
tde heartbeat with hsm gets disconnected

Flabbergasted George, Sep 4 2020 (edited Sep 8 2020)

We are attempting to configure TDE to work with an nCipher Connect+ HSM (hardware security module) to store the keys. We are using version 18.10.0.0.200414 of the db on a Windows 2016 server and v12.3 of the nCipher software. We've followed both the Oracle docs (Advanced Security manual) and the nCipher instructions to perform the configuration, and it works as long as we don't exit the sqlplus session. Once we exit sqlplus the db loses connectivity with the HSM and we get the error below in the alert.log.

kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400

These are the commands we ran:

Installed the nCipher KeySafe v1.30.1 client software on the Windows 2016 db server.

Created this directory and copied the DLL into it:

C:\oracle\extapi\32\hsm\nCipher\v12.30\libcknfast.dll

In a sqlplus session, we connect to the local db and then issue:

alter system set WALLET_ROOT='E:\app\oracle\admin\common\wallets\<SID_NAME>' scope=spfile;

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=spfile ;

Bounced the db.

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN  IDENTIFIED BY "hardware_keystore_password";

keystore altered.

SQL>

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER  STATUS  WALLET_TYPE  WALLET_OR  KEYSTORE  FULLY_BAC  CON_ID
--------  -------------  ------  -----------  ---------  --------  ---------  ------
HSM                      OPEN    HSM          SINGLE     NONE      UNDEFINED       0

Set the HSM master encryption key:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "hardware_keystore_credentials";

The command succeeds, and I can see the new key created on the HSM dashboard, but when we exit SQL*Plus I see the error in alert.log, and when I log back into sqlplus it shows the wallet is closed. We've tried creating an auto-login wallet but it still gives the same error after exiting SQL*Plus. Any ideas on what is causing the loss of connection to the HSM?

Added on Sep 4 2020
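The alert.log messages quoted in the post are exactly the signal a DBA or SOC wants to catch automatically: once the HSM heartbeat fails and Oracle closes the wallet, operations on TDE-encrypted data start failing until the keystore is reopened, so a closed HSM-backed wallet is an availability incident, not just a log line. The scanner below is an added example written for this page, not code from the poster, Oracle or nCipher. It reads alert.log lines, pairs each "PKCS11 function ... returned" line with the error code on the following line, records the kzthsm* messages, and flags a heartbeat failure that was followed by a wallet closure. The sample log content is constructed from the lines in the post; the timestamps and the "Completed checkpoint" line are made up for context, and the function and module names (C_EncryptInit, C_CloseSession, C_Finalize, kzthsmcc3, kzthsmterm) are taken from the quoted messages.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample alert.log content (not from the poster's system). The HSM
# lines are modelled on the messages quoted in the post; the timestamp lines and
# the final "Completed checkpoint" line are made up for context.
SAMPLE_ALERT_LOG = """\
2020-09-04T10:15:01.123456-04:00
kzthsmcc3: HSM heartbeat died. Likely the connection
has been lost. PKCS11 function C_EncryptInit returned
PKCS11 error code: 400
HSM connection lost, closing wallet
kzthsmterm: C_CloseSession threw PKCS#11 error 400
kzthsmterm: C_Finalize threw PKCS11 error 400
2020-09-04T10:16:30.000000-04:00
Completed checkpoint
"""

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
HEARTBEAT_RE = re.compile(r"HSM heartbeat died")
WALLET_CLOSED_RE = re.compile(r"HSM connection lost, closing wallet")
# "PKCS11 function C_EncryptInit returned" -- the error code follows on the next line
FUNC_RE = re.compile(r"PKCS#?11 function (C_\w+) returned")
# "PKCS11 error code: 400" or "... threw PKCS#11 error 400"
CODE_RE = re.compile(r"PKCS#?11 error(?: code:)? (\d+)")
# "kzthsmterm: C_CloseSession threw PKCS#11 error 400" (single-line form)
THREW_RE = re.compile(r"^(kzthsm\w*): (C_\w+) threw PKCS#?11 error (\d+)")


@dataclass
class HsmEvent:
    timestamp: Optional[str]  # last timestamp line seen before the message
    kind: str                 # "heartbeat_died", "wallet_closed" or "pkcs11_error"
    function: Optional[str] = None
    code: Optional[int] = None


def scan_alert_log(lines: Iterable[str]) -> List[HsmEvent]:
    """Walk alert.log lines in order and collect HSM/PKCS#11 related events."""
    events: List[HsmEvent] = []
    current_ts: Optional[str] = None
    pending_func: Optional[str] = None  # PKCS#11 function waiting for its error code
    for raw in lines:
        line = raw.rstrip("\n")
        if TIMESTAMP_RE.match(line):
            current_ts = line
            continue
        if HEARTBEAT_RE.search(line):
            events.append(HsmEvent(current_ts, "heartbeat_died"))
            continue
        if WALLET_CLOSED_RE.search(line):
            events.append(HsmEvent(current_ts, "wallet_closed"))
            continue
        m = THREW_RE.match(line)
        if m:
            events.append(HsmEvent(current_ts, "pkcs11_error", m.group(2), int(m.group(3))))
            continue
        m = FUNC_RE.search(line)
        if m:
            pending_func = m.group(1)  # code arrives on the following line
            continue
        m = CODE_RE.search(line)
        if m:
            events.append(HsmEvent(current_ts, "pkcs11_error", pending_func, int(m.group(1))))
            pending_func = None
    return events


def summarize(events: List[HsmEvent]) -> dict:
    """Aggregate the events into the fields a monitoring alert would carry."""
    return {
        "heartbeat_failures": sum(e.kind == "heartbeat_died" for e in events),
        "wallet_closures": sum(e.kind == "wallet_closed" for e in events),
        "pkcs11_codes": sorted({e.code for e in events if e.code is not None}),
        "failing_functions": sorted({e.function for e in events if e.function}),
        "first_seen": next((e.timestamp for e in events), None),
    }


def wallet_closed_by_hsm_loss(events: List[HsmEvent]) -> bool:
    """True when a heartbeat failure was followed by the wallet being closed,
    which is the point at which access to TDE-encrypted data starts failing."""
    seen_heartbeat = False
    for e in events:
        if e.kind == "heartbeat_died":
            seen_heartbeat = True
        elif e.kind == "wallet_closed" and seen_heartbeat:
            return True
    return False


if __name__ == "__main__":
    found = scan_alert_log(SAMPLE_ALERT_LOG.splitlines())
    print(summarize(found))
    if wallet_closed_by_hsm_loss(found):
        print("ALERT: TDE wallet closed after HSM heartbeat loss")
```

To run it against a real server, pass the open alert.log file to `scan_alert_log` instead of the sample and ship `summarize()` to whatever pages the on-call DBA; pairing the function name with its error code matters because the code alone (400 here) does not say which PKCS#11 call failed, and the first failing call is what the HSM vendor will ask for.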