Implement Oracle TDE and TNS TLS in Oracle 19c running in a Docker Container

Ravi Verma
4 min read · Jan 5, 2021

In this article I walk through implementing Oracle TDE (Transparent Data Encryption) and TLS (SSL) for TNS connections in an Oracle 19.9.0.0 database running as a Docker container.

You can watch the video that accompanied this article at

I have a Docker network oracledb that I use for the Oracle Database.

[oracle@dockerhost dockerOracle19c]$ cat createNetwork.sh 
docker network create \
--driver=bridge \
--subnet=172.19.0.0/16 \
--ip-range=172.19.5.0/24 \
--gateway=172.19.5.254 \
oracledb

Here is the startup script for the Oracle container.

[oracle@dockerhost dockerOracle19c]$ cat startOracleKind.sh
docker stop oracle19c
# remove the stopped container so the name can be reused; all state lives in the bind mounts below
docker rm oracle19c
docker run -dt --network=oracledb --name oracle19c --hostname dockerdb --user oracle --ip 172.19.5.10 \
  -p 192.168.1.45:1521:1521 -p 192.168.1.45:5500:5500 \
  -e ORACLE_SID=UNKIND \
  -e ORACLE_PDB=UNKINDPDB \
  -v /oradrive/oradata/UNKIND/network/admin:/opt/oracle/product/19c/dbhome_1/network/admin \
  -v /oradrive/oradata/UNKIND/dbs:/opt/oracle/product/19c/dbhome_1/dbs \
  -v /oradrive/oradata/UNKIND/wallet:/opt/oracle/wallet \
  -v /oradrive/oradata:/opt/oracle/oradata \
  oracle/database:19.3.0-ee

Make sure to assign a fixed hostname to the container (--hostname above) if you want TDE to work. The encryption keys take the hostname of the host server into account; if you don't assign one, Docker gives each container a random hostname and the TDE keys will not work.

Here is a Docker container I have running.

[oracle@dockerhost ~]$ docker ps 
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5b75b2c74d17 oracle/database:19.3.0-ee "/bin/sh -c 'exec $O..." 16 hours ago Up 16 hours 192.168.1.45:1521->1521/tcp, 192.168.1.45:5500->5500/tcp oracle19c

Persisting the wallet

You will see that I have a local folder /oradrive/oradata/UNKIND/wallet that maps to /opt/oracle/wallet in the container.

-v /oradrive/oradata/UNKIND/wallet:/opt/oracle/wallet \

The wallet must be created from inside the container the first time. A wallet created outside the container will not work.

Open a bash shell in the container

[oracle@localhost ~]$ docker exec -it oracle19c bash
[oracle@dockerdb /]$ export wallet=/opt/oracle/wallet
[oracle@dockerdb ~]$ orapki wallet create -wallet $wallet -auto_login_local
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.

Add a self-signed certificate to the wallet

[oracle@dockerdb ~]$ orapki wallet add -wallet $wallet -dn "CN=dockerdb.hqsft.com" -keysize 4096 -self_signed -validity 3650
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.

Modify the listener.ora file to use the wallet

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    )
  )
DEDICATED_THROUGH_BROKER_LISTENER = ON
DIAG_ADR_ENABLED = off
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet))
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Modify the sqlnet.ora file.

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT, HOSTNAME)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    )
  )
DEDICATED_THROUGH_BROKER_LISTENER = ON
DIAG_ADR_ENABLED = off
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet))
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Add entries to tnsnames.ora file to use TLS.

[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/tnsnames.ora
UNKINDPDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKINDPDB)
    )
  )

UNKIND =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )

UNKINDSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )

Check the TNS alias over SSL/TLS with tnsping.

[oracle@dockerdb ~]$ tnsping unkindssl

TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 03-JAN-2021 02:50:05

Copyright (c) 1997, 2020, Oracle.  All rights reserved.

Used parameter files:
/opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = UNKIND)))
OK (30 msec)

Create an encrypted tablespace

Shut down the database and bring it back up in MOUNT state.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount;
ORACLE instance started.

Total System Global Area 1610610568 bytes
Fixed Size                  9136008 bytes
Variable Size             452984832 bytes
Database Buffers         1140850688 bytes
Redo Buffers                7639040 bytes
Database mounted.

Open the TDE Keystore

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.

Open the database, set the master key in the CDB root, then open the keystore and set a key in the PDB before creating the encrypted tablespace.

SQL> alter database open;
Database altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY MyKeyPassword1234 WITH BACKUP;
keystore altered.
SQL> alter session set container=UNKINDPDB;
Session altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY covid192020 WITH BACKUP;
keystore altered.
SQL> create tablespace test datafile '/opt/oracle/oradata/UNKIND/test01.dbf' size 2g autoextend on ENCRYPTION USING 'AES256' default storage(encrypt);
Tablespace created.

Export the wallet to share with clients

[oracle@dockerdb wallet]$ orapki wallet export -wallet /opt/oracle/wallet -dn "CN=dockerdb.hqsft.com" -cert /opt/oracle/wallet/dockerdb.hqsft.com.crt
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

The command above creates a public certificate file that you can view from the file system.

[oracle@dockerhost wallet]$ ls
cwallet.sso  cwallet.sso.lck  dockerdb.hqsft.com.crt  ewallet.p12  ewallet.p12.lck
[oracle@dockerhost wallet]$ ls -l dockerdb.hqsft.com.crt
-rw------- 1 oracle oinstall 1703 Jan 24 11:42 dockerdb.hqsft.com.crt
[oracle@dockerhost wallet]$ cat dockerdb.hqsft.com.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
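Because the wallet directory is bind-mounted from the host, the host-side file modes decide who can read the keystore, and the auto-login cwallet.sso created with -auto_login_local opens without a password. The following added example (mine, not the article's, and not an Oracle utility) audits a persisted wallet directory for that: it requires ewallet.p12 and cwallet.sso to exist and to be owner-only, treats the exported .crt as public, and ignores the .lck lock files. Which files count as secret is my assumption; the demo builds a constructed wallet layout with placeholder files in a temporary directory rather than touching a real wallet.

```python
"""Audit a persisted Oracle wallet directory for file modes that expose the keystore.
Added example; not from the article and not an Oracle utility."""

import os
import stat
import tempfile

# Assumption: ewallet.p12 holds the password-protected keys and cwallet.sso is the
# auto-login copy; a readable cwallet.sso is as good as the wallet password.
SECRET_FILES = ("ewallet.p12", "cwallet.sso")
PUBLIC_SUFFIXES = (".crt",)       # exported certificate: public by design
IGNORED_SUFFIXES = (".lck",)      # orapki lock files: no key material


def audit_wallet_dir(path):
    """Return human-readable findings; an empty list means the directory passed."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & 0o077:
        findings.append(f"directory mode {dir_mode:04o} grants group/other access")
    present = sorted(os.listdir(path))
    for name in SECRET_FILES:
        if name not in present:
            findings.append(f"{name} is missing")
    for name in present:
        if name.endswith(PUBLIC_SUFFIXES) or name.endswith(IGNORED_SUFFIXES):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode & 0o077:
            findings.append(f"{name} mode {mode:04o} is readable by group/other; wallet files must be owner-only")
    return findings


def make_demo_wallet(root, leak_sso=False):
    """Construct a placeholder layout like the article's ls output (no real key material)."""
    wallet = os.path.join(root, "wallet")
    os.mkdir(wallet)
    os.chmod(wallet, 0o700)
    layout = {
        "ewallet.p12": 0o600,
        "ewallet.p12.lck": 0o644,
        "cwallet.sso": 0o644 if leak_sso else 0o600,
        "cwallet.sso.lck": 0o644,
        "dockerdb.hqsft.com.crt": 0o644,
    }
    for name, mode in layout.items():
        full = os.path.join(wallet, name)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder, not real wallet content\n")
        os.chmod(full, mode)
    return wallet


def run_demo():
    """Audit a locked-down layout and one where cwallet.sso was left at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = audit_wallet_dir(make_demo_wallet(tempfile.mkdtemp(dir=tmp)))
        leaky = audit_wallet_dir(make_demo_wallet(tempfile.mkdtemp(dir=tmp), leak_sso=True))
    return clean, leaky


if __name__ == "__main__":
    for label, findings in zip(("clean", "leaky"), run_demo()):
        print(label, findings or ["no findings"])
```

Run `audit_wallet_dir("/oradrive/oradata/UNKIND/wallet")` on the host after each orapki step; the exported .crt is allowed to be world-readable (the article's ls -l shows 0600, which is fine too), but the .sso and .p12 must stay owner-only on the host, since the bind mount carries those modes into the container.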

Originally published at https://www.linkedin.com.
