How can I resolve the error "ORA-28407: Hardware Security Module error detected" when configuring Oracle TDE for CloudHSM?

Last updated: 2019-10-24

I configured Oracle Database Transparent Data Encryption (TDE) for AWS CloudHSM in an Amazon Elastic Compute Cloud (Amazon EC2) instance. After creating the Oracle TDE master encryption key, I receive the error "ORA-28407: Hardware Security Module error detected".  

Short Description

The CloudHSM software library for PKCS#11, version 1.1.1 and later, performs stricter checks against supported PKCS#11 attributes. After creating the Oracle TDE master key, Oracle sets the CKA_MODIFIABLE attribute from True to False. The library denies setting the CKA_MODIFIABLE attribute to False because of the stricter checks.

For more information, see the PKCS #11 Library section in CloudHSM Client and Software Version 1.1.1.

Resolution

All CloudHSM PKCS#11 packages version 1.1.1 and later perform stricter checks. These checks can't be disabled. Instead, use the CloudHSM PKCS#11 package version 1.1.0. For all other CloudHSM client instances, use the latest version for the CloudHSM client and software libraries.

Note: It's a best practice to use the most recent version for the CloudHSM client and software libraries.
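To confirm which side of the 1.1.1 threshold an Oracle TDE host is on, the following added example (not part of the original article or AWS tooling) classifies a PKCS#11 library version numerically. The function names are hypothetical, and the package name `cloudhsm-client-pkcs11` is an assumption; adjust it to match your installation.

```shell
#!/bin/sh
# Added example: classify a CloudHSM PKCS#11 library version against the
# 1.1.1 threshold described in this article.

# Return 0 if version $1 >= version $2, comparing dot-separated fields
# numerically (so 1.10.0 > 1.1.1 and 1.0.18 < 1.1.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Print "affected" for versions that perform the stricter attribute checks
# (1.1.1 and later), "not-affected" for earlier versions, "unknown" otherwise.
classify_pkcs11_version() {
    ver=${1%%-*}                      # drop a packaging suffix such as "-1"
    case $ver in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_ge "$ver" "1.1.1"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Query the installed package version via rpm or dpkg.
installed_pkcs11_version() {
    pkg=${1:-cloudhsm-client-pkcs11}  # assumed package name
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' "$pkg"
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null
    fi
}

# Run the check only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    classify_pkcs11_version "$(installed_pkcs11_version)"
fi
```
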

