What is Persistent Key Cache
The persistent master encryption key cache reduces dependence on the state of the Oracle Key Vault server. The TDE master encryption key is cached in the persistent master encryption key cache in addition to the in-memory cache, which makes the master encryption key available across database processes. This eliminates the need for the database to contact the Oracle Key Vault server for every new process, redo log switch, or database startup.
Conclusion:
- You can set EXPIRE PKCS11 PERSISTENT CACHE ON DATABASE SHUTDOWN for individual endpoint databases that have been enrolled with Oracle Key Vault, or globally for all endpoint databases that have been enrolled in Oracle Key Vault. This parameter is not available in the okvclient.ora configuration file for the database endpoint. To set this parameter, use the Oracle Key Vault management console. From <https://docs.oracle.com/en/database/oracle/key-vault/18.4/okvag/security_objects.html#GUID-24555337-3038-4798-9528-5B538FB0E5A9>
- Available from Oracle Key Vault release 18 onwards.
- Removing the ewallet.p12 file from the persistent cache location OKV/$ORACLE_SID clears the cache; the database then downloads a new file from the OKV server.
- The testing below was performed after changing the persistent cache parameters.
- To reduce dependence on OKV, adjust the persistent cache parameters.
- Increase the cache timeout and cache refresh window values (PKCS11_PERSISTENT_CACHE_TIMEOUT and PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW).
1. Take a database footprint before the change, for validation.

2. Disable the persistent cache parameter on both nodes, then check and note the contents of the OKV persistent cache directory:

./okvutil list -t okv_persistent_cache -l /u02/app/oracle/okv/t***z3

3. Restart the database and repeat the check.

4. Revert the persistent cache parameters and recycle the databases. When the endpoint is re-enrolled or the old ewallet.p12 file is deleted, the database tries to use a new persistent cache file.

Parameter definitions:
The PKCS11_CACHE_TIMEOUT parameter sets how long a master encryption key is available in the in-memory cache.
The PKCS11_PERSISTENT_CACHE_TIMEOUT parameter sets how long the master encryption key is available in the persistent cache.
The PKCS11_PERSISTENT_CACHE_FIRST parameter sets the persistent master encryption key cache operation mode.
The PKCS11_CONFIG_PARAM_REFRESH_INTERVAL parameter describes the frequency at which a long-running process will re-read the okvclient.ora configuration file.
The PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW parameter extends the time the master encryption key is available after it is cached in the persistent master encryption key cache.
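The parameters above live as KEY=VALUE lines in okvclient.ora, so it is easy to audit an endpoint for a disabled or very short persistent cache before a planned OKV outage. The script below is an added example, not part of the original post or of Oracle's tooling: it reads the two persistent cache parameters from an okvclient.ora-style file, applies assumed defaults when a key is absent, and classifies the configuration against floors you choose. The sample files, the default values and the floors are all assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the PKCS11_* persistent
# cache settings in an okvclient.ora-style file. The sample file contents,
# the defaults applied when a key is absent, and the minimum floors are
# assumptions for this example.

# Print the numeric value of a KEY=VALUE parameter from a file
# (first match wins, comment lines never match).
# $1 = file, $2 = parameter name
okv_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | head -n 1
}

# Classify the persistent cache configuration in a file:
#   "disabled" when PKCS11_PERSISTENT_CACHE_TIMEOUT is 0,
#   "weak"     when the persistent timeout or refresh window is below the floor,
#   "ok"       otherwise.
# $1 = file, $2 = minimum timeout (minutes), $3 = minimum refresh window (minutes)
okv_cache_status() {
    file=$1
    min_timeout=${2:-1440}
    min_window=${3:-30}
    timeout=$(okv_param "$file" PKCS11_PERSISTENT_CACHE_TIMEOUT)
    window=$(okv_param "$file" PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW)
    # Assumed defaults used when the key is missing from the file.
    timeout=${timeout:-1440}
    window=${window:-30}
    if [ "$timeout" -eq 0 ]; then
        echo disabled
    elif [ "$timeout" -lt "$min_timeout" ] || [ "$window" -lt "$min_window" ]; then
        echo weak
    else
        echo ok
    fi
}

# Write a constructed okvclient.ora fragment (sample data, not a real endpoint file).
# $1 = path, $2 = PKCS11_PERSISTENT_CACHE_TIMEOUT, $3 = PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW
write_sample_conf() {
    cat > "$1" <<EOF
# constructed sample configuration for this example
SERVER=192.0.2.10:5696
PKCS11_CACHE_TIMEOUT=60
PKCS11_PERSISTENT_CACHE_TIMEOUT=$2
PKCS11_PERSISTENT_CACHE_FIRST=1
PKCS11_CONFIG_PARAM_REFRESH_INTERVAL=10
PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW=$3
EOF
}

# Demo over three constructed configurations: cache disabled, short timeouts,
# and timeouts long enough to ride out a planned OKV outage.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/disabled.ora" 0 30
write_sample_conf "$demo_dir/short.ora" 60 5
write_sample_conf "$demo_dir/long.ora" 2880 120
for f in disabled short long; do
    printf '%s: %s\n' "$f" "$(okv_cache_status "$demo_dir/$f.ora")"
done
rm -rf "$demo_dir"
```

Run it against a real endpoint with `okv_cache_status /path/to/okvclient.ora 2880 120` to use your own floors; a result of "disabled" or "weak" means the database will fall back to contacting the OKV server at the next process start, log switch or startup once the in-memory cache expires.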
OKV SSL Certificate Validation on OPC databases.
[oracle@dbadeeds ssl]$ orapki wallet display -wallet /u02/app/oracle/product/okv/T3DZ3_T53M03VM02/ssl
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=XtmZtV6jCc,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us
Trusted Certificates:
Subject:        CN=CA,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us

[oracle@dbadeeds ssl]$ openssl pkcs12 -in ewallet.p12 -out certificate.pem -nodes
Enter Import Password:
MAC verified OK
Warning unsupported bag type: secretBag

[oracle@dbadeeds ssl]$ cat certificate.pem | openssl x509 -noout -enddate
notAfter=Nov 20 09:34:43 2023 GMT    <-- Matches with OKV certificate
[oracle@dbadeeds ssl]$
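The session above checks the endpoint certificate's expiry by hand. An expired endpoint certificate means the database can no longer reach OKV once the persistent cache times out, so the check is worth scheduling. The functions below are an added example, not from the original post: they parse the `notAfter=` line that `openssl x509 -enddate` prints into a day count and grade a wallet PEM as OK, WARN or EXPIRED. The warning threshold, the fixed reference time and the use of the session's notAfter value as sample input are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): turn the manual expiry check
# into functions usable from cron or a monitoring job. The warning threshold
# and the reference epoch used in the demo are assumptions.

# Days until the certificate in a "notAfter=..." line expires, relative to a
# reference epoch (default: now). Negative means already expired.
# Tries GNU date first, then the BSD date syntax.
# $1 = notAfter line as printed by openssl x509 -noout -enddate
# $2 = reference time as epoch seconds (optional)
cert_days_left() {
    end=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) \
        || end_epoch=$(date -j -u -f '%b %d %H:%M:%S %Y %Z' "$end" +%s 2>/dev/null) \
        || return 1
    echo $(( (end_epoch - now) / 86400 ))
}

# Grade a wallet PEM (as produced by the openssl pkcs12 step above):
# EXPIRED, WARN when fewer than $2 days remain (default 30), otherwise OK.
# $1 = PEM file, $2 = warning threshold in days (optional)
check_wallet_cert() {
    line=$(openssl x509 -in "$1" -noout -enddate) || return 1
    days=$(cert_days_left "$line") || return 1
    if [ "$days" -lt 0 ]; then
        echo "EXPIRED ($days days)"
    elif [ "$days" -lt "${2:-30}" ]; then
        echo "WARN ($days days left)"
    else
        echo "OK ($days days left)"
    fi
}

# Demo with constructed input: the notAfter value from the session above,
# evaluated at a fixed reference time (2023-11-14 22:13:20 UTC, epoch 1700000000).
cert_days_left 'notAfter=Nov 20 09:34:43 2023 GMT' 1700000000
```

In practice call `check_wallet_cert certificate.pem 30` after extracting the PEM as in the session above, and alert on anything other than OK; the same `cert_days_left` function works on the `notAfter=` line of any certificate, including the OKV server certificate the post compares against.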