How to Migrate TDE Oracle Wallets from File System to ASM?
  
SOLUTION
Make sure to try this in a Dev / Test environment first to confirm that it works as expected.
Create a wallet in the ASM location, merge the local file system wallet content into the new ASM wallet, and update sqlnet.ora to point to the ASM wallet location.
Below is the standard process to migrate a TDE wallet from the OS file system to ASM:
 1. Create new keystore in ASM by running:
 ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<ASM_location>' IDENTIFIED BY **** ;
 2. Edit sqlnet.ora and set ENCRYPTION_WALLET_LOCATION to point to the ASM wallet.
 3. Open the keystore.
 SQL> administer key management set keystore open identified by *****;
 4. Merge wallet contents:
 ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '<file_system_path>' IDENTIFIED BY <wallet_password> INTO EXISTING KEYSTORE '<ASM_location>' IDENTIFIED BY <wallet_password> WITH BACKUP;
Check the 12c documentation for more details:
https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_mgr.htm#ASOAG10323
GOAL
How to copy the TDE wallet from ASM to the local OS file system.
SOLUTION
We will need to create a temporary keystore in any temporary location in the file system and merge the keystore from ASM into this file system keystore.
 Below is an example.
 1) mkdir -p /tmp/TDEwallet/
 2)  Create a NEW keystore somewhere on the filesystem.  Example:  
     SQL> administer key management create keystore '/tmp/TDEwallet/' identified by <password>;
 3)  Merge the renamed ASM keystore into the filesystem keystore.  
 Example:
     SQL>  administer key management merge keystore '+ASM_Wallet_Location' identified by "<Original Password>" into existing keystore '/tmp/TDEwallet/' identified by mywallet123 with backup;
     NOTE:  This requires that you know the password for the older ewallet file!
 4)  cd /tmp/TDEwallet/
 5)  ls -lrt  
    (This is to check and record the size of the file.)
 6)  orapki wallet display -wallet /tmp/TDEwallet/
    (This will output the contents of the wallet.)
    NOTE:  This requires that you know the wallet's password.
CAUSE
It looks like the wallet files got corrupted; the wallet content cannot be viewed using the orapki wallet display command:
  
 > orapki wallet display -wallet /oracle/P99/ewallet.p12 -pwd Sa*******
 Oracle PKI Tool Release 19.0.0.0.0 - Production
 Version 19.4.0.0.0
 Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
 Got tag 10 instead of 16.
  
SOLUTION
+++++++++++++++
 Take a valid backup of your wallet files (ewallet.p12 and cwallet.sso).
 Create a temporary keystore in any temporary location in the file system and merge the keystore from the old location into this new location.
 1. Create a new empty wallet using orapki at some other location than the original wallet.
 $ pwd
 $ orapki wallet create -wallet . -pwd ******
 $ ls -ltr
 -rw-rw-rw- 1 ewallet.p12.lck
 -rw------- 1 ewallet.p12
 2. Merge the existing keystore into the newly created empty wallet. Here there is no need to specify the password for the first keystore, because it is auto-login.
 SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '<Original/old Keystore location>' INTO EXISTING KEYSTORE '' IDENTIFIED BY WITH BACKUP;
 keystore altered.
 3. Now check the contents of the newly merged wallet and make sure they are the same as in the original wallet.
 cd
 $ ls -ltr
 -rw------- 1 ewallet.p12
 -rw------- 1 cwallet.sso
 $ orapki wallet display -wallet
 Oracle Secret Store entries:
 ORACLE.SECURITY.DB.ENCRYPTION.
 ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
 ORACLE.SECURITY.ID.ENCRYPTION.
 ORACLE.SECURITY.KB.ENCRYPTION.
 ORACLE.SECURITY.KM.ENCRYPTION.
 4. At this point, a check shows that the existing wallet was not affected:
 SQL> select * from v$encryption_wallet;
 WRL_TYPE  WRL_PARAMETER  STATUS  WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
 --------  -------------  ------  -----------  ---------  ---------  ------
 FILE                     OPEN    AUTOLOGIN    SINGLE     NO         0
 5. Change the wallet location in sqlnet.ora in the case of 12c.
 If you are on 19c and using the WALLET_ROOT and TDE_CONFIGURATION parameters, change them accordingly.
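Step 3 above (and step 6 of the ASM-to-file-system copy) asks you to compare the contents of the merged wallet with the original. The script below is an added example, not part of the original notes: it takes the text printed by "orapki wallet display" for both wallets, compares the secret-store entry names mechanically, and also recognises the "Got tag N instead of M" error from the CAUSE section. The transcripts embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original notes): after MERGE KEYSTORE, compare the
# secret-store entries printed by "orapki wallet display" for the old and the
# merged wallet, instead of eyeballing them. Transcripts below are constructed.
export LC_ALL=C   # stable sort order for comm

# Sorted, unique ORACLE.SECURITY.* entry names from a display transcript.
wallet_entries() {
    grep -E '^[[:space:]]*ORACLE\.SECURITY\.' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | sort -u
}

# check_merge OLD_TRANSCRIPT NEW_TRANSCRIPT
#   0: every entry of OLD is in NEW and NEW carries a MASTERKEY entry
#   1: orapki could not parse NEW ("Got tag N instead of M", damaged PKCS#12)
#   2: NEW lacks entries that OLD has, or has no MASTERKEY
check_merge() {
    if grep -q 'Got tag [0-9][0-9]* instead of [0-9][0-9]*' "$2"; then
        echo "new wallet is unreadable by orapki (damaged PKCS#12 structure)"; return 1
    fi
    o=$(mktemp); n=$(mktemp)
    wallet_entries "$1" > "$o"; wallet_entries "$2" > "$n"
    missing=$(comm -23 "$o" "$n"); total=$(wc -l < "$o" | tr -d ' ')
    rm -f "$o" "$n"
    if [ -n "$missing" ]; then
        echo "entries missing from new wallet:"; echo "$missing"; return 2
    fi
    grep -q 'ORACLE\.SECURITY\.DB\.ENCRYPTION\.MASTERKEY' "$2" || { echo "no MASTERKEY entry"; return 2; }
    echo "ok: all $total entries of the old wallet are present in the new one"
}

# Constructed transcripts (the key id suffix is a placeholder, not a real key id).
OLD_WALLET=$(mktemp); NEW_WALLET=$(mktemp); PARTIAL_WALLET=$(mktemp); CORRUPT_WALLET=$(mktemp)
cat > "$OLD_WALLET" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.PLACEHOLDERKEYID
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.
EOF
cp "$OLD_WALLET" "$NEW_WALLET"                        # a correct merge shows the same entries
grep -v MASTERKEY "$OLD_WALLET" > "$PARTIAL_WALLET"   # a merge that lost the master key
printf 'Oracle PKI Tool Release 19.0.0.0.0 - Production\nGot tag 10 instead of 16.\n' > "$CORRUPT_WALLET"

check_merge "$OLD_WALLET" "$NEW_WALLET"               # exit status 0
check_merge "$OLD_WALLET" "$PARTIAL_WALLET" || :      # exit status 2, lists the missing entry
check_merge "$OLD_WALLET" "$CORRUPT_WALLET" || :      # exit status 1
```

On a real system, redirect the output of "orapki wallet display -wallet <dir> -pwd <password>" for each wallet into a file and pass the two files to check_merge.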
  
-   As per the above note IDs, there is no way to recreate / decrypt the password. Raised a SR and they provided me the below action plan and it worked in my case.
    1. Take a backup of folder /u01/appdata/config/wallet/xx/tde to /u01/appdata/config/wallet/xxxxx/tde_backup
    2. Create a folder tde_temp under /xxx/appdata/config/wallet/xxxx/
    3. Connect to DB as sys and run the commands below. Provide any new value for password
       SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/xxx/appdata/config/wallet/xxx/tde_temp' IDENTIFIED BY <password>;
       SQL> !ls -ltr /xxxx/appdata/config/wallet/xxx/tde_temp
       SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/***/appdata/config/wallet/xxx/tde' INTO EXISTING KEYSTORE '/xxx/appdata/config/wallet/xxxx/tde_temp' IDENTIFIED BY <password> WITH BACKUP;
       SQL> !ls -ltr /xxxx/appdata/config/wallet/xxxxx/tde_temp
       SQL> ADMINISTER KEY MANAGEMENT CREATE auto_login keystore from keystore '/xxxx/appdata/config/wallet/xxxx/tde_temp' identified by "<password>";
    4. Run the commands below and provide the output
       $ cd /xxxx/appdata/config/wallet/xxxx/tde_temp
       $ ls -ltr
       $ mkstore -wrl /xxxx/appdata/config/wallet/xxxx/tde_temp -viewEntry
       $ orapki wallet display -wallet /xxx/appdata/config/wallet/xxxx/tde_temp
    Checked the "orapki wallet display" for Password >> Successful
    Checked the actual keys for the tablespaces >> Successfully matching the key in Wallet >> you are fine to use the wallet
    Now,
    -- rename the existing wallet file (ewallet.p12)
    -- rename old autologin - (cwallet.sso)
    -- copy the new wallet (ewallet.p12) to the actual location
    -- restart database (all instances in case of RAC)
    -- startup Database (one instance in RAC)
    -- Open wallet with new password
    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <wallet_password>;
    -- Create new Autologin
    SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<wallet_location>' IDENTIFIED BY <wallet_password>;
    -- copy new ewallet.p12 file and new cwallet.sso file to all instances location
    -- start other instance
    Note - This action plan might not work in every case
-   SureshMuddaveerappa:
    Hello User_62P17, In your case it worked out well since the original wallet by itself was fine (along with the contents including the needed TDE keys). The only issue in your situation was the 'lost' password. Due to this, into the new temp wallet (that was created) the original TDE keys (from the 'lost' wallet) could be merged.
    ... the "orapki wallet display" for Password >> Successful
    This is coming from the new wallet you had to create. Good to know you were able to salvage and thanks on the update. Cheers -- Suresh

The article describes in detail how to migrate an Oracle Wallet from the file system to ASM in a dev/test environment, including creating a new wallet, updating the SQLNET.ORA path, merging wallet contents, and resolving possible problems such as a lost password or corrupted files.