Implement Oracle TDE and TNS TLS in Oracle 19c running in a Docker Container

 


In this article, I share with you how to implement Oracle TDE (Transparent Data Encryption) and TNS TLS in an Oracle 19.9.0.0 database running as a Docker container.

You can view the accompanying video at https://youtu.be/RR0rG0QOkgI.

I have a Docker network, oracledb, that I use for the Oracle database.
[oracle@dockerhost dockerOracle19c]$ cat createNetwork.sh
docker network create \
  --driver=bridge \
  --subnet=172.19.0.0/16 \
  --ip-range=172.19.5.0/24 \
  --gateway=172.19.5.254 \
  oracledb

Here is the startup script for the Oracle container.
[oracle@dockerhost dockerOracle19c]$ cat startOracleKind.sh
docker stop oracle19c
docker run -dt --network=oracledb --name oracle19c --hostname dockerdb --user oracle --ip 172.19.5.10 \
-p 192.168.1.45:1521:1521 -p 192.168.1.45:5500:5500 \
-e ORACLE_SID=KIND \
-e ORACLE_PDB=KINDPDB \
-v /oradrive/oradata/KIND/network/admin:/opt/oracle/product/19c/dbhome_1/network/admin \
-v /oradrive/oradata/KIND/dbs:/opt/oracle/product/19c/dbhome_1/dbs \
-v /oradrive/oradata/KIND/wallet:/opt/oracle/wallet \
-v /oradrive/oradata:/opt/oracle/oradata \
oracle/database:19.3.0-ee

Please make sure to assign a hostname to the container if you want TDE to work. The encryption keys take the hostname of the host server into account. If you don't assign one, Docker assigns a random hostname to each new container and the TDE keys would not work.


Here is the Docker container I have running.
[oracle@dockerhost ~]$ docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED        STATUS        PORTS                                                      NAMES
5b75b2c74d17   oracle/database:19.3.0-ee   "/bin/sh -c 'exec $O…"   16 hours ago   Up 16 hours   192.168.1.45:1521->1521/tcp, 192.168.1.45:5500->5500/tcp   oracle19c


Persisting the wallet
You will see that I have a local folder /oradrive/oradata/KIND/wallet that maps to /opt/oracle/wallet in the container.
-v /oradrive/oradata/KIND/wallet:/opt/oracle/wallet \

The wallet has to be created from within the container the first time. A wallet created from outside the container would not work.

Open a bash shell in the container
[oracle@localhost ~]$ docker exec -it oracle19c bash
[oracle@dockerdb /]$

Create an empty TDE wallet
[oracle@dockerdb ~]$ orapki wallet create -wallet $wallet -auto_login_local
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.

Add a self-signed certificate to the wallet.

[oracle@dockerdb ~]$ orapki wallet add -wallet $wallet -dn "CN=dockerdb.hqsft.com" -keysize 4096 -self_signed -validity 3650
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.

Modify the listener.ora file to use the wallet.

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    )
  )

DEDICATED_THROUGH_BROKER_LISTENER=ON
DIAG_ADR_ENABLED = off

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Modify the sqlnet.ora file.

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT, HOSTNAME)

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    )
  )

DEDICATED_THROUGH_BROKER_LISTENER=ON
DIAG_ADR_ENABLED = off

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


Add entries to the tnsnames.ora file to use TLS.

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/tnsnames.ora
UNKINDPDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKINDPDB)
    )
  )

UNKIND =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )

UNKINDSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )

Check the TNS alias over TLS.

[oracle@dockerdb ~]$ tnsping unkindssl

TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 03-JAN-2021 02:50:05

Copyright (c) 1997, 2020, Oracle.  All rights reserved.

Used parameter files:
/opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = UNKIND)))
OK (30 msec)
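
The listener.ora, sqlnet.ora and tnsnames.ora entries above all use Oracle Net's nested (KEY = value) syntax. As an added example (my own code, not from this post), here is a small Python parser for that syntax with two checks worth running over these files: flag legacy cipher suites in SSL_CIPHER_SUITES (the 3DES suite configured above is one) and list tnsnames aliases that still connect over plain TCP rather than TCPS. The function names are mine and the sample strings are constructed from the values shown in this post.

```python
import re
# Added example (not code from the post): parse Oracle Net .ora files and review their settings.
TOKEN_RE = re.compile(r"\(|\)|=|[^\s()=]+")
WEAK = ("3DES", "_DES_", "RC4", "NULL", "MD5", "EXPORT")  # legacy cipher-suite markers

def _value(t, i):
    """Parse the value at t[i]: a bare token, a (a, b) list, or (K = v)(K = v) groups."""
    if t[i] != "(":
        return t[i], i + 1
    if t[i + 1] == ")" or t[i + 2] != "=":        # plain list such as (TCPS,NTS,BEQ)
        items, i = [], i + 1
        while t[i] != ")":
            items += [p for p in t[i].split(",") if p]
            i += 1
        return items, i + 1
    node = {}
    while i < len(t) and t[i] == "(":             # (A = x)(B = y) is one value
        i += 1
        while t[i] != ")":
            key = t[i].upper()
            val, i = _value(t, i + 2)             # skip KEY and '='
            node.setdefault(key, []).append(val)  # keys such as ADDRESS may repeat
        i += 1                                    # past the closing ')'
    return node, i
def parse_ora(text):
    """Top-level {PARAMETER: value} of an .ora file; '#' comments are stripped."""
    t, i, out = TOKEN_RE.findall(re.sub(r"#.*", "", text)), 0, {}
    while i < len(t):
        key = t[i].upper()
        out[key], i = _value(t, i + 2)
    return out
def _walk(node):  # yield (key, value) for every pair at any depth of a parsed value
    if isinstance(node, dict):
        for key, vals in node.items():
            for val in vals:
                yield key, val
                yield from _walk(val)
def weak_cipher_suites(sqlnet):
    """SSL_CIPHER_SUITES entries using 3DES, DES, RC4, NULL, MD5 or export grades."""
    return [s for s in sqlnet.get("SSL_CIPHER_SUITES", []) if any(m in s.upper() for m in WEAK)]

def plaintext_aliases(tns):
    """tnsnames aliases with at least one ADDRESS on plain TCP instead of TCPS."""
    return sorted(a for a, d in tns.items() if any(k == "ADDRESS" and isinstance(v, dict)
                  and v.get("PROTOCOL", [""])[0].upper() == "TCP" for k, v in _walk(d)))

# Constructed sample input: the cipher-suite line and two of the aliases from this post.
SQLNET = "SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)"
TNS = """UNKIND=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.19.5.10)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=UNKIND)))
UNKINDSSL=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=172.19.5.10)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=UNKIND)))"""
```

Run weak_cipher_suites(parse_ora(open("sqlnet.ora").read())) and plaintext_aliases(parse_ora(open("tnsnames.ora").read())) against the real files; on the sample above the first returns the 3DES suite and the second returns ['UNKIND'].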


Create an encrypted tablespace in the Oracle 19c pluggable database.

Set the default datafile location, then shut down the database and mount it.
SQL> alter system set db_create_file_dest='/opt/oracle/oradata/UNKIND/' scope=both;

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup mount;
ORACLE instance started.

Total System Global Area 1610610568 bytes
Fixed Size                  9136008 bytes
Variable Size             452984832 bytes
Database Buffers         1140850688 bytes
Redo Buffers                7639040 bytes
Database mounted.

Open the TDE keystore.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.

Open the database and set the master encryption key.

SQL> alter database open;
Database altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY MyKeyPassword1234 WITH BACKUP;
keystore altered.

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 UNKINDPDB                      READ WRITE NO

SQL> alter session set container=UNKINDPDB;
Session altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY covid192020 WITH BACKUP;
keystore altered.

SQL> create tablespace test datafile '/opt/oracle/oradata/UNKIND/test01.dbf' size 2g autoextend on ENCRYPTION USING 'AES256' default storage(encrypt);
Tablespace created.

SQL> select tablespace_name from dba_tablespaces;

TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
TEST
