Skip to main content

Step by Step How to Configure Software Keystore/ Oracle Wallet


<<Back to Oracle DB Security Main Page

How to Configure a Software Keystore

A software keystore is a container that stores the Transparent Data Encryption master encryption key.
To configure a software Keystore follow the steps below.
Step 1: Set the Keystore Location in the sqlnet.ora File
You can store the software keystore (also known as wallet) in file system or in ASM Diskgroup. Does not matter where you want to store the keystore you have modify the sqlnet.ora and make an entry accordingly
Make an entry as shown below in $ORACLE_HOME/network/admin/sqlnet.ora file
Example1: If Storing the Wallet in ASM
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=+DG_TST_DATA/$ORACLE_SID/wallet)
   )
 )
 Example2: If Storing the Wallet in File System
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/u01/dbatst1/admin/wallet/$ORACLE_SID)
   )
 )
NOTE: Ensure that the path you entered in DIRECTORY exists. If not create it
Step2: Create the Software KeyStore
There are three different types of software keystores. password-based,auto-login and local auto-login
You can read HERE about them in detail.

Creating the Password Based Software KeyStore

A> login as sysdba or as syskm
$ sqlplus "/as sysdba"
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL>
B> The output below shows that there is no wallet present
SQL>set linesize 200
SQL>col WALLET_DIR for a32
SQL>col status for a21
SQL>select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- --------------------
NOT_AVAILABLE         /u01/dbatst1/admin/wallet/TST1T/ UNKNOWN
C> Create the Wallet
SQL>  ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/dbatst1/admin/wallet/TST1T/' IDENTIFIED BY xxxx;
keystore altered.
D> Check the Wallet Status
SQL>select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;

STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- --------------------
CLOSED                /u01/dbatst1/admin/wallet/TST1T/ UNKNOWN
$ ls -lrt /u01/dbatst1/admin/wallet/TST1T/
-rw------- 1 dbatst1 asmadmin 2408 Nov 20 16:03 ewallet.p12

Creating the Auto Login Software KeyStore
Follow all the steps (from A to D) from Step2 and then step E as shown below
E> Create Auto Login Wallet from Password Based Wallet
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/dbatst1/admin/wallet/TST1T/' IDENTIFIED BY xxxx;
keystore altered.
F> Check The Wallet Status
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- --------------------
OPEN_NO_MASTER_KEY    /u01/dbatst1/admin/wallet/TST1T/ AUTOLOGIN
$ ls -lrt /u01/dbatst1/admin/wallet/TST1T/-rw------- 1 dbatst1 asmadmin 2408 Nov 20 16:03 ewallet.p12
-rw------- 1 dbatst1 asmadmin 2451 Nov 20 16:17 cwallet.sso

Creating the Local Auto Login Software KeyStore
Follow all the steps (from A to D) from Step2 and then step G as shown below
G> Create Local Auto Login Wallet from Password Based Wallet
SQL> ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/dbatst1/admin/wallet/TST1T/' IDENTIFIED BY xxxx;
keystore altered.
H> Check The Wallet Status
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- --------------------
OPEN_NO_MASTER_KEY    /u01/dbatst1/admin/wallet/TST1T/ LOCAL_AUTOLOGIN

 Step3: Open the Software KeyStore
A password-based software keystore must be manually opened before any TDE master encryption keys can be created or accessed in the keystore. You do not need to manually open auto-login or local auto-login software keystores These keystore are automatically opened when it is required.
Note: The  auto-login or local auto-login software keystores are opened even as soon as you select from V$ENCRYPTION_WALLET view

 A> Opening a Password Based Software Keystore
SQL> administer key management  set keystore open identified by xxxx;
keystore altered.
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- --------------------
OPEN_NO_MASTER_KEY    /u01/dbatst1/admin/wallet/TST1T/ PASSWORD

 Step4: Set the Software TDE Master Encryption Key
For All PDBs in the CDB
SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY xxxx WITH BACKUP CONTAINER = ALL ;
keystore altered.
For a Specific PDB 
SQL> ALTER SESSION SET CONTAINER=PDB01
SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY xxx WITH BACKUP USING 'tde_key_backup' CONTAINER = CURRENT ;


keystore altered.

