12 Using sqlnet.ora to Configure Transparent Data Encryption Keystores
If you do not want to use the WALLET_ROOT and TDE_CONFIGURATION parameters to configure the keystore location, then you can use the sqlnet.ora file.
- About the Keystore Location in the sqlnet.ora File
  Oracle recommends that you use the WALLET_ROOT and TDE_CONFIGURATION parameters to configure the keystore location, but an alternative is to configure the sqlnet.ora file.
- Configuring the sqlnet.ora File for a Software Keystore Location
  The sqlnet.ora file can be used to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).
- Example: Configuring a Software Keystore for a Regular File System
  You can configure a software keystore for a regular file system.
- Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
  You can configure multiple databases to share the sqlnet.ora file.
- Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
  You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.
Parent topic: Using Transparent Data Encryption
About the Keystore Location in the sqlnet.ora File
Oracle recommends that you use the WALLET_ROOT and TDE_CONFIGURATION parameters to configure the keystore location, but an alternative is to configure the sqlnet.ora file.
However, if you do want to configure the sqlnet.ora file instead, be aware that the instance initialization file-based approach using the WALLET_ROOT and TDE_CONFIGURATION parameters is recommended. It avoids the possibility of inconsistent configuration that can arise when using sqlnet.ora, because each connection to the database re-reads the contents of the sqlnet.ora parameter file. With the instance initialization file-based approach, because the WALLET_ROOT parameter is read only once when the database instance starts, there is no risk of inconsistency. In a multitenant environment, the use of the WALLET_ROOT initialization parameter is preferred over the use of sqlnet.ora because it enables each tenant PDB to perform independent management operations.
If you have not set the WALLET_ROOT and TDE_CONFIGURATION initialization parameters, then Oracle Database checks the sqlnet.ora file for the directory location of the keystore. This applies whether the keystore is a software keystore, a hardware security module (HSM) keystore, or an Oracle Key Vault keystore. You must edit the sqlnet.ora file to define a directory location for the keystore that you plan to create. Ensure that this directory exists beforehand. Preferably, this directory should be empty.
Note the following behavior when you must edit the sqlnet.ora file in Oracle Real Application Clusters (Oracle RAC) or a multitenant environment:
- In an Oracle RAC environment: If you are using the srvctl utility and if you want to include environment variables in the sqlnet.ora configuration file, then you must set these environment variables in both the operating system and the srvctl environment. Oracle recommends that you place the keystore on a shared file system, such as Oracle Automatic Storage Management (ASM) or NFS.
- In a multitenant environment: Only united mode is supported if sqlnet.ora is used for TDE configuration in the multitenant environment. Isolated mode is only supported if the WALLET_ROOT and TDE_CONFIGURATION parameters are used for TDE configuration.
In the sqlnet.ora file, you must set the ENCRYPTION_WALLET_LOCATION parameter to specify the keystore location. However, be aware that ENCRYPTION_WALLET_LOCATION is deprecated, starting with Oracle Database release 19c, in favor of using the WALLET_ROOT and TDE_CONFIGURATION initialization parameters.
By default, the sqlnet.ora file is located in the $ORACLE_BASE/network/admin directory (if the ORACLE_BASE environment variable is set) or in the $ORACLE_HOME/network/admin location, or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN environment variable to point to the correct sqlnet.ora file. When the keystore location is not set in the sqlnet.ora file, the V$ENCRYPTION_WALLET view displays the default location. You can check the location and status of the keystore in the V$ENCRYPTION_WALLET view.
Configuring the sqlnet.ora File for a Software Keystore Location
The sqlnet.ora file can be used to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).
- To create a software keystore on a regular file system, use the following format when you edit the sqlnet.ora file:
  ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
  (METHOD=FILE)
  (METHOD_DATA=
  (DIRECTORY=path_to_keystore)))
  If the path_to_keystore will contain an environment variable, then set this variable in the environment where the database instance is started and before you start the database. If you are using the srvctl utility to start the database, then set the environment variable in the srvctl environment as well, using the following command:
  srvctl setenv database -db database_name -env "environment_variable_name=environment_variable_value"
Note:
Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location. WALLET_ROOT and TDE_CONFIGURATION can be used for a regular file system, multiple database access, and ASM.
Example: Configuring a Software Keystore for a Regular File System
You can configure a software keystore for a regular file system.
The following example shows how to configure a software keystore location in the sqlnet.ora file for a regular file system in which the database name is orcl.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
Note:
Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location.
Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File
You can configure multiple databases to share the sqlnet.ora file.
The following example shows how to configure a software keystore location when multiple databases share the sqlnet.ora file. The $ORACLE_SID environment variable gives each database its own keystore directory.
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))
Note:
Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location. You should set these parameters individually for each database.
Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group
You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.
The following format shows how to configure a software keystore if you want to create a software keystore location on an ASM disk group:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=+disk_group_name/path_within_the_ASM_diskgroup)))
Note:
Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location.
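The following Python check is an added example, not part of the Oracle documentation, that applies the rules stated in this chapter: it resolves which sqlnet.ora is read (TNS_ADMIN, then $ORACLE_BASE/network/admin, then $ORACLE_HOME/network/admin), parses ENCRYPTION_WALLET_LOCATION, expands environment variables such as $ORACLE_SID from a supplied environment (the shared-sqlnet.ora example), and confirms the keystore directory exists, skipping the file-system check for an ASM disk group (+) path. The sample sqlnet.ora text and all function names are constructed for this example.

```python
import os
import re

# Constructed sample sqlnet.ora text (the shared multi-database form), not a real file.
SAMPLE_SQLNET_ORA = """
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))
"""

def sqlnet_ora_path(env):
    """Which sqlnet.ora is read: TNS_ADMIN, else $ORACLE_BASE, else $ORACLE_HOME."""
    if env.get("TNS_ADMIN"):
        return os.path.join(env["TNS_ADMIN"], "sqlnet.ora")
    base = env.get("ORACLE_BASE") or env.get("ORACLE_HOME", "")
    return os.path.join(base, "network", "admin", "sqlnet.ora")

def parse_wallet_location(text):
    """Return METHOD and DIRECTORY from ENCRYPTION_WALLET_LOCATION, or None if absent."""
    body = "".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    flat = re.sub(r"\s+", "", body)  # whitespace between the nested parentheses is insignificant
    m = re.search(r"ENCRYPTION_WALLET_LOCATION=\(SOURCE=\(METHOD=(\w+)\)"
                  r"\(METHOD_DATA=\(DIRECTORY=([^)]+)\)\)\)", flat)
    return {"method": m.group(1), "directory": m.group(2)} if m else None

def expand_directory(directory, env):
    """Expand $VAR references from env; also report variables that are unset."""
    names = re.findall(r"\$(\w+)", directory)
    expanded = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), directory)
    return expanded, [n for n in names if n not in env]

def check_keystore_location(text, env, isdir=os.path.isdir):
    """Validate the configured keystore location; isdir is injectable for testing."""
    loc = parse_wallet_location(text)
    if loc is None:
        return {"ok": False, "reason": "ENCRYPTION_WALLET_LOCATION not found", "directory": ""}
    directory, missing = expand_directory(loc["directory"], env)
    if loc["method"] != "FILE":
        return {"ok": False, "reason": "METHOD is " + loc["method"] + ", not FILE", "directory": directory}
    if missing:  # under srvctl these must also be set with 'srvctl setenv database'
        return {"ok": False, "reason": "unset environment variables: " + ", ".join(missing), "directory": directory}
    if directory.startswith("+"):  # ASM disk group, not a local file system path
        return {"ok": True, "reason": "ASM disk group path; file-system check skipped", "directory": directory}
    if not isdir(directory):
        return {"ok": False, "reason": "keystore directory does not exist", "directory": directory}
    return {"ok": True, "reason": "", "directory": directory}
```

Run check_keystore_location(open(sqlnet_ora_path(os.environ)).read(), os.environ) on a database host to see which directory the database will actually use.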