9/28/2019 Document 2193264.1

Copyright (c) 2019, Oracle. All rights reserved. Oracle Confidential.

How To Manage A TDE Wallet Created In ASM (Doc ID 2193264.1)

In this Document

Goal
Solution

Encryption keys transport methods:

APPLIES TO:

Advanced Networking Option - Version 12.1.0.2 and later

Information in this document applies to any platform.

GOAL

A TDE wallet created in ASM cannot be manipulated at the OS level, because commands such as cp, mv and orapki can
corrupt wallet files stored in an ASM location. This restriction applies only to a TDE wallet stored in ASM (not to a TDE
wallet stored in a local OS directory).

For this reason, four methods are available to move or manipulate the master keys held in an ASM TDE wallet.

SOLUTION

The following preliminary steps provide a starting point for the scenario. If the wallet has already been created
in ASM, steps 1-3 can be skipped.

The syntax used below is explained in the Oracle ADMINISTER KEY MANAGEMENT documentation; refer to it for
details.

1) Create a keystore in an ASM diskgroup:

SQL> administer key management create keystore '+NEWDG/DB12C/wallet' identified by oracle_123;

keystore altered.

2) Edit sqlnet.ora and set ENCRYPTION_WALLET_LOCATION to point to the ASM wallet:

ENCRYPTION_WALLET_LOCATION =
(SOURCE=(METHOD=FILE)
(METHOD_DATA =
(DIRECTORY=+NEWDG/DB12C/wallet)))

3) Open the keystore and create a master key:

SQL> administer key management set keystore open identified by oracle_123;

keystore altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE   WRL_PARAMETER          STATUS               WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
---------- ---------------------- -------------------- ------------ ---------- ---------- ------
ASM        +NEWDG/DB12C/wallet/   OPEN_NO_MASTER_KEY   PASSWORD     SINGLE     UNDEFINED       0

SQL> administer key management set encryption key identified by oracle_123 with backup;

keystore altered.

SQL> administer key management create auto_login keystore from keystore '+NEWDG/DB12C/wallet'
identified by oracle_123;

keystore altered.

Encryption keys transport methods:

Method #1 - Create a local keystore and merge the ASM keystore into the local keystore:

SQL> administer key management create keystore '/home/oracle/wallet_tde' identified by oracle_123;

keystore altered.

SQL> administer key management merge keystore '+NEWDG/DB12C/wallet' identified by oracle_123 into
existing keystore '/home/oracle/wallet_tde' identified by oracle_123 with backup;

keystore altered.

SQL>

SQL> !orapki wallet display -wallet /home/oracle/wallet_tde


Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:


Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AZ2dYp1/C09kv80ZbUw+Jp8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AZ2dYp1/C09kv80ZbUw+Jp8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:

SQL>

Method #2 - Create an ASM keystore and merge the old ASM keystore into the new ASM keystore:

SQL> administer key management create keystore '+RECOVERY/DBFWDB/WALLET1' identified by Oracle_555;

keystore altered.

SQL> administer key management merge keystore '+NEWDG/DB12C/wallet' identified by oracle_123 into
existing keystore '+RECOVERY/DBFWDB/WALLET1' identified by Oracle_555 with backup;

keystore altered.


Method #3 - Export the master keys to a file and import them into the local keystore of a different 12c database:

SQL> administer key management export encryption keys with secret "my_secret" to
'/home/oracle/export_TDE.exp' identified by oracle_123;

keystore altered.

SQL>

SQL> administer key management import keys with secret "my_secret" from
'/home/oracle/roxana/export_TDE.exp' identified by oracle_123 with backup;

keystore altered.

Method #4 - Copy the wallet from one ASM directory to another ASM directory using DBMS_FILE_TRANSFER.COPY_FILE.
The current wallet is located in +EVENTDATA/DBFWDB/WALLET:

SQL> select * from v$encryption_wallet;

WRL_TYPE   WRL_PARAMETER              STATUS               WALLET_TYPE  WALLET_OR  FULLY_BAC  CON_ID
---------- -------------------------- -------------------- ------------ ---------- ---------- ------
ASM        +EVENTDATA/DBFWDB/WALLET/  OPEN                 UNKNOWN      SINGLE     NO              0

create or replace directory old_keystore as '+EVENTDATA/DBFWDB/WALLET';
create or replace directory new_keystore as '+RECOVERY/DBFWDB/WALLET';

BEGIN
  DBMS_FILE_TRANSFER.COPY_FILE(
    source_directory_object      => 'old_keystore',
    source_file_name             => 'ewallet.p12',
    destination_directory_object => 'new_keystore',
    destination_file_name        => 'ewallet.p12');
END;
/

PL/SQL procedure successfully completed.
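Whichever of the four methods is used, the old wallet should not be removed until the relocated keystore has been shown to open and to hold the master key the database is currently using. The following verification script is an added example and is not part of this note: it assumes the sample paths and passwords used above, a password-based (not auto-login) keystore, and that sqlnet.ora has already been edited to point ENCRYPTION_WALLET_LOCATION at the new location; the bind variable name old_key_id is a hypothetical name chosen for the example.

```sql
-- Added example, not part of Oracle note 2193264.1. Assumes the sample
-- locations and passwords from the note; run in SQL*Plus as SYSKM or SYSDBA.

-- 1) Record the master key id that is active while the OLD wallet is still open.
--    old_key_id is a hypothetical bind variable name; KEY_ID is VARCHAR2(78).
VARIABLE old_key_id VARCHAR2(78)
BEGIN
  SELECT key_id
    INTO :old_key_id
    FROM v$encryption_keys
   WHERE activation_time = (SELECT MAX(activation_time) FROM v$encryption_keys);
END;
/
PRINT old_key_id

-- 2) Close the old keystore. sqlnet.ora must already point at the new
--    location (for example DIRECTORY=+RECOVERY/DBFWDB/WALLET1) before the
--    OPEN below, otherwise the old wallet is simply reopened.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY oracle_123;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN  IDENTIFIED BY Oracle_555;

-- 3) The relocated keystore must report STATUS = OPEN at the new path.
--    OPEN_NO_MASTER_KEY means the copy contains no usable master key.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- 4) The key id recorded in step 1 must be present in the new keystore.
--    A mismatch means encrypted data could not be decrypted with this copy,
--    so the old wallet must be kept until the cause is resolved.
SELECT CASE
         WHEN COUNT(*) = 1 THEN 'OK: active master key present in relocated keystore'
         ELSE 'FAIL: active master key missing - keep the old wallet'
       END AS check_result
  FROM v$encryption_keys
 WHERE key_id = :old_key_id;
```

If an auto-login wallet was in use, note that Method #4 copies only ewallet.p12, so the auto-login keystore (cwallet.sso) has to be recreated at the new location with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE command shown in step 3 of the preliminary steps; the check above deliberately opens the keystore with its password so that the result does not depend on a stale cwallet.sso.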

Note:

In a Data Guard environment, the only method for copying an ASM wallet from the primary database to the standby
database is the merge method. An attempt to export the keys from the primary database and import them into the
standby database fails with the following error, because the keys are already present in the standby database's
data dictionary:

ERROR at line 1:

ORA-46655: no valid keys in the file from which keys are to be imported