FORCE KEYSTORE option enables the keystore operation if the auto-login keystore is in use, or the keystore is closed the option is available from version 12.2 if you are still at 12.1 and want to use this option apply the patch for BUG 22826718 (Doc ID 1944507.1)
  • Once you have the KeyStore (wallet) you can store the master key for encrypting or decrypting the TDE table keys and tablespace encryption keys in this keystore. 
  • You can find if a keystore has no master key set or an unknown master key by querying the STATUS column of the V$ENCRYPTION_WALLET view.
  • In a multitenant environment, you can create and manage the TDE master encryption key from either the root or the PDB
  • You also can create TDE master encryption keys for use later on, and then manually activate them.
  • To set the master encryption key password based wallet must be open. If the auto-login software keystore is open,then you must close it and open the password-based software keystore.
  • If both the password-based keystore and auto-login keystores are present in the configured location and the password-based keystore is open, then the TDE master encryption key is automatically written to the auto-login keystore as well

 Step5: Encrypt your Data
Once you are done with Wallet (KeyStore) and key setup starting encrypting the confidential tables and columns to keep your data protected

 Related Posts
How to Encrypt Columns in Tables

Comments

  1. Chyna ReingerAugust 7, 2021 at 5:31 AM

    Hello there! I could have sworn I've been to this site before but after browsing through some of the post I realized it's new to me. Anyways, I'm definitely happy I found it and I'll be bookmarking and checking back frequently! shipping container sizes and prices

    ReplyDelete
  2. KITS TechnologiesAugust 7, 2021 at 7:05 AM

    web methods online courses
    business analyst online course
    oracle adf online course
    oracle rac online course
    msbi online course
    osb online training

    ReplyDelete
  3. UnknownSeptember 25, 2021 at 5:32 AM

    Social Beat is a digital growth partner for hyperscaling startups & top brands - Google Premier Partner, Preferred Facebook Marketing Partner. By digital marketing company in IndiaThe Best digital marketing agency in India which not only offers SEO, PPC, SMM, Branding but also provides 360° online marketing.

    Free Job Alert site is for Government,Sarkari Naukri,Banks,Railways,Police Recruitment, Results of IBPS,UPSC,SSC,RRB, Fresher IT Jobs and Walkins.

    How can I contact a match? What can I do with a free membership? How do I cancel my Premium subscription? Getting started - Read more: Elite Singles Contact Information:

    Qualified interior designers Gorakhpur has, will always ensure that the quality of work delivered is as per the expectations of their clients. Visit Now: Interior Designer in Gorakhpur, UP

    ReplyDelete
  4. FranticproDecember 26, 2021 at 11:56 PM

    Hi, I am John Smith I am Web Developer, It is an amazing blog thanks for the sharing the blog. Frantic infotech provide the ui /ux design android software such as an information about software development for costumer service. Franti infotech also provide the codeigniter web developer. The development of advanced web applications is Orient Software’s specialty and we will successfully fulfill all your web application development requirements, from small-sized to wider-ranged projects.

    ReplyDelete
  5. Karl MarksMarch 16, 2022 at 5:12 AM

    Thanks For Sharing this Informative Blog. Here you will Get the Best Digital Marketing Agency in India and Select the Best services, Like - SEO Services, PPC Services, Google Ads, SMO Services, etc.

    ReplyDelete
  6. Promote AbhiApril 19, 2022 at 5:09 AM

    Promote Abhi provide valuable & economical digital solutions for the customers in areas such as website designing, development & maintenance, graphic designing, digital marketing and mobile applications development. Promote Abhi provides best solutions for - website designing company delhi

    ReplyDelete
  7. HarryMay 1, 2022 at 10:42 PM

    Progressive Web Apps (PWAs) are a hybrid of a responsive website and a mobile application. They're mobile sites built with modern JavaScript frameworks and designed to function as if they were progressive native app. They can be added to the home screen of a mobile device via an icon. They, like apps, provide a full-screen experience to keep users engaged.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to Power On/off Oracle Exadata Machine

<<Back to Exadata Main Page How to Power On/off Oracle Exadata Machine Oracle Exadata machines can be powered on/off either by pressing the power button on front of the server or by logging in to the ILOM interface. Powering on servers using  button on front of the server The power on sequence is as follows. 1. Start Rack, including switches  Note:- Ensure the switches have had power applied for a few minutes to complete power on  configuration before starting Exadata Storage Servers 2.Start Exadata Storage Servers  Note:- Ensure all Exadata Storage Servers complete the boot process before starting the   database servers 3. Start Database Servers Powering On Servers Remotely using ILOM The ILOM can be accessed using the Web console, the command-line interface (CLI), IPMI, or SNMP. For example, to apply power to server dm01cel01 using IPMI, where dm01cel01-ilom is the host name of the ILOM for the server to be powered on, run the
Post a Comment
Read more

