Troubleshooting

This page lists the common troubleshooting activities that should be considered while setting up your Oracle TDE with Securosys HSM.

Securosys Troubleshooting

The setup used in this document relies on the Securosys PKCS#11 Provider as a means of connecting to your HSM partition.

You can follow the instructions provided on the Testing and Troubleshooting page for more information and answers.

Oracle Troubleshooting

On this page, you can find common commands and use cases when debugging issues with Oracle TDE setup.

Verify the Software Keystore:

SET LINESIZE 160 PAGESIZE 200
COL wrl_type FOR A10
COL wrl_parameter FOR A50
COL status FOR A20
COL wallet_type FOR A20
COL wallet_order FOR A20
SELECT wrl_type, wrl_parameter, status, wallet_type,wallet_order FROM v$encryption_wallet;

Verify the Encryption Keys:

SET LINESIZE 160 PAGESIZE 200
ALTER SESSION SET nls_timestamp_tz_format="DD.MM.YYYY HH24:MI:SS";
COL key_id FOR A52
COL tag FOR A10
COL creation_time FOR A19
COL activation_time FOR A19
COL creator FOR A10
COL user FOR A10
COL key_use FOR A7
COL creator_dbname FOR A10
COL backed_up FOR A8

SELECT key_id, tag, creation_time, activation_time, creator, user, key_use, backed_up, creator_dbname FROM v$encryption_keys;

Check PKCS#11 Library

Ensure that your oracle user has the correct permissions over the Primus Library files:

#here the path for the library assumes that the PKCS#11 version is 2.3.4, but this can differ
chown oracle:oinstall /opt/oracle/extapi/64/hsm/primus/2.3.4/libprimusP11.so

Verify if we have the corresponding library loaded. Below command is intend to be used directly from SQLPlus. Otherwise you would have to omit host.

host pmap $(pgrep -f ora_gen0_.*) | grep libprimusP11