TDE - wallet issues after attempting HSM inclusion

toonie, Sep 27 2016 — edited Sep 28 2016

Hi all,

I have started playing around with TDE in a sandbox environment and was working successfully with a wallet key store in 11gR2.

The below details some of the existing wallet configuration.

SQL>  select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                      STATUS

-------------------- -------------------------------------------------- ------------------

file                 /opt/mis/oracle/admin/$ORACLE_SID/wallet           OPEN

HSM                                                                     CLOSED

SQL> host ls -lrt /opt/mis/oracle/admin/$ORACLE_SID/wallet

total 12

-rw------- 1 oracle dba 3957 Sep 27 08:13 ewallet.p12.1

-rw------- 1 oracle dba 4034 Sep 27 08:13 cwallet.sso.1

-rw-r----- 1 oracle dba 2581 Sep 27 08:14 ewallet.p12

SQL> select * from V$ENCRYPTED_TABLESPACES ;

       TS# ENCRYPT ENC ENCRYTPEDKEY                                                     MASTERKEYID                      BLOCKS_ENCRYPTED BLOCKS_DECRYPTED

---------- ------- --- ---------------------------------------------------------------- -------------------------------- ---------------- ----------------

         6 AES128  YES B0B17E918E2C9C4600E6B6815E908C1400000000000000000000000000000000 9D53535239654F09BF95FF58A676ECB1                0                0

        

SQL> host orapki wallet display -wallet   /opt/mis/oracle/admin/$ORACLE_SID/wallet

Oracle PKI Tool : Version 11.2.0.4.0 - Production

Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:    

Requested Certificates:

Subject:        CN=oracle

User Certificates:

Oracle Secret Store entries:

ORACLE.SECURITY.DB.ENCRYPTION.AWYHU7J/Mk9Wv54JrHcW4EEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

Trusted Certificates:

However, as can be noted above in the output of the first command - I then attempted to incorporate an HSM interaction also using Key Vault [Something along the lines of: alter system set encryption key identified by "null" migrate using "Easy2rem";] and now I am having some issues.

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem";

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem"

*

ERROR at line 1:

ORA-28353: failed to open wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem";

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem"

*

ERROR at line 1:

ORA-28353: failed to open wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Easy2rem";

ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Easy2rem"

*

ERROR at line 1:

ORA-28365: wallet is not open

I am not sure what the current status is to be quite honest but this is a sandbox environment so no issue if it has to be destroyed however...

Is it possible for me to roll back from the TDE implementation - i.e. disable it or at the very least reset the 'wallet open' password or TDE master key to direct me back towards a "fresh" starting point? Or how can I remove reference to the HSM wallet?

Just looking for a little help in order to diagnose where would one begin to troubleshoot such a TDE issue?

Thanks in advance,

Ruan

This post has been answered by Vlad Visan-Oracle on Sep 28 2016
Post Details
Locked on Oct 26 2016
Added on Sep 27 2016