ORA-28374: typed master key not found in wallet

<<Back to Oracle DB Security Main Page ORA-46665: master keys not activated for all PDBs during REKEY SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY xxxx WITH BACKUP CONTAINER = ALL ; ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY xxxx WITH BACKUP CONTAINER = ALL * ERROR at line 1: ORA-46665: master keys not activated for all PDBs during REKEY I found following in the trace file REKEY: Create Key in PDB 3 resulted in error 46658 *** 2019-02-06T15:27:04.667485+01:00 (CDB$ROOT(1)) REKEY: Activation of Key AdnU5OzNP08Qv1mIyXhP/64AAAAAAAAAAAAAAAAAAAAAAAAAAAAA in PDB 3 resulted in error 28374 REKEY: Keystore needs to be restored from the REKEY backup.Aborting REKEY! Cause: All this hassle started because I accidently deleted the wallet and all wallet backup files too and also forgot the keystore password. There was no way to restore the wallet back. Fortunately in my case the PDB which had encrypted data was supposed to be deco
7 comments
Read more

How to Find VIP of an Oracle RAC Cluster

<<Back to Oracle RAC Main Page How to Find Out VIP of an Oracle RAC Cluster Login clusterware owner (oracle) and execute the below command to find out the VIP hostname used in Oracle RAC $ olsnodes -i node1     node1-vip node2     node2-vip OR $ srvctl config nodeapps -viponly Network 1 exists Subnet IPv4: 10.0.0.0/255.255.0.0/bondeth0, static Subnet IPv6: Ping Targets: Network is enabled Network is individually enabled on nodes: Network is individually disabled on nodes: VIP exists: network number 1, hosting node node1 VIP Name: node1-vip VIP IPv4 Address: 10.0.0.1 VIP IPv6 Address: VIP is enabled. VIP is individually enabled on nodes: VIP is individually disabled on nodes: VIP exists: network number 1, hosting node node2 VIP Name: node2-vip VIP IPv4 Address: 10.0.0.2 VIP IPv6 Address: VIP is enabled. VIP is individually enabled on nodes: VIP is individually disabled on nodes:
1 comment
Read more

ORA-16905: The member was not enabled yet

<<Back to Oracle DataGuard Main Page ORA-16905 Physical Standby Database is disabled DGMGRL> show configuration; Configuration - DG_ORCL1P   Protection Mode: MaxPerformance   Members:   ORCL1PP - Primary database     ORCL1PS - Physical standby database (disabled)       ORA-16905: The member was not enabled yet. Fast-Start Failover:  Disabled Configuration Status: SUCCESS   (status updated 58 seconds ago) DGMGRL> DGMGRL> enable database 'ORCL1PS'; Enabled. DGMGRL>  show configuration; Configuration - DG_ORCL1P   Protection Mode: MaxPerformance   Members:   ORCL1PP - Primary database     ORCL1PS - Physical standby database Fast-Start Failover:  Disabled Configuration Status: SUCCESS   (status updated 38 seconds ago)
Post a Comment
Read more

How to Switch Log File from All Instances in RAC

<<Back to Oracle RAC Main Page Switch The Log File of All Instances in Oracle RAC. In many cases you need to switch the logfile of the database. You can switch logfile using alter system switch logfile command but if you want to switch the logfile from all the instances you need to execute the command on all the instances individually and therefore you must login on all the instances. You can avoid this and switch logfile of all instances by just running the below command from any of the instance in RAC database SQL> ALTER SYSTEM SWITCH ALL LOGFILE;   System altered.
Post a Comment
Read more

ORA-65104: operation not allowed on an inactive pluggable database alter pluggable database open

