How to Copy Keystore (Wallet) stored in ASM from Primary to Physical Standby
Assumptions:
- It is assumed that the Keystore is already configured on the Primary as well as on the Standby Database
- Keys in the Primary Database Keystore are not synchronized with the Physical Standby Database Keystore
Step1: Create a keystore in the file system on the Primary
SQL> administer key management create keystore '/u01/app/Keystore/backup' identified by xxxx;
Step2: Merge both keystores, the Keystore in ASM and the Keystore created in the file system
SQL> administer key management merge keystore '+DG_TST_DATA/TST1T/wallet' identified by xxxx into existing keystore '/u01/app/Keystore/backup' identified by xxxx with backup;
NOTE: First password is the keystore password for Keystore on ASM and second password is the keystore password for Keystore in file system
Step3: Copy the file to the Standby Database
Use your favorite tool, e.g. scp or WinSCP, and copy the merged keystore to the Standby database server
Step4: Merge the Keystore into existing keystore at Physical Standby
SQL> administer key management merge keystore '/u01/app/Keystore/backup' identified by xxxx into existing keystore '+DG_TST_DATA/TST2T/wallet' identified by xxxx with backup;
NOTE: First password is the keystore password for Keystore on file system and second password is the keystore password for Keystore in ASM at Standby
Also adjust the location '/u01/app/Keystore/backup' to the location where you have copied the keystore on standby server
Step5: Bounce the standby database.
Step6: Run command to verify the key in standby server.
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;
Note: If the keys are not visible, follow the steps below (of course on the standby database)
Step7: Close the AUTO/LOCAL AUTO LOGIN WALLET
SQL> administer key management set keystore close;
Step8: Open the Password Based Wallet
SQL> administer key management set keystore open identified by xxxx;
Step9: Verify the Keys in Password Based Wallet
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;
If the Keys are merged and are present in the Password Based Wallet, you need to rebuild the AUTO/LOCAL AUTO LOGIN WALLET to synchronize it with the Password Based Wallet
Step10: Rebuild AUTO/LOCAL AUTO LOGIN WALLET
1> Back up the cwallet.sso file
ASMCMD> mv cwallet.sso cwallet.sso_bkp
2> Create the AUTO/LOCAL AUTO LOGIN WALLET from Password Based Wallet
SQL> ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '+DG_TST_DATA/TST2T/wallet' IDENTIFIED BY "xxxxxx";
3> Close the Password Based Wallet
SQL> administer key management set keystore close identified by xxxx;
4> Run command to verify the key in standby server.
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;
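The key IDs returned by the verification queries are long strings that are easy to misread when compared by eye. The script below is an added example, not part of the original procedure: it compares SQL*Plus spool files of "select key_id from v$encryption_keys;" taken on the Primary and on the Standby and lists any master key that is still missing on the Standby. The spool file names, function names and sample key IDs are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: compare TDE master key IDs between primary and standby.
# Inputs are SQL*Plus spool files of "select key_id from v$encryption_keys;"
# taken on each site. File names and key IDs below are constructed.

# Print the key IDs in a spool file, one per line, sorted and de-duplicated.
# Drops the echoed SQL> line, column heading, underline, blank lines and
# the "N rows selected." / "no rows selected" footer.
extract_key_ids() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -v -e '^$' -e '^SQL>' -e '^KEY_ID$' -e '^--*$' \
            -e '^[0-9][0-9]* rows\{0,1\} selected\.$' \
            -e '^no rows selected$' |
    LC_ALL=C sort -u
}

# Print key IDs present on the primary but absent on the standby.
# Returns 0 if the standby has every primary key, 1 if keys are missing,
# 2 if the primary spool has no key IDs (wrong file or closed keystore).
missing_on_standby() {
    p=$(mktemp) && s=$(mktemp) || return 2
    extract_key_ids "$1" > "$p"
    extract_key_ids "$2" > "$s"
    if [ ! -s "$p" ]; then
        rm -f "$p" "$s"
        echo "no key IDs found in $1" >&2
        return 2
    fi
    missing=$(LC_ALL=C comm -23 "$p" "$s")
    rm -f "$p" "$s"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the standby lacks the second primary key.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'SQL> select key_id from v$encryption_keys;' '' 'KEY_ID' \
        '------------' 'AaaaKEY1AAAA' 'AbbbKEY2AAAA' '' \
        '2 rows selected.' > "$d/primary.lst"
    printf '%s\n' 'KEY_ID' '------------' 'AaaaKEY1AAAA' '' \
        '1 row selected.' > "$d/standby.lst"
    missing_on_standby "$d/primary.lst" "$d/standby.lst" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A Standby spool that contains only "no rows selected" reports every Primary key as missing, which is the case where the page's Step7 to Step10 apply.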