We are attempting to configure TDE to work with an nCipher Connect+ HSM (hardware security module) to store the keys. We are using version 18.10.0.0.200414 of the DB on Windows Server 2016 and v12.3 of the nCipher software. We've followed both the Oracle docs (Advanced Security manual) and the nCipher instructions to perform the configuration, and it works as long as we don't exit the SQL*Plus session. Once we exit SQL*Plus the DB loses connectivity with the HSM and we get the error below in the alert.log.
kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400
These are the commands we ran:
Installed the nCipher keysafe v1.30.1 client software on the windows 2016 db server.
Created the directory and copied the DLL here:
C:\oracle\extapi\32\hsm\nCipher\v12.30\libcknfast.dll
In the SQL*Plus session, we connect to the local DB and then issue:
alter system set WALLET_ROOT='E:\app\oracle\admin\common\wallets\<SID_NAME>' scope=spfile;
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=spfile ;
Bounced the DB.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "hardware_keystore_password";
keystore altered.
SQL>
SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER  STATUS  WALLET_TYPE  WALLET_OR  KEYSTORE  FULLY_BAC  CON_ID
--------  -------------  ------  -----------  ---------  --------  ---------  ------
HSM                      OPEN    HSM          SINGLE     NONE      UNDEFINED  0
Set HSM master encryption key:
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hardware_keystore_credentials";
The command succeeds and I can see the new key created on the HSM dashboard, but when we exit SQL*Plus I see the error in the alert.log, and when I log back into SQL*Plus it shows the wallet is closed. We've tried creating an auto-login wallet, but it still gives the same error after exiting SQL*Plus. Any ideas on what is causing the loss of connection to the HSM?
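As an added example (not part of the original post or of Oracle's or nCipher's software), here is a small Python checker that scans Oracle alert.log lines for the kzthsm heartbeat and PKCS#11 termination messages quoted above, joins the wrapped heartbeat message back together, and decodes the numeric PKCS#11 return code. It assumes the code is printed in decimal, as Oracle's output suggests: 400 decimal is 0x190, which the PKCS#11 specification defines as CKR_CRYPTOKI_NOT_INITIALIZED. The sample log lines are constructed from the ones quoted in the post, and the function and variable names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Subset of PKCS#11 return values (CKR_*) that matter for HSM keystore
# connectivity, keyed by their numeric value from the PKCS#11 specification.
CKR_NAMES = {
    0x00: "CKR_OK",
    0x05: "CKR_GENERAL_ERROR",
    0x06: "CKR_FUNCTION_FAILED",
    0x30: "CKR_DEVICE_ERROR",
    0x32: "CKR_DEVICE_REMOVED",
    0xB3: "CKR_SESSION_HANDLE_INVALID",
    0xE0: "CKR_TOKEN_NOT_PRESENT",
    0x101: "CKR_USER_NOT_LOGGED_IN",
    0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
}

# Oracle wraps the heartbeat message over several lines, so the log is
# joined into one string before matching; DOTALL lets the pattern span it.
# Oracle spells the library both "PKCS11" and "PKCS#11", hence "PKCS#?11".
HEARTBEAT_RE = re.compile(
    r"(?P<src>kzthsm\w+): HSM heartbeat died\..*?"
    r"PKCS#?11 function (?P<func>C_\w+) returned\s+"
    r"PKCS#?11 error code:\s*(?P<code>\d+)",
    re.DOTALL,
)
THREW_RE = re.compile(
    r"(?P<src>kzthsm\w+): (?P<func>C_\w+) threw PKCS#?11 error (?P<code>\d+)"
)
WALLET_CLOSED_MARKER = "HSM connection lost, closing wallet"


@dataclass
class HsmEvent:
    source: str     # Oracle internal routine that logged the message (kzthsm...)
    function: str   # PKCS#11 function that failed (C_EncryptInit, C_Finalize, ...)
    code: int       # numeric return code, assumed to be printed in decimal
    name: str       # symbolic CKR_* name, or CKR_UNKNOWN(0x...) if not in the table


def decode_ckr(code: int) -> str:
    """Map a decimal PKCS#11 return code to its CKR_* name."""
    return CKR_NAMES.get(code, f"CKR_UNKNOWN(0x{code:X})")


def parse_hsm_events(lines: Iterable[str]) -> List[HsmEvent]:
    """Extract HSM-related PKCS#11 failures from alert.log lines, in log order."""
    text = " ".join(line.strip() for line in lines)
    found = []
    for rx in (HEARTBEAT_RE, THREW_RE):
        for m in rx.finditer(text):
            code = int(m.group("code"))
            found.append((m.start(), HsmEvent(m.group("src"), m.group("func"),
                                               code, decode_ckr(code))))
    return [event for _, event in sorted(found, key=lambda pair: pair[0])]


def wallet_closed(lines: Iterable[str]) -> bool:
    """True if Oracle reported closing the HSM wallet after losing the connection."""
    return any(WALLET_CLOSED_MARKER in line for line in lines)


def summarize(lines: List[str]) -> dict:
    """Compact summary suitable for a monitoring check on the alert.log."""
    events = parse_hsm_events(lines)
    return {
        "events": len(events),
        "codes": sorted({e.name for e in events}),
        "wallet_closed": wallet_closed(lines),
        "library_finalized": any(e.function == "C_Finalize" for e in events),
    }


# Constructed sample: the alert.log excerpt quoted in the post above.
SAMPLE_ALERT_LOG = [
    "kzthsmcc3: HSM heartbeat died. Likely the connection",
    "has been lost. PKCS11 function C_EncryptInit returned",
    "PKCS11 error code: 400",
    "HSM connection lost, closing wallet",
    "kzthsmterm: C_CloseSession threw PKCS#11 error 400",
    "kzthsmterm: C_Finalize threw PKCS11 error 400",
]

if __name__ == "__main__":
    for event in parse_hsm_events(SAMPLE_ALERT_LOG):
        print(f"{event.source}: {event.function} -> {event.code} ({event.name})")
    print(summarize(SAMPLE_ALERT_LOG))
```

Run against a live alert.log (for example, `tail` piped into `parse_hsm_events`), a non-empty result with `wallet_closed` set is a direct signal that TDE operations on encrypted tablespaces will start failing until the keystore is reopened, which is worth alerting on in its own right regardless of the underlying cause.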