<<Back to DB Administration Main Page ORA-65104: operation not allowed on an inactive pluggable database SQL> alter pluggable database TEST_CLON open; alter pluggable database TEST_CLON open * ERROR at line 1: ORA-65104: operation not allowed on an inactive pluggable database Cause The pluggable database status was UNUSABLE. It was still being created or there was an error during the create operation. A PDB can only be opened if it is successfully created and its status is marked as NEW in cdb_pdbs.status column SQL> select PDB_NAME,STATUS from cdb_pdbs; PDB_NAME             STATUS -------------------- --------------------------- PDB$SEED             NORMAL TEST_CLON            UNUSABLE Solution:  Drop the PDB and create it again. Related Posts How to Clone Oracle PDB (Pluggable Database) with in the Same Container
Post a Comment
Read more

ORA-46630: keystore cannot be created at the specified location

<<Back to DB Administration Main Page ORA-46630: keystore cannot be created at the specified location CDB011> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '+DATAC4/CDB01/wallet/' IDENTIFIED BY "xxxxxxx"; ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '+DATAC4/CDB01/wallet/' IDENTIFIED BY "EncTest123" * ERROR at line 1: ORA-46630: keystore cannot be created at the specified location Cause  Creating a keystore at a location where there is already a keystore exists Solution To solve the problem, use a different location to create a keystore (use ENCRYPTION_WALLET_LOCATION in sqlnet.ora file to specify the keystore location), or move this ewallet.p12 file to some other location. Note: Oracle does not recommend deleting keystore file (ewallet.p12) that belongs to a database. If you have multiple keystores, you can choose to merge them rather than deleting either of them.
Post a Comment
Read more

Starting RMAN and connecting to Database

  <<Back to Oracle Backup & Recovery Main Page Starting RMAN and connecting to Database Starting RMAN and connecting to Database To start RMAN you need to set the environment and type rman and press enter. You can connect to database either using connect command or using command line option. using command line option localhost:$ export ORACLE_HOME=/ora_app/product/18c/dbd2 localhost:$ export PATH=$ORACLE_HOME/bin:$PATH localhost:$ export ORACLE_SID=ORCL1P localhost:$ rman target / Recovery Manager: Release 18.0.0.0.0 - Production on Sun Apr 4 08:11:01 2021 Version 18.11.0.0.0 Copyright (c) 1982, 2018, Oracle and/or its affiliates.  All rights reserved. connected to target database: ORCL1P (DBID=4215484517) RMAN> using connect option localhost:$ rman RMAN> connect target sys@ORCL1P  target database Password:******** connected to target database: ORCL1P (DBID=4215484517) NOTE: To use connect command you need to ensure that  you have proper TNS sentry for database (ORCL
Post a Comment
Read more

How to Attach to a Datapump Job and Check Status of Export or Import

<<Back to Oracle DATAPUMP Main Page How to check the progress of  export or import Jobs You can attach to the export/import  job using ATTACH parameter of oracle datapump utility. Once you are attached to the job you check its status by typing STATUS command. Let us see how Step1>  Find the Export/Import Job Name You can find the datapump job information from  DBA_DATAPUMP_JOBS or  USER_DATAPUMP_JOBS view. SQL> SELECT OWNER_NAME,JOB_NAME,OPERATION,JOB_MODE,STATE from DBA_DATAPUMP_JOBS; OWNER_NAME JOB_NAME                       OPERATION            JOB_MODE   STATE ---------- ------------------------------ -------------------- ---------- ---------- SYSTEM     SYS_EXPORT_FULL_02             EXPORT               FULL       EXECUTING OR You can also find the job name for export/import in logfile in beginning itself. Step2>Attach to the Job and check status One you get the Export/Import Job Name attach the job and check its status. You can attach or det
7 comments
Read more

Step by Step how to Create Virtual Machine using Virtualbox

<<Back to Linux Main Page How to Create New Virtual Machine Using Oracle Virtual Box Step1:   Open Oracle Virtual Box --> Click New Provide Name, Type and Version as shown in the image below and click Next  Step2:  Adjust memory (RAM) as per the requirement and availability   and click Next.  NOTE:- Remember to leave enough memory for the host OS to work properly.  Step3:   Select the option to create a new virtual hard drive and click "Create"  (erzeugen) button.  Step4:  Accept Default and click next (weiter)   Step5: Accept the dynamically allocated option by clicking the "Next" (weiter) button.  Step6:  If you don't want to use the defaults, enter the required location, name and size of the virtual disk and click the "Create" (erzeugen) button. Note:- At this point your virtual machine is created and ready for OS installation Preparing the Virtual machine for Oracle RAC Installation Step1:   Select t
Post a Comment
Read more