12 Using sqlnet.ora to Configure Transparent Data Encryption Keystores

If you do not want to use the WALLET_ROOT and TDE_CONFIGURATION parameters to configure the keystore location, then you can use the sqlnet.ora file.

About the Keystore Location in the sqlnet.ora File

Oracle recommends that you use the WALLET_ROOT and TDE_CONFIGURATION parameters to configure the keystore location, but an alternative is to configure the sqlnet.ora file.

However, if you do decide to configure the sqlnet.ora file instead, be aware that the instance initialization file-based approach using the WALLET_ROOT and TDE_CONFIGURATION parameters is recommended. It avoids the possibility of inconsistent configuration that can arise with sqlnet.ora, because each connection to the database re-reads the contents of the sqlnet.ora parameter file. With the instance initialization file-based approach, the WALLET_ROOT parameter is read only once, when the database instance starts, so there is no risk of inconsistency. In a multitenant environment, the use of the WALLET_ROOT initialization parameter is preferred over the use of sqlnet.ora because it enables each tenant PDB to perform independent management operations.

If you have not set the WALLET_ROOT and TDE_CONFIGURATION initialization parameters, then Oracle Database checks the sqlnet.ora file for the directory location of the keystore. This applies whether the keystore is a software keystore, a hardware security module (HSM) keystore, or an Oracle Key Vault keystore. You must edit the sqlnet.ora file to define a directory location for the keystore that you plan to create. Ensure that this directory exists beforehand. Preferably, this directory should be empty.

Note the following behavior if you edit the sqlnet.ora file in Oracle Real Application Clusters (Oracle RAC) or a multitenant environment:

  • In an Oracle RAC environment: If you are using the srvctl utility and if you want to include environment variables in the sqlnet.ora configuration file, then you must set these environment variables in both the operating system and the srvctl environment. Oracle recommends that you place the keystore on a shared file system, such as Oracle Automatic Storage Management (ASM) or NFS.

  • In a multitenant environment: Only united mode is supported if sqlnet.ora is used for TDE configuration in the multitenant environment. Isolated mode is only supported if the WALLET_ROOT and TDE_CONFIGURATION parameters are used for TDE configuration.

In the sqlnet.ora file, you must set the ENCRYPTION_WALLET_LOCATION parameter to specify the keystore location. However, be aware that ENCRYPTION_WALLET_LOCATION is deprecated starting with Oracle Database release 19c, in favor of the WALLET_ROOT and TDE_CONFIGURATION initialization parameters.

By default, the sqlnet.ora file is located in the $ORACLE_BASE/network/admin directory (if the ORACLE_BASE environment variable is set) or in the $ORACLE_HOME/network/admin directory, or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN environment variable to point to the correct sqlnet.ora file. When the keystore location is not set in the sqlnet.ora file, the V$ENCRYPTION_WALLET view displays the default location. You can check the location and status of the keystore in the V$ENCRYPTION_WALLET view.

Configuring the sqlnet.ora File for a Software Keystore Location

The sqlnet.ora file can be used to configure the keystore location for a regular file system, for multiple database access, and for use with Oracle Automatic Storage Management (ASM).

  • To create a software keystore on a regular file system, use the following format when you edit the sqlnet.ora file:

    ENCRYPTION_WALLET_LOCATION=
     (SOURCE=
      (METHOD=FILE)
       (METHOD_DATA=
        (DIRECTORY=path_to_keystore)))

If path_to_keystore contains an environment variable, then set this variable in the environment where the database instance is started, before you start the database. If you are using the srvctl utility to start the database, then set the environment variable in the srvctl environment as well, using the following command:

srvctl setenv database -db database_name -env "environment_variable_name=environment_variable_value"

Note:

Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location. WALLET_ROOT and TDE_CONFIGURATION can be used for a regular file system, multiple database access, and ASM.

Example: Configuring a Software Keystore for a Regular File System

You can configure a software keystore for a regular file system.

The following example shows how to configure a software keystore location in the sqlnet.ora file for a regular file system in which the database name is orcl.

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
   (METHOD=FILE)
    (METHOD_DATA=
     (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

Note:

Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location.

Example: Configuring a Software Keystore When Multiple Databases Share the sqlnet.ora File

You can configure multiple databases to share the sqlnet.ora file.

The following example shows how to configure a software keystore location when multiple databases share the sqlnet.ora file.

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))

Note:

Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location. You should set these parameters individually for each database.
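The following shell script is an added example; it is not part of the Oracle documentation or of any Oracle tool. It resolves the sqlnet.ora path by the rules given above (assuming that TNS_ADMIN, when set, takes precedence over the $ORACLE_BASE and $ORACLE_HOME defaults), extracts the DIRECTORY value from a METHOD=FILE ENCRYPTION_WALLET_LOCATION entry, expands environment variable references such as the $ORACLE_SID used in the shared-file example, and then checks that the directory exists, is empty and is not accessible to other users. The function names, the DEMO_WALLET_BASE variable and the temporary sample configuration are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): find the sqlnet.ora an instance reads,
# pull the keystore DIRECTORY out of ENCRYPTION_WALLET_LOCATION, expand the
# $VARIABLE references the shared-sqlnet.ora pattern depends on, and check the
# directory before the keystore is created. Only METHOD=FILE is recognised.

# Assumption: TNS_ADMIN, when set, overrides the default locations.
resolve_sqlnet_ora() {
  if [ -n "${TNS_ADMIN:-}" ]; then
    printf '%s\n' "$TNS_ADMIN/sqlnet.ora"
  elif [ -n "${ORACLE_BASE:-}" ]; then
    printf '%s\n' "$ORACLE_BASE/network/admin/sqlnet.ora"
  elif [ -n "${ORACLE_HOME:-}" ]; then
    printf '%s\n' "$ORACLE_HOME/network/admin/sqlnet.ora"
  else
    echo "none of TNS_ADMIN, ORACLE_BASE or ORACLE_HOME is set" >&2; return 1
  fi
}
# Drop comment lines, collapse the multi-line parameter (whitespace between the
# parenthesised tokens is not significant) and capture the nested DIRECTORY
# value. Prints it unexpanded; prints nothing if the parameter is absent.
extract_wallet_directory() {
  { grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n'; echo; } |
    sed -n 's/.*ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\([^)]*\))).*/\1/p'
}
# Expand $NAME and ${NAME}. Names are validated before they reach eval, so
# configuration text is never run as shell code. An unset variable is reported,
# left in place and makes the function return 1: the text requires it to be
# set in the environment that starts the instance (and in srvctl's).
expand_env_vars() {
  value=$1; result=; status=0
  while case $value in *'$'*) true ;; *) false ;; esac; do
    result=$result${value%%\$*}
    rest=${value#*\$}
    case $rest in
      '{'*) name=${rest#?}; name=${name%%\}*}; rest=${rest#*\}} ;;
      *)    name=$(printf '%s' "$rest" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p')
            rest=${rest#"$name"} ;;
    esac
    case $name in
      ''|*[!A-Za-z0-9_]*) result=$result'$' ;;   # a bare $, not a reference
      *) eval "isset=\${$name+set}"
         if [ -n "$isset" ]; then eval "result=\$result\${$name}"
         else echo "warning: $name is not set in this environment" >&2
              result=$result'$'$name; status=1; fi ;;
    esac
    value=$rest
  done
  printf '%s\n' "$result$value"
  return "$status"
}
# Checks named in the text (directory exists, preferably empty) plus one a
# practitioner adds: group/other permission bits (columns 5-10 of ls -ld) must
# be clear, because this directory will hold the TDE master encryption keys.
check_keystore_dir() {
  dir=$1; findings=0
  [ -d "$dir" ] || { echo "missing: $dir does not exist; create it first"; return 1; }
  if [ -n "$(ls -A "$dir")" ]; then
    echo "not-empty: $dir already contains files"; findings=$((findings + 1))
  fi
  if [ "$(ls -ld "$dir" | cut -c5-10)" != "------" ]; then
    echo "permissions: $dir is accessible to group or others"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "ok: $dir"
  return "$findings"
}
# An optional argument overrides the resolved sqlnet.ora path.
audit_sqlnet_ora() {
  file=${1:-$(resolve_sqlnet_ora)} || return 2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  raw=$(extract_wallet_directory "$file")
  [ -n "$raw" ] || { echo "no METHOD=FILE ENCRYPTION_WALLET_LOCATION in $file" >&2; return 2; }
  dir=$(expand_env_vars "$raw") || return 2
  check_keystore_dir "$dir"
}
# Constructed demo input, not a real site: a temporary TNS_ADMIN directory with
# the shared-sqlnet.ora pattern from this section and an empty, owner-only
# wallet directory for ORACLE_SID=orcl. DEMO_WALLET_BASE is a made-up variable
# standing in for a site path such as /etc/ORACLE/WALLETS.
make_demo_config() {
  d=$(mktemp -d)
  mkdir -m 700 -p "$d/WALLETS/orcl"
  cat > "$d/sqlnet.ora" <<'EOF'
# constructed sample sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=$DEMO_WALLET_BASE/$ORACLE_SID/)))
EOF
  printf '%s\n' "$d"
}
demo_dir=$(make_demo_config)
DEMO_WALLET_BASE=$demo_dir/WALLETS; ORACLE_SID=orcl; TNS_ADMIN=$demo_dir
export DEMO_WALLET_BASE ORACLE_SID TNS_ADMIN
audit_sqlnet_ora || echo "audit finished with findings (exit $?)"
rm -rf "$demo_dir"
```

Run it with no arguments in the environment that starts the instance (for an srvctl-managed database, with the same variables also set through srvctl setenv), or pass an explicit sqlnet.ora path. A warning that a variable is unset is exactly the symptom the text warns about: the DIRECTORY would then resolve to a different path than the one intended, and the keystore would be looked for, or created, in the wrong place.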

Example: Configuring a Software Keystore for an Oracle Automatic Storage Management Disk Group

You can configure sqlnet.ora for an Oracle Automatic Storage Management (ASM) disk group.

The following format shows how to configure a software keystore if you want to create a software keystore location on an ASM disk group:

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+disk_group_name/path_within_the_ASM_diskgroup)))

Note:

Starting with Oracle Database release 19c, the ENCRYPTION_WALLET_LOCATION parameter is deprecated. Instead, use the WALLET_ROOT static initialization parameter and the TDE_CONFIGURATION dynamic initialization parameter to configure the wallet location.