I've searched a few blogs, documents, posts, discussions etc. to try to work out how to configure encryption so I can create an encrypted tablespace to test our application against.
They all seem to talk about Linux or pre 12c, but from those I've arrived at the following for my Windows 10 attempt:
DEFINE wallet_root='... path ...'
This value ends with a "\" and refers to a folder which contains the ewallet.p12 and cwallet.sso files
DEFINE encpassword=' ... '
16 characters with two upper case letters, 3 numbers, a special character (@), and 10 lower case letters
not literally, you understand :-).
ALTER SYSTEM SET wallet_root = q'<&&wallet_root>' SCOPE=SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=file" SCOPE=BOTH;
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE q'<&&wallet_root>' IDENTIFIED BY "&&encpassword";
-- this created the ewallet.p12 file as expected
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE q'<&&wallet_root>' IDENTIFIED BY "&&encpassword";
-- this created the cwallet.sso file as expected
SHUTDOWN IMMEDIATE;
(also tried net stop/start OracleServiceXE and rebooting Windows)
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "&&encpassword" CONTAINER = ALL;
-- This errors with ORA-28367: wallet does not exist
I've got, in my sqlnet.ora:
ENCRYPTION_WALLET_LOCATION =
(SOURCE =(METHOD = FILE)(METHOD_DATA =
(DIRECTORY = ... path ...)))
Here, the ... path ... matches the value for wallet_root, but without the trailing '\'.
I have tried with and without the trailing '\' and by changing '\' to '/' throughout each of the sqlnet.ora and wallet_root parameter settings, restarting the database and listener several times. The only difference I find is that when I add a trailing '\' to the sqlnet.ora path, the listener will not start as it can't parse the parameters.
And, yes, I have tried switching it off and on again (rebooting Windows completely). The only side effect of that was that it seemed to revert my listener.ora to one without the XE instance configured so I can't connect to the database unless it's started by "net start OracleServiceXE".
When I try the next step:
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP CONTAINER=ALL;
.. this fails with "ORA-46658: keystore not open in the container", which is hardly a surprise but does at least show that I've not run into an error I can ignore for whatever reason!
I'm new to encryption in Oracle, so I've probably missed something critical.
Could it, for example, be the size and/or complexity of the password I'm using?
TNS_ADMIN is not set either in the registry or system environment, so my sqlnet and listener files are in DBHOME/network/admin. I guess if that needs to be set, it may need another reboot.
If anyone can offer an insight into this, it would be greatly appreciated. If I've missed some important configuration information then apologies - please ask for it.
Thank you,
Tim