9 Using sqlnet.ora to Configure Transparent Data Encryption Keystores
If you do not want to use the WALLET_ROOT parameter to configure keystores, then you can use the sqlnet.ora file.
- About the Keystore Location in the sqlnet.ora File
  If you have not set the WALLET_ROOT parameter, then Oracle Database checks the sqlnet.ora file for the directory location of the keystore.
- Configuring the sqlnet.ora File for a Software Keystore Location
  Use the sqlnet.ora file to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).
- Example: Configuring a Software Keystore for a Regular File System
  You can configure a software keystore for a regular file system.
- Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
  You can configure multiple databases to share the sqlnet.ora file.
- Example: Configuring a Software Keystore for Oracle Automatic Storage Management
  You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) file system.
- Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
  You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.
About the Keystore Location in the sqlnet.ora File
If you have not set the WALLET_ROOT parameter, then Oracle Database checks the sqlnet.ora file for the directory location of the keystore.
This applies whether the keystore is a software keystore, a hardware security module (HSM) keystore, or an Oracle Key Vault keystore. You must edit the sqlnet.ora file to define a directory location for the keystore that you plan to create. Ensure that this directory exists beforehand. Preferably, this directory should be empty.
Note the following behavior when you must edit the sqlnet.ora file in an Oracle Real Application Clusters (Oracle RAC) or a multitenant environment:
- In an Oracle RAC environment: If you are using the srvctl utility and you want to include environment variables in the sqlnet.ora configuration file, then you must set these environment variables in both the operating system and the srvctl environment. Oracle recommends that you place the keystore on a shared file system, such as Oracle Automatic Storage Management (ASM) or NFS.
- In a multitenant environment: If the sqlnet.ora file is in the CDB root, then the keystore location is set for the entire CDB environment. You can configure a sqlnet.ora file at the PDB level if the PDBs are working in isolated mode.
In the sqlnet.ora file, you must set the ENCRYPTION_WALLET_LOCATION parameter to specify the keystore location. When determining which keystore to use, Oracle Database searches for the keystore location in the following places, in this order:
- It attempts to use the keystore in the location specified by the ENCRYPTION_WALLET_LOCATION parameter in the sqlnet.ora file.
- If the ENCRYPTION_WALLET_LOCATION parameter is not set, then it attempts to use the keystore in the location specified by the WALLET_LOCATION parameter.
- If the WALLET_LOCATION parameter is also not set, then Oracle Database looks for a keystore at the default database location, which is $ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet or $ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. (DB_UNIQUE_NAME is the unique name of the database specified in the initialization parameter file.)
Because of the second step, a WALLET_LOCATION that was configured for another purpose (for example, a wallet used for network encryption) is silently used as the TDE keystore location whenever ENCRYPTION_WALLET_LOCATION is absent; set ENCRYPTION_WALLET_LOCATION explicitly so that the TDE keystore does not depend on that fallback. When the keystore location is not set in the sqlnet.ora file, the V$ENCRYPTION_WALLET view displays the default location. You can check the location and status of the keystore in the V$ENCRYPTION_WALLET view.
By default, the sqlnet.ora file is located in the $ORACLE_HOME/dbs directory or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN environment variable to point to the correct sqlnet.ora file.
Configuring the sqlnet.ora File for a Software Keystore Location
Use the sqlnet.ora file to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).
- To create a software keystore on a regular file system, use the following format when you edit the sqlnet.ora file:
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=path_to_keystore)))
If the path_to_keystore will contain an environment variable, then set this variable in the environment where the database instance is started and before you start the database. If you are using the srvctl utility to start the database, then set the environment variable in the srvctl environment as well, using the following command:
srvctl setenv database -db database_name -env "environment_variable_name=environment_variable_value"
Example: Configuring a Software Keystore for a Regular File System
You can configure a software keystore for a regular file system.
The following example shows how to configure a software keystore location in the sqlnet.ora file for a regular file system in which the database name is orcl.
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
You can configure multiple databases to share the sqlnet.ora file.
The following example shows how to configure a software keystore location when multiple databases share the sqlnet.ora file. The $ORACLE_SID environment variable gives each database its own keystore directory.
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))
Example: Configuring a Software Keystore for Oracle Automatic Storage Management
You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) file system.
The following example shows how to configure a software keystore location in the sqlnet.ora file for an ASM file system:
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+disk1/mydb/wallet)))
Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.
The following format shows how to configure a software keystore if you want to create a software keystore location on an ASM disk group:
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+ASM_file_path_of_the_diskgroup)))
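The lookup order described under "About the Keystore Location in the sqlnet.ora File" (ENCRYPTION_WALLET_LOCATION, then WALLET_LOCATION, then the default path under $ORACLE_BASE or $ORACLE_HOME) and the DIRECTORY forms used in the examples above are easy to get wrong when several databases share one sqlnet.ora or when the path contains an environment variable that is not set for the instance. The following Python script is an added example, not part of this documentation and not Oracle code: it parses the parenthesised sqlnet.ora syntax, applies that lookup order for a given environment and DB_UNIQUE_NAME, and runs pre-flight checks on the resolved directory. The sqlnet.ora text embedded in it is constructed for the example; the check that the directory is not accessible to other users is an added hardening check that the text above does not prescribe; ASM paths (those beginning with +) are recognised and skipped by the file-system checks.

```python
"""Resolve the TDE keystore directory from sqlnet.ora text, following the
order ENCRYPTION_WALLET_LOCATION -> WALLET_LOCATION -> default path, and run
pre-flight checks on the result. Added example, not Oracle code."""
import os
import re
import stat
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample sqlnet.ora (not from a real system). DIRECTORY uses
# $ORACLE_SID so that several databases can share this one file.
SAMPLE_SQLNET_ORA = """
# sqlnet.ora shared by several databases on this host
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/$ORACLE_SID/)))
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/generic)))
"""

_TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,]+")
_ENV_REF = re.compile(r"\$(\w+)|\$\{(\w+)\}")


def _tokenize(text: str) -> List[str]:
    # Lines beginning with '#' are comments in sqlnet.ora.
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return _TOKEN.findall("\n".join(lines))


def _parse_value(tok: List[str], i: int) -> Tuple[Any, int]:
    """A value is a bare atom, or one or more adjacent parenthesised groups:
    KEY=value pairs like (METHOD=FILE)(METHOD_DATA=(...)) or a list (BEQ, TCPS)."""
    if tok[i] != "(":
        return tok[i], i + 1
    pairs: Dict[str, Any] = {}
    atoms: List[str] = []
    while i < len(tok) and tok[i] == "(":
        i += 1
        while i < len(tok) and tok[i] != ")":
            if tok[i] == ",":
                i += 1
            elif i + 2 < len(tok) and tok[i + 1] == "=":
                key = tok[i].upper()
                pairs[key], i = _parse_value(tok, i + 2)
            else:
                atoms.append(tok[i])
                i += 1
        if i >= len(tok):
            raise ValueError("unbalanced parentheses in sqlnet.ora")
        i += 1  # consume ')'
    return (pairs if pairs else atoms), i


def parse_sqlnet_ora(text: str) -> Dict[str, Any]:
    """Top-level parameters keyed by upper-case name."""
    tok, params, i = _tokenize(text), {}, 0
    while i < len(tok):
        if i + 2 >= len(tok) or tok[i + 1] != "=":
            raise ValueError(f"expected NAME = value near {tok[i]!r}")
        name = tok[i].upper()
        params[name], i = _parse_value(tok, i + 2)
    return params


def _expand(path: str, env: Dict[str, str]) -> str:
    """Expand $VAR / ${VAR} from the supplied environment. An unset variable is an
    error: the instance (and srvctl) could not resolve it either."""
    def sub(m):
        name = m.group(1) or m.group(2)
        if name not in env:
            raise ValueError(f"${name} is used in sqlnet.ora but not set in the environment")
        return env[name]
    return _ENV_REF.sub(sub, path)


def _file_directory(params: Dict[str, Any], name: str) -> Optional[str]:
    """DIRECTORY of NAME=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=...))), else None."""
    node = params.get(name)
    source = node.get("SOURCE") if isinstance(node, dict) else None
    if not isinstance(source, dict) or str(source.get("METHOD", "")).upper() != "FILE":
        return None
    data = source.get("METHOD_DATA")
    directory = data.get("DIRECTORY") if isinstance(data, dict) else None
    return directory if isinstance(directory, str) else None


def resolve_keystore_location(text: str, env: Dict[str, str], db_unique_name: str) -> Tuple[str, str]:
    """Return (setting that won, expanded directory) using the documented order."""
    params = parse_sqlnet_ora(text)
    for name in ("ENCRYPTION_WALLET_LOCATION", "WALLET_LOCATION"):
        directory = _file_directory(params, name)
        if directory is not None:
            return name, _expand(directory, env)
    base = env.get("ORACLE_BASE") or env.get("ORACLE_HOME")
    if not base:
        raise ValueError("neither ORACLE_BASE nor ORACLE_HOME is set; no default location")
    return "DEFAULT", os.path.join(base, "admin", db_unique_name, "wallet")


def check_keystore_dir(path: str) -> List[str]:
    """Pre-flight checks: the directory must exist, should be empty, and (added
    hardening check) must not be accessible to 'other'. ASM paths are skipped."""
    if path.startswith("+"):
        return []
    if not os.path.isdir(path):
        return [f"{path} does not exist or is not a directory; create it first"]
    findings = [f"{path} is not empty; an empty directory is preferable"] if os.listdir(path) else []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"{path} is accessible to other users (mode {mode:04o}); restrict it to the Oracle owner")
    return findings


if __name__ == "__main__":
    for sid in ("orcl", "finance"):  # two databases sharing the sample file
        setting, path = resolve_keystore_location(SAMPLE_SQLNET_ORA, {"ORACLE_SID": sid}, sid)
        print(f"{sid}: {setting} -> {path}", check_keystore_dir(path))
```

Run it with the environment the instance actually starts under (for a database started by srvctl, the values shown by srvctl getenv database), and compare the printed path with WRL_PARAMETER in V$ENCRYPTION_WALLET; a mismatch usually means the variable is set in your shell but not in the instance's environment, or that TNS_ADMIN points at a different sqlnet.ora.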