Introduction
This guide describes how to integrate and use Entrust Web Services Option Pack (WSOP) with an Oracle database. The Oracle feature Transparent Data Encryption (TDE) provides data-at-rest encryption for sensitive information held by the Oracle database, while at the same time allowing authorized clients to use the database.
Oracle database software, and Entrust Web Services Option Pack (WSOP), can be independently installed on separate host servers. They can then be configured to interoperate through a single library interface. It is possible to support multiple database instances on the same WSOP server, while each database instance is restricted to access only its own encryption keys. Oracle cluster technology is also supported.
Integrated Oracle and Entrust technology has been tested to support Oracle TDE for tablespace encryption, or column encryption, or concurrently for both. Entrust nShield HSMs are certified to FIPS 140 (level 3) to deliver a high grade of security assurance and were used by the WSOP configuration during testing. Functionality includes protection of sensitive encryption keys and support for offload of encryption and key management operations.
Using this guide
This Integration Guide covers UNIX/Linux based systems. Any time the term HSM protection is used in this guide, it refers to the HSM being used in the configuration of the WSOP system used in the integration. It provides:
- An overview of how the Oracle database software and Entrust WSOP software work together to enhance security.
- Configuration and installation instructions.
- Depending on your current Oracle setup, how to:
  - Migrate encryption from an existing Oracle wallet or keystore to HSM protection.
  - Begin using HSM protection immediately if no Oracle software wallet or keystore already exists.
- Examples and advice on how the product may be used.
- Troubleshooting advice.
It is assumed the reader has a good knowledge of Oracle database technology.
Assuming you already have your Oracle database installed, after installing and configuring the Entrust WSOP software with the Security World software and HSM, there is no other software required. However, some minor configuration changes will be needed.
This guide cannot anticipate all configuration requirements a customer may have. Examples shown in this guide are not exhaustive, and may not necessarily show the simplest or most efficient methods of achieving the required results. The examples should be used to guide integration of the Entrust WSOP with an Oracle database, and should be adapted to your own circumstances.
Entrust accepts no responsibility for loss of data, or services, incurred by use of examples, or any errors in this guide. For your own reassurance, it is recommended you thoroughly check your own solutions in safe test conditions before committing them to a production environment. If you require additional help in setting up your system, contact Entrust Support.
Entrust accepts no responsibility for information in this guide that is made obsolete by changes or upgrades to the Oracle product.
This guide assumes that you have read the WSOP, Security World and HSM documentation, and are familiar with the documentation and setup processes for Oracle database TDE.
Product configuration
Entrust has successfully tested WSOP integration in the following configurations:
Oracle Server

OS Version | Kernel | Oracle Version | WSOP Client Version
---|---|---|---
Red Hat Enterprise Linux release 9.4 (Plow) | Linux 5.14.0-427.16.1.el9_4.x86_64 | Oracle Database 23ai 23.4.0.24.05 | 3.3 - wsop-p11-3.3.0-714-5306bc4 Client

WSOP Server

OS Version | Kernel | Security World | WSOP Version
---|---|---|---
Red Hat Enterprise Linux release 8.10 (Ootpa) | Linux 4.18.0-513.24.1.el8_9.x86_64 | 13.4.5 | 3.3 wsop-p11-3.3.0-714-5306bc4
Supported nShield hardware and software versions
Entrust has successfully tested with the following nShield hardware and software versions:
Note: WSOP currently only supports softcard protection, so OCS and module protection are not supported.
Conventions used in this document
Database connections
You must be a user with correct permissions to access a database, and also have the correct privileges to perform the required operations when connected to that database. Your system administrator should be able to create users and grant suitable permissions and privileges according to your organization’s security policies.
- <database-user> is the user identity making the connection.
- <database-identifier> is the database to make the connection to.
For the purpose of examples in this guide, the following database users and database identifiers should be sufficient.
Note: This guide uses the FREE database container that comes installed with Oracle 23ai.
- <database-user>. This guide will use one of the following users for connecting to databases:
  - sysdba, Oracle’s standard sysdba user.
  - system, Oracle’s standard system user.
  - C##TESTER, as a common user for the container (FREE) and the PDBs it contains.
  - FREEPDB<k>TESTER, as a local user for a PDB<k> within container FREE, where <k> is a distinguishing digit.
- <database-identifier>. This guide will use one of the following database identifiers during a connection:
  - FREE, to connect to the $CDB$ROOT for the FREE container database.
  - FREEPDB<k>, to connect to PDB<k> within the FREE database.
For example:
CONNECT sysdba@FREE
CONNECT C##TESTER@FREE
CONNECT C##TESTER@FREEPDB1
The connection implies that you must alter a session if you are not already connected to the required container. For example:
- Example 1: CONNECT C##TESTER@FREE
  This implies that, if you are not already connected to FREE, then alter the session: ALTER SESSION SET CONTAINER = FREE$ROOT;
- Example 2: CONNECT FREEPDB<k>TESTER@FREEPDB<k>
  This implies that, if you are not already connected to FREEPDB<k>, then alter the session: ALTER SESSION SET CONTAINER = FREEPDB<k>;
Examples of sqlplus connection syntax for different users:
- sqlplus / as sysdba
- sqlplus / as sysdba@CDB1ROOT
- sqlplus FREEPDB1TESTER/Tester@//localhost:1521/FREEPDB1.interop.com
Key migration and legacy keys
Encryption master keys may be migrated from an existing Oracle keystore to Entrust WSOP, or vice versa. In this case, and as used in this document, the term 'key migration' means that the responsibility for holding the master keys is being migrated. The encryption keys themselves are not copied (or imported) between a software keystore and WSOP. Fresh master key(s) are created within the software keystore or WSOP that is to become the new key protector as a result of the migration. Subsidiary keys that are being protected are re-encrypted using the fresh master key(s). Thereafter, any new master keys are created in the current key protector you have migrated to.
During rekey, the previous master keys, or legacy keys, remain in the software keystore or WSOP where they were created. After you have performed a key migration, you can retain access to the legacy keys in the software keystore or WSOP you have migrated away from by making its passphrase the same as the current key protector’s. This allows both to be open at the same time, giving access to the encryption keys held in each. If you do not do this, you will only be able to access keys in the current key protector. If you are using both a software keystore and WSOP at the same time, whichever is the current key protector is called the primary.
Note: Oracle uses the term HSM when the key is not protected by the software keystore. This integration uses WSOP to play the role of the HSM in the Oracle setup. WSOP uses an HSM to protect the keys.
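As an added illustration of the migration described above (not a procedure taken from this guide), the following SQL shows the standard Oracle ADMINISTER KEY MANAGEMENT sequence for moving master-key protection from a password-protected software keystore to the HSM role played by WSOP, then keeping the legacy keystore reachable and verifying the result. The values in angle brackets are placeholders; <hsm_credential> is assumed to be the WSOP softcard passphrase, and the statements are assumed to run in the root container as a user holding SYSKM or SYSDBA.

```sql
-- Added example (not from the Entrust guide): migrate the TDE master key from a
-- software keystore to the HSM (WSOP), retain the legacy keystore, and verify.
-- Placeholders: <sw_keystore_password>, <hsm_credential> (assumed WSOP softcard passphrase).

-- 1. Make the HSM the primary key protector, with the software keystore still
--    configured (the "|FILE" part is what keeps the legacy keystore reachable).
ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=HSM|FILE" SCOPE=BOTH;

-- 2. The software keystore holding the current master key must be open.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<sw_keystore_password>";

-- 3. Migrate: a fresh master key is created in the HSM and the tablespace/column
--    keys are re-encrypted under it; no key material is copied out of either side,
--    and the previous master key stays in the software keystore as a legacy key.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "<hsm_credential>"
  MIGRATE USING "<sw_keystore_password>"
  WITH BACKUP;

-- 4. Optional: set the legacy keystore's password to the HSM credential so both
--    key protectors open together and data encrypted under old keys stays readable.
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD
  IDENTIFIED BY "<sw_keystore_password>"
  SET "<hsm_credential>"
  WITH BACKUP;

-- 5. Verify: expect an HSM row with STATUS = OPEN, a FILE row for the legacy
--    keystore, and more than one master key listed in V$ENCRYPTION_KEYS.
SELECT wrl_type, status, wallet_type, keystore_mode
  FROM v$encryption_wallet;

SELECT key_id, keystore_type, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY activation_time;
```

If the FILE row in V$ENCRYPTION_WALLET reports CLOSED after step 4, the legacy keys are present but not accessible until that keystore is opened with the matching credential.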
Overview
Transparent Data Encryption (TDE) is used to encrypt an entire database in a way that does not require changes to existing queries and applications. A database encrypted with TDE is automatically decrypted when the database loads it into memory from disk storage, which means that a client can query the database within the server environment without having to perform any decryption operations. The database is encrypted again when saved to disk storage. When using TDE, data is not protected by encryption whilst in memory. The encryption keys that are used to encrypt the database are typically held as part of the database, but these keys are themselves encrypted using a master encryption key in order to protect them. Using an Entrust WSOP allows the master encryption keys to be kept physically separate from the database it is protecting, and also provides a hardware protected boundary from which encryption keys can never leave in plaintext. Additionally, the encryption keys are held by the WSOP server in the Security World which is also encrypted and is useless to anyone who does not possess the authorized means to access them.
Note: Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
Other benefits of using the nShield WSOP include:
- Ability to store keys from all across an enterprise in one place for easy management.
- Key retention (rotate keys while keeping the old ones).
- FIPS and Common Criteria compliance.