
How to Synchronize Primary Database Keystore with Physical Standby



How to Copy Keystore (Wallet) stored in ASM from Primary to Physical Standby

Assumptions:

  • The keystore is already configured on the primary as well as on the standby database
  • Keys in the primary database keystore are not synchronized with the physical standby database keystore

Step1: Create an empty keystore in any other location on the file system on the primary
SQL> administer key management create keystore '/u01/app/Keystore/backup' identified by xxxx;


Step2: Merge both keystores: the keystore in ASM and the keystore created on the file system
SQL> administer key management merge keystore '+DG_TST_DATA/TST1T/wallet' identified by xxxx into existing keystore '/u01/app/Keystore/backup' identified by xxxx with backup;

NOTE: The first password is the keystore password for the keystore in ASM, and the second password is the keystore password for the keystore on the file system.

Step3: Copy the file to the standby database
Use your favorite tool, e.g. scp or WinSCP, to copy the merged keystore to the standby database server.

Step4: Merge the keystore into the existing keystore at the physical standby
SQL> administer key management merge keystore '/u01/app/Keystore/backup' identified by xxxx into existing keystore '+DG_TST_DATA/TST2T/wallet' identified by xxxx with backup;

NOTE: The first password is the keystore password for the keystore on the file system, and the second password is the keystore password for the keystore in ASM at the standby.
Also change the location '/u01/app/Keystore/backup' to the location where you copied the keystore on the standby server.

Step5: Bounce the standby database.

Step6: Run command to verify the key in standby server.
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;


Note: If the keys are not visible, follow the steps below (on the standby database).

Step7: Close the AUTO/LOCAL AUTO LOGIN WALLET
SQL> administer key management set keystore close;


Step8: Open the Password Based Wallet
SQL> administer key management set keystore open identified by xxxx;


Step9: Verify the Keys in Password Based Wallet
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;

If the keys are merged and present in the password-based wallet, you need to rebuild the AUTO/LOCAL AUTO LOGIN WALLET to synchronize it with the password-based wallet.


Step10: Rebuild AUTO/LOCAL AUTO LOGIN WALLET

1> Back up the cwallet.sso file
ASMCMD> mv cwallet.sso cwallet.sso_bkp
2> Create the AUTO/LOCAL AUTO LOGIN WALLET from the Password Based Wallet
SQL> ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '+DG_TST_DATA/TST2T/wallet' IDENTIFIED BY "xxxxxx";
3> Close the Password Based Wallet
SQL> administer key management set keystore close identified by xxxx;

4> Run command to verify the key in standby server.
SQL> select * from v$encryption_wallet;
SQL> select key_id from v$encryption_keys;
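
The verification queries above show which keys the standby can see, but not whether every primary key arrived. The following is an added example, not part of the original article: it compares spooled SQL*Plus output of the key_id query from both sides and lists any primary key missing on the standby. The spool text, the key IDs and the function names are constructed for illustration.

```python
import re

# Constructed sample spool output; the key IDs are made up for illustration.
PRIMARY_SPOOL = """\
SQL> select key_id from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
AQexampleKeyOne000000000000000000000000000000AAAAAAAA
AQexampleKeyTwo000000000000000000000000000000AAAAAAAA
AQexampleKeyThree0000000000000000000000000000AAAAAAAA

3 rows selected.
"""
STANDBY_SPOOL = """\
SQL> select key_id from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
AQexampleKeyOne000000000000000000000000000000AAAAAAAA

1 row selected.
"""

# Lines SQL*Plus adds around the data: prompt echo, heading, rule, row count.
NOISE = re.compile(r"^(SQL>.*|KEY_ID|-+|\d+ rows? selected\.|no rows selected)$", re.I)

def parse_key_ids(spool_text):
    """Return the set of key IDs found in spooled SQL*Plus output."""
    keys = set()
    for line in spool_text.splitlines():
        line = line.strip()
        if line and not NOISE.match(line):
            keys.add(line)
    return keys

def compare_keystores(primary_spool, standby_spool):
    """Report key IDs missing on the standby and key IDs only the standby has."""
    primary = parse_key_ids(primary_spool)
    standby = parse_key_ids(standby_spool)
    return {
        "missing_on_standby": sorted(primary - standby),
        "only_on_standby": sorted(standby - primary),
        # No keys read from the primary (e.g. keystore closed) is never "in sync".
        "in_sync": bool(primary) and primary <= standby,
    }

if __name__ == "__main__":
    print(compare_keystores(PRIMARY_SPOOL, STANDBY_SPOOL))
```
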


