Migrating TDE From Wallet To HSM, Goldengate fails with "ORA-28407: Hardware Security Module Error Detected" (Doc ID 1553227.1)

Last updated on MAY 17, 2017

Applies to:

Oracle GoldenGate - Version 11.2.1.0.3 and later
Information in this document applies to any platform.

Symptoms

The table and tablespace keys can be encrypted using the master key. The master key is stored in an external security module (ESM) that can be one of the following:
- an Oracle Wallet - a secure container outside of the database. It is encrypted with a password.
- a Hardware Security Module (HSM) - a device used to secure keys and perform cryptographic operations. Oracle interfaces to the device using a PKCS#11 library supplied by the HSM vendor.

Currently it is possible to migrate the TDE master keys from the Oracle wallet to an HSM, but migrating the master keys from the HSM back to the wallets is not supported.
Once the database has used an HSM wallet, it cannot be migrated back to wallets stored in file-

Before the migration was started, merge Patch 13893640 was installed. It fixes a failure in the heartbeat signal sent to the HSM and provides auto-open HSM functionality on Unix / Linux systems.
The auto-login feature is available for HSM because 11789943 and 11863940 are already applied.

With a local wallet, Oracle GoldenGate worked: the database encrypted data with AES 128-bit, Oracle GoldenGate handled it successfully using the shared secret, and it then successfully encrypted/decrypted trail data, again using AES 128.
After the HSM was introduced, however, Oracle GoldenGate fails with:

2013-04-22 11:04:50 ERROR OGG-01028 Oracle GoldenGate Capture for Oracle, ETEST_A.prm: ORA-28407: Hardware Security Module error detected
ORA-06512: at "SYS.DBMS_INTERNAL_CLKM", line 3
ORA-06512: at line 1.

Connected through sqlplus as the Oracle GoldenGate user, you can still perform DML on the table in the TDE tablespace on which Oracle GoldenGate Extract is failing.

Changes

Migration of the TDE master keys from the Oracle wallet to HSM

Cause
