We are testing a particular HSM to replace the Oracle wallet and use it as a key-store for column encryption. We are using redundant HSMs so that things will continue to run even with a complete loss of one HSM. This works fine when connectivity is lost to one HSM at a time.
The problem we found is that when there is a complete loss of connectivity to both devices, a restoration of connectivity is not sufficient to continue to allow decryption of encrypted columns. The only way we found to restore connectivity in this scenario is to restart the instance.
The question is, which of these do our findings represent?
1. A problem with the way we have configured the HSM.
2. A limitation of this particular HSM.
3. A limitation of the way the Oracle database works with any HSM.
The database is fine when this happens; only access to the encrypted columns is lost. But even when connectivity to the HSMs is restored (verified using HSM tools from the database server), the database continues to act as though the HSMs are unavailable. Everything else in the database is fine, only access to the encrypted columns is unavailable. The alert log gives no indication of any issues.
Asked by Leigh Riffel
(23884 rep)
Jul 21, 2017, 01:21 PM
Last activity: Mar 27, 2023, 04:20 AM
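The following is an added diagnostic sequence, not part of the original question, that a DBA would run from the database server once the HSM tools report both devices reachable again. It distinguishes "the HSM is reachable" from "the instance still holds a usable keystore session", which is the gap the question describes. It assumes Oracle 12c or later `ADMINISTER KEY MANAGEMENT` syntax and an HSM-type keystore; the credential string `hsm_user:hsm_password` is a placeholder.

```sql
-- Added diagnostic, not from the original question. Assumes Oracle 12c+
-- ADMINISTER KEY MANAGEMENT syntax and a keystore of WRL_TYPE = HSM; the
-- credential "hsm_user:hsm_password" is a placeholder.

-- 1. What does the instance itself believe about the keystore?
--    After HSM connectivity returns, a STATUS other than OPEN here
--    (for example CLOSED or NOT_AVAILABLE) means the instance has not
--    re-established its session with the HSM, even though the HSM client
--    tools on the same host can reach it.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 2. Attempt to re-establish the HSM session without restarting the instance.
--    If decryption works after this, the outage recovery is a keystore
--    re-open rather than an instance restart.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "hsm_user:hsm_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "hsm_user:hsm_password";

-- 3. Re-check the status, then confirm decryption with a query against one
--    of the encrypted columns (table and column names are site-specific).
SELECT status FROM v$encryption_wallet;
```

In a multitenant database the `CLOSE` and `OPEN` statements usually need a trailing `CONTAINER = ALL` when run from the root; on 11g the equivalent statements are `ALTER SYSTEM SET ENCRYPTION WALLET CLOSE|OPEN IDENTIFIED BY "hsm_user:hsm_password"`. Recording the `v$encryption_wallet` status at each step gives a concrete artifact to show the HSM vendor and Oracle support, since the alert log is silent in this scenario.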