Autologin for HSM
This page describes how to simulate auto-login functionality for an HSM by using an additional software keystore to store the HSM partition password.
The PrimusHSM itself does not natively support auto-login. However, Oracle TDE allows similar behavior by storing the HSM password securely in an external software keystore.
Enable Auto-Login on the Software Keystore
Enable local auto-login for the software keystore:
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '&wallet_root/tde' IDENTIFIED BY "<KeystorePassword>";
Temporarily Switch TDE Configuration
To store the HSM password in the software keystore, the software keystore must temporarily be the primary keystore. Change the TDE_CONFIGURATION parameter to cover the software keystore as well as the HSM, with the software keystore listed first:
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=FILE|HSM' SCOPE=BOTH;
Restart Database
Restart the database to make sure the software keystore is now the primary wallet. At this stage the HSM is not open and no master encryption keys are available, so encrypted data cannot be accessed.
SHUTDOWN IMMEDIATE;
STARTUP;
Add HSM Password to Software Keystore
Add the HSM password to the new software keystore. This ensures it is used to open the hardware keystore when the database is restarted. FORCE KEYSTORE is required because the software keystore is in auto-login mode.
ADMINISTER KEY MANAGEMENT ADD SECRET '<HSMPassword>' FOR CLIENT 'HSM_PASSWORD' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP USING 'add_hsm_partition_password';
Reset TDE Configuration
Set the TDE_CONFIGURATION parameter to cover the software keystore as well as the HSM, but now make the HSM primary:
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=SPFILE;
Restart Database
Restart the database to make sure the hardware keystore is now the primary wallet. During restart the hardware keystore will be opened using the HSM password stored in the software keystore.
After this restart the auto-login behaviour is in place and encrypted data is fully accessible.
SHUTDOWN IMMEDIATE;
STARTUP;
Verify Final Wallet and Key Status
Check the status of the software keystore and the HSM:
SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;
If the software keystore was created solely to support HSM auto-login, its status will be OPEN_NO_MASTER_KEY, which is expected, as it only stores the HSM password.
However, if the keystore was previously used and migrated to the HSM, it may still contain an old master encryption key, and its status will show as OPEN.
WRL_TYPE  WRL_PARAMETER                               STATUS              WALLET_TYPE      WALLET_ORDER
--------- ------------------------------------------- ------------------- ---------------- ------------
FILE      /u00/app/oracle/admin/TDEHSM01/wallet/tde/  OPEN_NO_MASTER_KEY  LOCAL_AUTOLOGIN  SINGLE
HSM                                                   OPEN                HSM              SINGLE
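As an added check that is not part of the original page, the following PL/SQL block encodes the expected end state of the procedure above (HSM primary, HSM open, software keystore in auto-login mode, HSM_PASSWORD secret stored) and reports PASS or FAIL per item. It assumes Oracle 12.2 or later for V$CLIENT_SECRETS, DBMS_OUTPUT enabled, and a session connected to the container that owns the keystore.

```sql
-- Added verification script (not from the original page); see lead-in for assumptions.
SET SERVEROUTPUT ON
DECLARE
  l_cfg       VARCHAR2(4000);
  l_hsm_stat  VARCHAR2(30);
  l_file_type VARCHAR2(30);
  l_file_stat VARCHAR2(30);
  l_secrets   NUMBER;
  l_con_id    NUMBER := SYS_CONTEXT('USERENV', 'CON_ID');

  -- Print one PASS/FAIL line per check
  PROCEDURE report(p_name VARCHAR2, p_ok BOOLEAN, p_detail VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(CASE WHEN p_ok THEN 'PASS ' ELSE 'FAIL ' END
                         || p_name || ': ' || p_detail);
  END;
BEGIN
  -- 1. HSM must be primary, the software keystore secondary (final TDE_CONFIGURATION)
  SELECT value INTO l_cfg FROM v$parameter WHERE name = 'tde_configuration';
  report('TDE_CONFIGURATION', l_cfg = 'KEYSTORE_CONFIGURATION=HSM|FILE', l_cfg);

  -- 2. The hardware keystore was opened at STARTUP using the stored password
  SELECT status INTO l_hsm_stat
    FROM v$encryption_wallet WHERE wrl_type = 'HSM' AND con_id = l_con_id;
  report('HSM keystore', l_hsm_stat = 'OPEN', l_hsm_stat);

  -- 3. Software keystore is auto-login. OPEN_NO_MASTER_KEY means it holds only the
  --    password; OPEN means it still carries a master key from an earlier migration.
  SELECT wallet_type, status INTO l_file_type, l_file_stat
    FROM v$encryption_wallet WHERE wrl_type = 'FILE' AND con_id = l_con_id;
  report('FILE keystore auto-login', l_file_type IN ('LOCAL_AUTOLOGIN', 'AUTOLOGIN'), l_file_type);
  report('FILE keystore status', l_file_stat IN ('OPEN_NO_MASTER_KEY', 'OPEN'), l_file_stat);

  -- 4. The HSM_PASSWORD client secret must actually be present in the keystore
  SELECT COUNT(*) INTO l_secrets
    FROM v$client_secrets WHERE client = 'HSM_PASSWORD' AND con_id = l_con_id;
  report('HSM_PASSWORD secret present', l_secrets = 1, l_secrets || ' row(s)');
END;
/
```

Any FAIL line points at the step of the procedure that did not take effect, such as a SCOPE=SPFILE change not yet picked up by a restart or a missing ADD SECRET.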
You can now view and modify the encrypted tablespace and columns without providing the passwords.