Implement Oracle TDE and TNS TLS in Oracle 19c running in a Docker Container

[oracle@dockerhost dockerOracle19c]$ cat createNetwork.sh 
# Create the user-defined bridge network that the Oracle container joins.
# The container is later given a fixed address (172.19.5.10) out of the
# 172.19.5.0/24 allocation range below.
net_args=(
  --driver=bridge
  --subnet=172.19.0.0/16
  --ip-range=172.19.5.0/24
  --gateway=172.19.5.254
  oracledb
)
docker network create "${net_args[@]}"
[oracle@dockerhost dockerOracle19c]$ cat startOracleKind.sh 
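# Stop the running oracle19c container (if any) and start a fresh one on the
# oracledb network with a fixed address, publishing ports 1521 and 5500 on the
# host address 192.168.1.45 only.
#
# As pasted, `docker stop` and `docker run` had collapsed onto one line and two
# `-e` lines started with a stray backslash, which made them separate (failing)
# commands; the continuation markers are restored here.
#
# NOTE(review): `docker run --name oracle19c` fails with a name conflict if a
# stopped container of that name still exists; this script assumes it has
# been removed elsewhere — confirm.
# NOTE(review): only TCP 1521 and 5500 are published; the TCPS listener on
# 2484 (see listener.ora) is reachable from the oracledb network only, so
# host-side clients cannot use the TLS endpoint unless 2484 is published too.
docker stop oracle19c
docker run -dt --network=oracledb --name oracle19c --hostname dockerdb --user oracle --ip 172.19.5.10 \
  -p 192.168.1.45:1521:1521 -p 192.168.1.45:5500:5500 \
  -e ORACLE_SID=UNKIND \
  -e ORACLE_PDB=UNKINDPDB \
  -v /oradrive/oradata/UNKIND/network/admin:/opt/oracle/product/19c/dbhome_1/network/admin \
  -v /oradrive/oradata/UNKIND/dbs:/opt/oracle/product/19c/dbhome_1/dbs \
  -v /oradrive/oradata/UNKIND/wallet:/opt/oracle/wallet \
  -v /oradrive/oradata:/opt/oracle/oradata \
  oracle/database:19.3.0-ee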
[oracle@dockerhost ~]$ docker ps 
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5b75b2c74d17 oracle/database:19.3.0-ee "/bin/sh -c 'exec $O..." 16 hours ago Up 16 hours 192.168.1.45:1521->1521/tcp, 192.168.1.45:5500->5500/tcp oracle19c
-v /oradrive/oradata/UNKIND/wallet:/opt/oracle/wallet \
[oracle@localhost ~]$ docker exec -it oracle19c bash
[oracle@dockerdb /]$ export wallet=/opt/oracle/wallet
[oracle@dockerdb ~]$ orapki wallet create -wallet $wallet -auto_login_local
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
Operation is successfully completed.
[oracle@dockerdb ~]$ orapki wallet add -wallet $wallet -dn "CN=dockerdb.hqsft.com" -keysize 4096 -self_signed -validity 3650
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora 
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10 )(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10 )(PORT = 2484))
    )
  )
DEDICATED_THROUGH_BROKER_LISTENER=ON
DIAG_ADR_ENABLED = off
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet) ) )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora
NAME.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, HOSTNAME)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10 )(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10 )(PORT = 2484))
    )
  )
DEDICATED_THROUGH_BROKER_LISTENER=ON
DIAG_ADR_ENABLED = off
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet) ) )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Note: SSL_RSA_WITH_3DES_EDE_CBC_SHA is a legacy 3DES suite and neither listed suite provides forward secrecy; unless an old client requires them, limit SSL_CIPHER_SUITES to the AES suite (or an ECDHE suite the client supports) and pin SSL_VERSION to 1.2 in the same file.
[oracle@dockerdb ~]$ cat /opt/oracle/product/19c/dbhome_1/network/admin/tnsnames.ora 
UNKINDPDB=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKINDPDB)
    )
  )

UNKIND=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.19.5.10)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )

UNKINDSSL=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = UNKIND)
    )
  )
[oracle@dockerdb ~]$ tnsping unkindssl
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 03-JAN-2021 02:50:05
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Used parameter files:
/opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.19.5.10)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = UNKIND)))
OK (30 msec)
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount;
ORACLE instance started.
Total System Global Area 1610610568 bytes
Fixed Size                  9136008 bytes
Variable Size             452984832 bytes
Database Buffers         1140850688 bytes
Redo Buffers                7639040 bytes
Database mounted.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.
SQL> alter database open; 
Database altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY MyKeyPassword1234 WITH BACKUP ;
keystore altered.

Note: none of the listings above configures a separate TDE keystore location, so the TDE keystore is presumably the same /opt/oracle/wallet directory that holds the listener's TLS key (picked up through WALLET_LOCATION in sqlnet.ora); one file and one password would then protect both the TDE master key and the TLS private key. Keeping the TDE keystore in its own location (19c's WALLET_ROOT parameter) is the safer layout — check which directory is actually in use with V$ENCRYPTION_WALLET.
SQL> alter session set container=UNKINDPDB;
Session altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY MyKeyPassword1234;
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY covid192020 WITH BACKUP;
keystore altered.
SQL> create tablespace test datafile '/opt/oracle/oradata/UNKIND/test01.dbf' size 2g autoextend on ENCRYPTION USING 'AES256' default storage(encrypt);
Tablespace created.
[oracle@dockerdb wallet]$ orapki wallet export -wallet /opt/oracle/wallet -dn "CN=dockerdb.hqsft.com" -cert /opt/oracle/wallet/dockerdb.hqsft.com.crt
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

The exported .crt is the listener's public certificate. Because it is self-signed, any client connecting over TCPS from outside the container must add it as a trusted certificate to its own wallet; setting SSL_SERVER_DN_MATCH=yes in the client's sqlnet.ora additionally makes the client verify the server's DN rather than accepting any certificate it trusts.
[oracle@dockerhost wallet]$ lscwallet.sso  cwallet.sso.lck  dockerdb.hqsft.com.crt  ewallet.p12  ewallet.p12.lck[oracle@dockerhost wallet]$ ls -l dockerdb.hqsft.com.crt-rw------- 1 oracle oinstall 1703 Jan 24 11:42 dockerdb.hqsft.com.crt[oracle@dockerhost wallet]$ cat dockerdb.hqsft.com.crt-----BEGIN CERTIFICATE-----MIIEvTCCAqUCEBRYZObfAx5hyrj4fDT1WDEwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAxMSZG9ja2VyZGIuaHFzZnQuY29tMB4XDTIxMDEyNDAyMTA1NVoXDTMxMDEyMjAyMTA1NVowHTEbMBkGA1UEAxMSZG9ja2VyZGIuaHFzZnQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi9UsbnmRK1y18GadWQB62DF3tkPJl40AgnzxEgkhAxy0U4vQOzE54UK5VHV4qp4A22hsv2Pu0xjnyEyvx7tigh1mI2rCJ6ZAHrf+R0wQe1XuZMZAn5qkEN4yg/7MXIr9ywuv7kgfAWqoZZQdY0+EAhrI3RqFq1Bmz+rXjHLV96c5YEk+a8yBOHxKN7BTP7UL+D3kiAHhBPc+AWHxEBZlQEb+iG5YT7JS6CW6rI8orhDVeL1D2/xlgcFfHq6vkWtEvgx1rwomwkfDBtJuK1J0wfpuIBadCkCAWBXJD7T5rQR/7T6xcVbfN39dMEe8kpBI51mOr7quvdB2kKmp78MRqn6ry2afxuKcJ5akw8q3mwzSCQSiHba2MfyETZr3OfyOsLjuXQ8F+gfvMxo2VIPZ3r5vuzW4KL5xBi3iqi0qIXpbtCMSwrJMXeUS/1mWcWeLod07CKOnn2Xj5DhpDU5K4iEcNYzzYoenaN9zv7aBPz0J6qFsBgm8pCCkTuygBkm3PykuSRdu3XZhReKSdmi2QWU5OJwR2+us9iYKXPwNO18E/N/rW4F33vPCcGfcHoodY3Udf+tvDOWRPJHKcLKm/lM85tv4JzBmKzdfy0NS33o3uAnfJ9ONaAinoYzu+TfWU+HSc+lXhkms2k0jWlNz84LWHlqRHJgZObDVaHjbHgcCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAEMxADQ2jzC4KanrEimsXYdJaI0J+NZx1yHjnPstQn6dxvX+v4D5jBvl12ttuWQ/24j9R2mZQ3QKwXP6TXAKYpPeyqtP2LSOESp0skvBGcq68fgKjI8Ufaa2Ic4/9CM2b2oB/5VYLBZIfCl12Li7tJUJeJZKOUWGQDBIYra8a6J41tlTJdZLlg1pSyhi4r7Q6hOzwncjKF4xq5La7Dum1e+MSwxuaq3mxzzuIpdiKQtQ3kXovbCDaC0oCBnM3Wk1Q263sPtNsH2kf/+bpIE8YBXWkFIZtnIx6ZwcsWHO97cLQNugEw+4Y6wTHyip9vX1Xt6d83VP75QNYUO1/pTtMI7UUAfXDbOEwTx42VusTMgZbrclcwlbUkMz6cQ5JCJYFaqa4tIXOjDWUvjuMfYzUaPAf0Rgqfe9kY4Oh0q9XnBmClSN2aMjADudbkA9QN5680fbd+w6RBjwaI7Ff1LU2iEpMy/pLdk8QDOEPFmwQ6Plnr8NtWgnt4lY26ISh7jbpx/VH57kZ+sC8WrE400Ymyi9kiPUPqHbHlowlzn4XSXZIBTugjyWzoUtXQygNG8h3uZIfaqVq8n6v1yLwkYsCKJTiC53HnoVTz8EaGWmfzddW43nBFqnTM+HKaJxnfqV8YklXBlDyE7yFPdgvuH/pOqp828/HmqRNDmeecdELqDc=-----END CERTIFICATE-----
