing nCipher software
with third-party software. These instructions do not cover all situations and are intended as a supplement to the
nCipher documentation provided with nCipher products.
Disclaimer: nCipher Corporation Ltd disclaims all liabilities regarding third-party products and only provides
warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale. nCipher is a
registered trademark of nCipher Corporation Limited. Any other trademarks referenced in this document are
the property of the respective trademark owners. © Copyright 2008 nCipher Corporation Ltd, Cambridge,
United Kingdom.

Document version 1.3, 23-July-2008

Contents
1. Introduction
2. Overview
3. Testing
4. Supported nCipher functionality
5. Requirements
6. Procedures
7. Installing and configuring the nCipher module
8. Installing Oracle Database 11g
9. Configuring and testing Transparent Data Encryption (TDE)
10. Configuring Oracle Database 11g TDE with nCipher PKCS #11
11. Troubleshooting
12. Further information


1. Introduction
This guide explains how to integrate an nCipher module (nShield or a netHSM) with the
Oracle Database 11g Transparent Data Encryption (TDE). It assumes that you have read the
nShield QuickStart Guide and the netHSM QuickStart Guide and are familiar with the
documentation and setup process for the Oracle Database 11g TDE.
Note: All nCipher documentation is available at: http://www.ncipher.com/documentation.

2. Overview
Oracle Database 11g TDE transparently encrypts data as it is stored in the Oracle database and
decrypts it as it is retrieved. It supports both tablespace and column-level encryption.
The nCipher module secures the database server master encryption key used to encrypt and
decrypt the keys used in column-level Transparent Data Encryption.
The nCipher module is used in place of the Oracle Wallet to provide a higher level of security
assurance. The integration also provides the following key benefits:
• The keys never leave the module as plain text.
• The life cycle of the database master encryption key is managed completely.
• The hardware is validated to the FIPS 140 standards.
• Fail-over support is available.
The industry standard PKCS #11 API is used to integrate the Oracle Database 11g TDE and
the nCipher module.

3. Testing
The integration between the nCipher module and the Oracle Database 11g TDE has been tested
for the following combinations:

Operating System            nCipher Version   Oracle Database Version   PCI Support   Ethernet Support
Red Hat Enterprise Linux 5  11.00             11.1.0.6.0                Yes           Yes
Solaris 10 SPARC            11.00             11.1.0.6.0                Yes           Yes
IBM AIX 5.3                 11.10             11.1.0.6.0                Yes           Yes

4. Supported nCipher functionality
You can access the following nCipher functionality when you integrate an nCipher module
with the Oracle Database 11g TDE:
• Softcards
• Key management
• Strict FIPS support
• Key recovery
• Module-only key
• K of N card set
• Key generation
• Key import
• Fail-over
• Fall-back
• Load-balancing
• Preload support

5. Requirements
Before you begin the integration process:
• Read the nShield QuickStart Guide or the netHSM QuickStart Guide as appropriate.
• Familiarize yourself with the documentation and setup process for the Oracle Database
11g TDE.
Before running the setup program, you need to know:
• The number and quorum of Administrator Cards in the Administrator Card Set (ACS) and
the policy for managing these cards.
• Whether the application keys are protected by the module or an Operator Card Set (OCS)
with pass phrase.
• The number and quorum of Operator Cards in the OCS and the policy for managing these
cards.
• Whether the security world is compliant with FIPS 140-2 at level 3.
For more information on administering an nCipher module, see the nShield User Guide or the
netHSM User Guide as appropriate.

6. Procedures
To integrate an nCipher module with Oracle Database 11g TDE, you need to:
1. install and configure an nCipher module
2. install Oracle Database 11g
3. configure Transparent Data Encryption (TDE)
4. configure Oracle Database 11g Transparent Data Encryption (TDE) with the nCipher PKCS #11 library

7. Installing and configuring the nCipher module


1. Install the nCipher module as described in the Hardware Installation Guide.
2. Install the software and create the security world as described in the nShield User Guide or
the netHSM User Guide as appropriate.
Note: nCipher recommends uninstalling any existing nCipher software before installing
the new software.
3. Install the latest version of the nCipher support software with the PKCS #11 components
selected. Follow the instructions in the nCipher documentation.
4. Set the following environment variables by creating or editing the cknfastrc file located in
the /opt/nfast directory:


• CKNFAST_LOADSHARING=1
• CKNFAST_NO_ACCELERATOR_SLOTS=1
5. Initialize a security world and create a 1 of N Operator Card Set. Ensure that your
Operator Card password has a minimum of eight alphanumeric characters.
For more information, see the nCipher PKCS #11 library environment variables in the nShield
User Guide or the netHSM User Guide as appropriate.

8. Installing Oracle Database 11g


To install Oracle Database 11g on Red Hat Enterprise Linux 5, Solaris 10 SPARC and IBM
AIX 5.3:
1. Download, unzip, and extract the appropriate Oracle distribution for Linux, Solaris 10
SPARC and IBM AIX 5.3.
2. Run ./runInstaller to start the installation process. Install the Enterprise Edition and select
to add the demo database. The demo tables and user accounts are used to test Transparent
Data Encryption with and without an nCipher module.
3. Using an Oracle SID of eight alphanumeric characters, ensure that the prerequisite
configuration is complete.
For more information on installing the Oracle Database 11g on Red Hat Enterprise Linux 5,
SUN Solaris 10 SPARC or IBM AIX 5.3, see the Oracle Database 11g documentation,
available at: http://www.oracle.com.

9. Configuring and testing Transparent Data Encryption (TDE)
To start using Transparent Data Encryption (TDE), create a wallet and set a master key. The
wallet can be the default database wallet shared with the other components of the Oracle
database or a separate wallet specifically used by TDE. Oracle recommends that you use a
separate wallet to store the master encryption key.
To verify that the wallet is working:
1. Add the following lines to the $TNS_ADMIN/sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE) (METHOD_DATA =
(DIRECTORY = /opt/oracle/app/oracle/product/11.1.0/db_1/)))
2. Start the database:
$ sqlplus / as sysoper
SQL> startup
3. Connect to the database as system:
SQL> connect system/password


Note: The password for system is defined during database installation.


4. Create an encryption wallet:
SQL> alter system set encryption key identified by "wallet_password";
Note: "wallet_password" is the Oracle SID for the database you are using and must
consist of eight alphanumeric characters. The double quotes are mandatory.
5. Encrypt the credit_limit column of the CUSTOMERS table, which is owned by the user
OE:
SQL> alter table oe.customers modify (credit_limit encrypt);
6. The following command returns the values listed in the encrypted column in plain text:
SQL> select credit_limit from oe.customers where rownum <15;
Transparent Data Encryption decrypts the values automatically.
7. List the encrypted columns in your database:
SQL> select * from dba_encrypted_columns;
8. This view contains information about the wallet itself:
SQL> select * from v$encryption_wallet;
9. Create an encrypted tablespace:
SQL> CREATE TABLESPACE securespace
DATAFILE '/opt/oracle/oradata/orcl/secure01.dbf'
SIZE 10M
ENCRYPTION
DEFAULT STORAGE (ENCRYPT);
10. Close the wallet:
SQL> alter system set wallet close;
SQL> exit

10. Configuring Oracle Database 11g TDE with nCipher PKCS #11
To demonstrate the integration with the nCipher module, set up the security world with at least
one Operator Card Set.
To test the Oracle Database 11g TDE with the nCipher module:
1. Copy the PKCS #11 library, located at /opt/nfast/toolkits/pkcs11/libcknfast.so, to
/opt/oracle/extapi/32|64/hsm/ncipher/<version>/libapiname.ext (32 or 64 according to the
Oracle build in use):
• For Red Hat Enterprise Linux 5:
/opt/oracle/extapi/32/hsm/ncipher/1.58.21/libcknfast.so
• For Solaris 10 SPARC:
/opt/oracle/extapi/64/hsm/ncipher/1.58.21/libcknfast.so


• For IBM AIX 5.3:
/opt/oracle/extapi/64/hsm/ncipher/1.58.42/libcknfast-64.so
Note: Ensure that oracle:oinstall is the owner:group of these directories with read and
write access.
2. Add the oracle user to the nfast group in /etc/group:
nfast::100:oracle
3. Change your $TNS_ADMIN/sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = HSM)(METHOD_DATA =
(DIRECTORY = /opt/oracle/product/11.1.0/db_1/)))
Note: Ensure that METHOD = HSM.
4. Log back into the database:
$ sqlplus system/password
5. Create an HSM wallet:
SQL> alter system set encryption key identified by "HSM_passphrase"
migrate using "wallet_password";
where:
• HSM_passphrase is the pass phrase of the Operator Card Set. The master key in the
nCipher module is not used by tablespace encryption, which relies on the software wallet
created in section 9, step 4.
• wallet_password is the password for the software wallet created in section 9.
6. The next query returns the values listed in the encrypted column in plain text:
SQL> select credit_limit from oe.customers where rownum <15;
Transparent Data Encryption decrypts them automatically, now using the HSM master
key.
7. Close the wallet:
SQL> alter system set wallet close;
8. Start the Oracle Wallet Manager:
SQL> exit
$ cd /opt/oracle/app/oracle/product/11.1.0/db_1/bin
$ owm
9. Open the software-based wallet and click Change Password. Use the same string you
used for the HSM ("HSM:passphrase") as the new password for the software-based
wallet.
10. Click Save, and then click Exit.
Note: "userID:password", which is the pass phrase of your HSM, should consist of at
least eight alphanumeric characters. If not, change the pass phrase of the Operator Card
Set by using the cardpp --change command.


11. Log back into the database:
$ sqlplus system/password
SQL> alter system set wallet open identified by "HSM:passphrase";
12. Create an encrypted tablespace using the software wallet:
SQL> CREATE TABLESPACE securespace2
DATAFILE '/opt/oracle/oradata/orcl/secure02.dbf'
SIZE 10M
ENCRYPTION
DEFAULT STORAGE(ENCRYPT);
13. Close the wallet:
SQL> alter system set wallet close;
14. Start the Oracle Wallet Manager:
SQL> exit
$ cd /opt/oracle/product/11.1.0/db_1/bin
$ owm
15. Open the software-based wallet, check the Auto-Open option and then click Save.
16. Click Exit.
17. Verify that an auto-open software wallet has been created in the
/opt/oracle/product/11.1.0/db_1/ directory. This directory contains two wallets, the
encryption wallet (ewallet.p12) and the auto-open wallet (cwallet.sso).
18. Rename the encryption wallet:
$ mv ewallet.p12 ewallet.p24
This stops Transparent Data Encryption from opening the encryption wallet.
19. Connect to the database and open the HSM wallet (the software wallet is already open):
$ sqlplus system/password
SQL> alter system set wallet open identified by "HSM_passphrase";
For more information, see the Oracle Database 11g TDE documentation available at:
http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asotrans.htm#g1011122.
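An added example (not part of the nCipher guide) that checks the sqlnet.ora entries from sections 9 and 10 before the database is restarted: it parses ENCRYPTION_WALLET_LOCATION, reports unbalanced brackets such as a dropped "(" before DIRECTORY, and can insist on METHOD = HSM. The sample configurations are constructed from the guide's own entries; the function names are my own.

```python
import re

# Added example (not from the nCipher guide): validate ENCRYPTION_WALLET_LOCATION in
# sqlnet.ora, catching a dropped "(" before DIRECTORY and METHOD = FILE where HSM was meant.
# Constructed samples modelled on the guide's section 9 (FILE) and section 10 (HSM) entries.
FILE_CFG = """ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = FILE) (METHOD_DATA =
(DIRECTORY = /opt/oracle/app/oracle/product/11.1.0/db_1/)))
"""
HSM_CFG = """ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = HSM)(METHOD_DATA =
(DIRECTORY = /opt/oracle/product/11.1.0/db_1/)))
"""
BROKEN_CFG = FILE_CFG.replace("(DIRECTORY", "DIRECTORY")  # the "(" before DIRECTORY dropped

def _balanced(text):
    """True if every '(' is closed by a later ')' and nothing closes too early."""
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def _group_after(text, pos):
    """Return the parenthesised group beginning at the first '(' at or after pos."""
    start, depth = text.find("(", pos), 0
    if start < 0:
        return ""
    for i in range(start, len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            return text[start:i + 1]
    return ""

def check_wallet_location(sqlnet_text, expect_method=None):
    """Return (True, {'method', 'directory'}) or (False, reason) for sqlnet.ora text."""
    text = "\n".join(ln for ln in sqlnet_text.splitlines() if not ln.lstrip().startswith("#"))
    if not _balanced(text):
        return False, "unbalanced parentheses: check the '(' before DIRECTORY"
    m = re.search(r"ENCRYPTION_WALLET_LOCATION\s*=", text)
    if not m:
        return False, "ENCRYPTION_WALLET_LOCATION is not set"
    block = _group_after(text, m.end())
    method = re.search(r"\(\s*METHOD\s*=\s*(\w+)\s*\)", block)
    directory = re.search(r"\(\s*DIRECTORY\s*=\s*([^\s)]+)\s*\)", block)
    if not method or not directory:
        return False, "METHOD or DIRECTORY missing inside ENCRYPTION_WALLET_LOCATION"
    found = method.group(1).upper()
    if expect_method and found != expect_method.upper():
        return False, f"METHOD is {found}, expected {expect_method.upper()}"
    return True, {"method": found, "directory": directory.group(1)}
```

Run check_wallet_location(open(path).read(), expect_method="HSM") against the real $TNS_ADMIN/sqlnet.ora after section 10, step 3; a False result names the fault.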

11. Troubleshooting
The following table describes problems you might encounter when configuring an nCipher
module with Oracle 11g TDE.


Problem                                    Action/Solution

ORA-28376: cannot find PKCS11 library      Check the PKCS #11 library path and confirm that the lib path is correct.
                                           For example, in Solaris 10 SPARC, the lib path must be:
                                           /opt/oracle/extapi/64/hsm/ncipher/1.58.21/libcknfast.so

ORA-28353: failed to open wallet           Ensure that the HSM wallet pass phrase is correct.

ORA-00600: internal error code,            Ensure that you have added an Oracle user in /etc/group as follows:
arguments: [kzthsmgmk: C_GenerateKey],     nfast::100:oracle
[6], [], [], [], [], [], []
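An added example (not the guide's own tooling) that turns the two configuration rows above into pre-flight checks: the PKCS #11 library path layout and presence (ORA-28376) and the oracle user's membership of the nfast group (ORA-00600). The function names are assumptions; the /etc/group text and library file used in demo() are constructed stand-ins.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example (not the guide's own tooling): pre-flight checks for the two configuration
# rows above, the PKCS #11 library path (ORA-28376) and the oracle user's membership of
# the nfast group (ORA-00600 [kzthsmgmk: C_GenerateKey]). Names here are assumptions.

# Layout TDE searches: /opt/oracle/extapi/<32|64>/hsm/<vendor>/<version>/lib<name>.<ext>
EXTAPI_RE = re.compile(r"^/.*/extapi/(32|64)/hsm/[^/]+/[^/]+/lib[^/]+\.\w+$")

def extapi_path_ok(path):
    """True if path is absolute and follows the extapi layout (relative paths fail)."""
    return EXTAPI_RE.match(path) is not None

def parse_group_file(text):
    """Parse /etc/group lines (name:password:gid:members) into {name: [members]}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.strip().split(":", 3)
            groups[name] = [m for m in members.split(",") if m]
    return groups

def check_hsm_prereqs(lib_path, group_text, db_user="oracle", nfast_group="nfast"):
    """Return the problems found; an empty list means both checks passed."""
    problems = []
    if not extapi_path_ok(lib_path):
        problems.append(f"{lib_path}: not in the extapi layout (ORA-28376)")
    if not Path(lib_path).is_file():
        problems.append(f"{lib_path}: library file not found (ORA-28376)")
    elif not os.access(lib_path, os.R_OK):
        problems.append(f"{lib_path}: not readable by this user (ORA-28376)")
    if db_user not in parse_group_file(group_text).get(nfast_group, []):
        problems.append(f"{db_user} not in group {nfast_group} (ORA-00600 kzthsmgmk: C_GenerateKey)")
    return problems

def demo():
    """Run the checks on a constructed library file and constructed /etc/group text."""
    good_group = "root::0:\nnfast::100:oracle\n"   # contains the line the guide adds
    bad_group = "root::0:\nnfast::100:\n"          # nfast group exists, oracle missing
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d, "extapi", "64", "hsm", "ncipher", "1.58.21", "libcknfast.so")
        lib.parent.mkdir(parents=True)
        lib.write_bytes(b"\x7fELF")              # stand-in for the real libcknfast.so
        present = check_hsm_prereqs(str(lib), good_group)
        missing = check_hsm_prereqs(str(lib.with_name("libmissing.so")), bad_group)
    return present, missing
```

On a real host, run check_hsm_prereqs as the oracle user with the section 10 library path and the contents of /etc/group; os.access then reflects the oracle:oinstall ownership the guide requires.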

12. Further information


This guide forms one part of the information and support provided by nCipher. Additional
documentation produced to support your nCipher product can be found in the document
directory of the CD-ROM for that product.
All nCipher product documentation is available from the nCipher web site at
http://active.ncipher.com/documentation.

Contact details
nCipher Corporation, Cambridge, UK
Jupiter House, Station Road, Cambridge CB1 2JD, UK
Tel: +44 (0) 1223 723666
Fax: +44 (0) 1223 723601
E-mail: support@ncipher.com

nCipher Inc., Boston Metro Region, USA
92 Montvale Avenue, Suite 4500, Stoneham, MA 02180, USA
Tel: +1 (781) 994 4008
Fax: +1 (781) 994 4001
E-mail: support@ncipher.com

Web site: http://www.ncipher.com/
Online documentation: http://active.ncipher.com/documentation
