Copyright (c) 2019, Oracle. All rights reserved. Oracle Confidential.
APPLIES TO:
GOAL
A TDE wallet created in ASM cannot be manipulated at the OS level, because the commands cp, mv and orapki can corrupt
wallet files stored in an ASM location. This restriction applies only to TDE wallet files stored in ASM (not to TDE
wallet files stored in a local OS directory).
For this reason there are four methods to manipulate the master keys from an ASM TDE wallet.
SOLUTION
The following preliminary steps are provided to have a starting point for the scenario. If the wallet is already created
in ASM the steps 1-3 can be ignored.
The various aspects of the employed syntax are explained in the Oracle ADMINISTER KEY MANAGEMENT
documentation. Please refer to it for details.
keystore altered.
ENCRYPTION_WALLET_LOCATION =
(SOURCE=(METHOD=FILE)
(METHOD_DATA =
(DIRECTORY=+NEWDG/DB12C/wallet)))
keystore altered.
SQL> administer key management set encryption key identified by oracle_123 with backup;
keystore altered.
SQL> administer key management create auto_login keystore from keystore '+NEWDG/DB12C/wallet'
identified by oracle_123;
keystore altered.
Method #1 - Create a local keystore and merge the ASM keystore into the local keystore:
keystore altered.
SQL> administer key management merge keystore '+NEWDG/DB12C/wallet' identified by oracle_123 into
existing keystore '/home/oracle/wallet_tde' identified by oracle_123 with backup;
keystore altered.
SQL>
SQL>
Method #2 - Create an ASM keystore and merge the old ASM keystore into the new ASM keystore:
keystore altered.
SQL> administer key management merge keystore '+NEWDG/DB12C/wallet' identified by oracle_123 into
existing keystore '+RECOVERY/DBFWDB/WALLET1' identified by Oracle_555 with backup;
keystore altered.
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=1v56uijfv_536&id=2193264.1 2/4
9/28/2019 Document 2193264.1
Method #3 - Export the master keys to a file and import them into the local keystore of a different 12c database:
SQL> administer key management export encryption keys with secret "my_secret" to
'/home/oracle/export_TDE.exp' identified by oracle_123;
keystore altered.
SQL>
SQL> administer key management import keys with secret "my_secret" from
'/home/oracle/roxana/export_TDE.exp' identified by oracle_123 with backup;
keystore altered.
Method #4 - Copy the wallet from an ASM directory to another ASM directory using DBMS_FILE_TRANSFER.COPY_FILE.
The current wallet is created in location +EVENTDATA/DBFWDB/WALLET:
BEGIN
DBMS_FILE_TRANSFER.COPY_FILE(
END;
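The COPY_FILE call above is cut off on this page. One way such a copy can be written, as an added example that is not taken from the Oracle note: the directory object names WALLET_SRC and WALLET_DST, the destination path placeholder and the file name ewallet.p12 (the usual password-keystore file name) are assumptions, and the destination ASM directory is assumed to exist already.

```sql
-- Added example, not from the original note. Assumed names:
--   WALLET_SRC / WALLET_DST : hypothetical directory objects
--   '+<DEST_DISKGROUP>/<DB_UNIQUE_NAME>/WALLET' : placeholder destination path
--   ewallet.p12 : assumed keystore file name

-- Record the master key IDs in the currently open keystore before copying,
-- so they can be compared once a database is pointed at the copy.
SELECT key_id, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY creation_time;

-- Directory objects let the database address the two ASM paths.
-- The source path is the wallet location named in Method #4.
CREATE OR REPLACE DIRECTORY wallet_src AS '+EVENTDATA/DBFWDB/WALLET';
CREATE OR REPLACE DIRECTORY wallet_dst AS '+<DEST_DISKGROUP>/<DB_UNIQUE_NAME>/WALLET';

-- Copy the keystore file inside ASM without going through cp, mv or orapki.
BEGIN
  DBMS_FILE_TRANSFER.COPY_FILE(
    source_directory_object      => 'WALLET_SRC',
    source_file_name             => 'ewallet.p12',
    destination_directory_object => 'WALLET_DST',
    destination_file_name        => 'ewallet.p12');
END;
/

-- A directory object on a keystore location is a standing read/write path
-- to the wallet for anyone granted privileges on it. Drop both once the
-- copy has completed.
DROP DIRECTORY wallet_src;
DROP DIRECTORY wallet_dst;

-- Confirm the state of the keystore the database is currently using.
SELECT wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;
```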
Note:
In a Data Guard environment, the only method to copy an ASM wallet from the primary database to the standby
database is the merge method. An attempt to export the keys from the primary database and import them into the
standby database will fail with the following error, because the keys are already present in the standby database data
dictionary.
ERROR at line 1:
ORA-46655: no valid keys in the file from which keys are to be imported