How to rebuild the encryption wallet in ORA-28374

When TDE (Transparent Data Encryption) is used to encrypt a database, the key that encrypts the data is randomly generated; that random key is in turn encrypted with the master key, and the master key is stored in the encryption wallet or in an HSM. The following walks through rebuilding the encryption wallet in two scenarios, TDE for encrypted table columns and TDE for encrypted tablespaces. A rebuild is normally only needed when the wallet file has been lost and cannot be recovered, which is the situation we least want to see, because it necessarily means the loss of the encrypted data; the importance of backing up the wallet regularly is obvious.
## Create a new wallet and store the master key in it
mkdir -p /oradata06/wallet


vi sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
   (SOURCE=
       (METHOD=FILE)
       (METHOD_DATA=
          (DIRECTORY=/oradata06/wallet)
       )
   )


alter system set encryption key identified by abcd_1234;


ls -l /oradata06/wallet
total 16
-rw-r--r--    1 oracle   oinstall       1573 Sep 22 15:43 ewallet.p12


oracle@qc570709b:/home/oracle>mkstore -wrl /oradata06/wallet -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   --masterkey
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BS8N9QmwrZrPOcpY6aJPnZYCAwAAAAAAAAAAAAAAAAAAAAAAAAAA  --not sure what this entry is; it stays the same even after the master key has been rebuilt


create table t1 (id number,col1 varchar2(1) encrypt);
insert into t1 values(1,'A');
commit;


select * from v$encrypted_tablespaces;
no rows selected


select * from enc$;
      OBJ#     OWNER#
---------- ----------
MKEYID                                                               ENCALG
---------------------------------------------------------------- ----------
    INTALG
----------
COLKLC
--------------------------------------------------------------------------------
    KLCLEN       FLAG
---------- ----------
   5532091          1
ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA                      3
         1
417741414141414141414141414141414141414141414454386D533354745A6A726F66365A425A43
2B56456D2F61307266754434474136716331576F456D7146437533516B63396B614D37347A78696C
426361645673773D
        88


mkstore -wrl /oradata06/wallet -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BS8N9QmwrZrPOcpY6aJPnZYCAwAAAAAAAAAAAAAAAAAAAAAAAAAA


mkstore -wrl /oradata06/wallet -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY = ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


//////////////////////////////////////////////////////
// Rebuilding the wallet when the master key is used for column encryption
//////////////////////////////////////////////////////
--First back up the table that was encrypted
create table t1_bak as select * from t1;


--The backup copy is not encrypted
SQL> desc t1_bak;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ID                                                 NUMBER
 COL1                                               VARCHAR2(1)


--Rename the ewallet.p12 file
cd /oradata06/wallet
mv ewallet.p12 ewallet.p12.old


--Selecting from t1 again still works, creating a new encrypted table also succeeds, and the wallet is still OPEN: once the wallet is opened its whole contents are loaded into the SGA, so removing the file itself does not affect TDE for now
select * from t1;


select * from v$encryption_wallet;


WRL_TYPE             WRL_PARAMETER                            STATUS
-------------------- ---------------------------------------- ------------------
file                 /oradata06/wallet                        OPEN


create table t2 (id number,col2 varchar2(1) encrypt);


Table created.


--close Wallet
alter system set wallet close identified by ABCD_1234;


System altered.


SQL> select * from poweruser.t1;
select * from poweruser.t1
                        *
ERROR at line 1:
ORA-28365: wallet is not open


--Reopening the wallet finally fails; it can only be opened normally again after renaming ewallet.p12.old back to its original name ewallet.p12
alter system set wallet open identified by ABCD_1234;


System altered.


--Knowing the above behaviour, rebuild the wallet by deleting the wallet file -> resetting the master key
**The deletion step is omitted...
**Now reset the master key
alter system set encryption key identified by ABCD_5678;
ERROR at line 1:
ORA-28362: master key not found


select * from v$encryption_wallet;


WRL_TYPE             WRL_PARAMETER                  STATUS
-------------------- ------------------------------ ------------------
file                 /oradata06/wallet              OPEN


--Although it errors, a new wallet file is still generated. The ORA-28362 above means the database still contains encryption keys that were encrypted with the old master key, but that old master key is not contained in the newly created wallet file
SQL> alter system set encryption key identified by ABCD_5678;
alter system set encryption key identified by ABCD_5678
*
ERROR at line 1:
ORA-28362: master key not found


SQL> alter system set wallet close identified by ABCD_5678;


System altered.


select * from v$encryption_wallet;
WRL_TYPE             WRL_PARAMETER                  STATUS
-------------------- ------------------------------ ------------------
file                 /oradata06/wallet              CLOSED


--The master key ID of table t1 is still the same as before


      OBJ#     OWNER# MKEYID                                                               ENCALG     INTALG
---------- ---------- ---------------------------------------------------------------- ---------- ----------
COLKLC
------------------------------------------------------------------------------------------------------------------------
    KLCLEN       FLAG
---------- ----------
   5532091          1 ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA                      3          1
417741414141414141414141414141414141414141414454386D533354745A6A726F66365A425A432B56456D2F61307266754434474136716331576F
456D7146437533516B63396B614D37347A78696C426361645673773D
        88


   5532115          1 ASS+rtwdxk9Gv/Hs6TIV7pgAAAAAAAAAAAAAAAAAAAAAAAAAAAAA                      3          1
4177414141414141414141414141414141414141414143496C4B734A38665A4269746C3354444F307154716355434151433233597342474E63416F54
727368394C72597054304D784179696473475372616B36465631303D
        88


--Rebuild the wallet; this error means the master key that encrypted the column encryption keys is not present in the newly created wallet file
alter system set encryption key identified by "ABCD_5678";


*
ERROR at line 1:
ORA-28396: rekey of enc$ dictionary table failed


oracle@qc570709b:/oradata06/wallet>ls -rlt
total 16
-rw-r--r--    1 oracle   oinstall       1573 Sep 22 16:44 ewallet.p12


--The new master key
oracle@qc570709b:/oradata06/wallet>mkstore -wrl /oradata06/wallet -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AS00Ujj7+U8RvxZt4qnX594AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATctymEWWk/fv60qAOI6VB0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY


mkstore -wrl /oradata06/wallet -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Enter wallet password:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY = AS00Ujj7+U8RvxZt4qnX594AAAAAAAAAAAAAAAAAAAAAAAAAAAAA


--Drop tables t1 and t2
drop table t1;
drop table t2;


--Resetting the encryption key now succeeds, because t1 and t2 have been dropped and no master key is left outside the wallet any more
alter system set encryption key identified by "ABCD_5678";


System altered.


oracle@qc570709b:/oradata06/wallet>mkstore -wrl /oradata06/wallet -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AS00Ujj7+U8RvxZt4qnX594AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATctymEWWk/fv60qAOI6VB0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AW2PpYY4208ivx+gbbg1f+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AX+sAfvKQE9Cv0kEE2bOLogAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY


//////////////////////////////////////////////////////
///////// Rebuilding the wallet when the master key is used for tablespace encryption
//////////////////////////////////////////////////////
--Create the encrypted tablespace ts_ecrypt03
SQL> alter system set encryption key identified by "ABCD_5678";


System altered.


SQL> create tablespace ts_ecrypt03 datafile '/oradata06/datafile/encrypt03.dbf' size 128m encryption using 'AES128' default storage(encrypt);


Tablespace created.


--Create a table in the encrypted tablespace
create table bb (username encrypt using 'AES192',userid,created) tablespace ts_ecrypt03 as select * from all_users;


Table created.


SQL> desc bb;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USERNAME                                  NOT NULL VARCHAR2(30) ENCRYPT
 USERID                                    NOT NULL NUMBER
 CREATED                                   NOT NULL DATE


SQL> select * from enc$;


no rows selected


SQL> select * from v$encrypted_tablespaces;


       TS# ENCRYPT ENC
---------- ------- ---
ENCRYTPEDKEY
----------------------------------------------------------------
MASTERKEYID                      BLOCKS_ENCRYPTED BLOCKS_DECRYPTED
-------------------------------- ---------------- ----------------
        59 AES128  YES
2ED20D971328D51A29EA193597DF99BC00000000000000000000000000000000
0906B7C73B864F9DBF120BB2112359D0                2                1


--The master key used to encrypt the TS_ECRYPT03 tablespace's encryption key
select name,
       utl_raw.cast_to_varchar2(utl_encode.base64_encode('01' || substr(mkeyid, 1, 4)))
       || utl_raw.cast_to_varchar2(utl_encode.base64_encode(substr(mkeyid, 5, length(mkeyid)))) masterkeyid_base64
  from (select t.name, RAWTOHEX(x.mkid) mkeyid
          from v$tablespace t, x$kcbtek x
         where t.ts# = x.ts# and t.name like 'TS_ECRYPT%');


NAME
------------------------------
MASTERKEYID_BASE64
--------------------------------------------------------------------------------
TS_ECRYPT03
AQkGt8c7hk+dvxILshEjWdA=


--The master key that encrypts table bb's encryption key is the same one used to encrypt the TS_ECRYPT03 tablespace's encryption key
SQL> select mkeyid from enc$;


MKEYID
----------------------------------------------------------------
AQkGt8c7hk+dvxILshEjWdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
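To make the relationship above checkable outside SQL*Plus, here is an added Python example (not from the original post and not an Oracle tool) that reproduces the base64 conversion the query performs on x$kcbtek.mkid and then looks for a matching ORACLE.SECURITY.DB.ENCRYPTION.* entry in the text of an mkstore -list run. It assumes, as the query does, that the wallet entry name is the base64 of the byte 0x01 followed by the 16-byte MKID with the '=' padding dropped and 'A' filler appended; the MKID and the first listing are copied from this post, and the second listing is constructed by adding an entry built from the enc$ value shown above.

```python
import base64

WALLET_ENTRY_PREFIX = "ORACLE.SECURITY.DB.ENCRYPTION."


def mkid_to_base64(mkid_hex: str) -> str:
    """Reproduce the post's SQL: base64('01' || bytes 1-2) || base64(bytes 3-16).

    The split falls on a 3-byte boundary, so concatenating the two base64
    strings is identical to base64-encoding 0x01 || MKID in a single call.
    """
    raw = bytes.fromhex(mkid_hex)
    if len(raw) != 16:
        raise ValueError("x$kcbtek.mkid is expected to be 16 bytes (32 hex digits)")
    return base64.b64encode(b"\x01" + raw).decode("ascii")


def mkid_to_key_id_prefix(mkid_hex: str) -> str:
    """enc$.MKEYID and the wallet entry names carry the same base64 text without
    the '=' padding, followed by 'A' filler (assumption drawn from the listings)."""
    return mkid_to_base64(mkid_hex).rstrip("=")


def wallet_key_ids(mkstore_list_output: str) -> list:
    """Extract the key-id entries from `mkstore -wrl <dir> -list` output,
    skipping the MASTERKEY pointer entry and the banner lines."""
    ids = []
    for line in mkstore_list_output.splitlines():
        line = line.strip()
        if line.startswith(WALLET_ENTRY_PREFIX) and not line.endswith(".MASTERKEY"):
            ids.append(line[len(WALLET_ENTRY_PREFIX):])
    return ids


def wallet_has_master_key(mkid_hex: str, mkstore_list_output: str) -> bool:
    """True when the wallet listing holds the key a tablespace's MKID refers to.
    A False result is exactly the situation behind ORA-28362 / ORA-28374."""
    prefix = mkid_to_key_id_prefix(mkid_hex)
    return any(key.startswith(prefix) for key in wallet_key_ids(mkstore_list_output))


# MKID of TS_ECRYPT03 as shown by v$encrypted_tablespaces in the post
TS_ECRYPT03_MKID = "0906B7C73B864F9DBF120BB2112359D0"

# Listing copied from the post; it predates the key TS_ECRYPT03 was created with
EARLIER_WALLET_LISTING = """
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AS00Ujj7+U8RvxZt4qnX594AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ATctymEWWk/fv60qAOI6VB0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
"""

# Constructed listing: the same entries plus one built from the enc$.MKEYID
# value the post shows for table bb
MATCHING_WALLET_LISTING = EARLIER_WALLET_LISTING + (
    "ORACLE.SECURITY.DB.ENCRYPTION.AQkGt8c7hk+dvxILshEjWdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
)

if __name__ == "__main__":
    print(mkid_to_base64(TS_ECRYPT03_MKID))  # AQkGt8c7hk+dvxILshEjWdA=
    print(wallet_has_master_key(TS_ECRYPT03_MKID, EARLIER_WALLET_LISTING))   # False
    print(wallet_has_master_key(TS_ECRYPT03_MKID, MATCHING_WALLET_LISTING))  # True
```

In practice you would feed `wallet_has_master_key` the MKID of every encrypted tablespace (from v$encrypted_tablespaces) and the listing of the wallet you are about to open; any False tells you that wallet is not the one the data was encrypted under, before a rekey is attempted with it.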




--Remove (rename away) the wallet file
mv ewallet.p12 ewallet.p12.0922_5


--Reset the master key directly; a new wallet file is generated, but it does not contain the old master key, hence ORA-28362
alter system set encryption key identified by ABCD_7890;
*
ERROR at line 1:
ORA-28362: master key not found


--The command above still generated a new master key
oracle@qc570709b:/oradata06/wallet>mkstore -wrl /oradata06/wallet -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY = AWUTpq98gU9Mv9aqMy8ssiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


--Because the new wallet file does not contain the master key used when ts_ecrypt03 was created, the following statement fails
SQL> select * from bb;
select * from bb
              *
ERROR at line 1:
ORA-28362: master key not found


--At this point creating a new encrypted tablespace also fails
create tablespace ts_ecrypt04 datafile '/oradata06/ecrypt04' size 128m encryption using 'AES128' default storage(encrypt);


*
ERROR at line 1:
ORA-28374: typed master key not found in wallet


--Resetting the master key again hits ORA-28396, this time because of the encrypted table bb in the encrypted tablespace
alter system set encryption key identified by ABCD_7890;
*
ERROR at line 1:
ORA-28396: rekey of enc$ dictionary table failed


--After dropping table bb, resetting the master key finally works again
SQL> drop table poweruser.bb;


Table dropped.


alter system set encryption key identified by ABCD_7890;


--A new encrypted tablespace is also created successfully
create tablespace ts_ecrypt04 datafile '/oradata06/ecrypt04.dbf' size 128m encryption using 'AES128' default storage(encrypt);


Tablespace created.


--View the wallet file contents
mkstore -wrl /oradata06/wallet -list
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AUzti1Pbdk8/v2jYUGfEtgcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AWUTpq98gU9Mv9aqMy8ssiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AZrgeKbxDU9Gv8SedTZpX0UAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY


mkstore -wrl /oradata06/wallet -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY = AZrgeKbxDU9Gv8SedTZpX0UAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


--Verify that both tablespaces now use the latest master key
select name,
       utl_raw.cast_to_varchar2(utl_encode.base64_encode('01' || substr(mkeyid, 1, 4)))
       || utl_raw.cast_to_varchar2(utl_encode.base64_encode(substr(mkeyid, 5, length(mkeyid)))) masterkeyid_base64
  from (select t.name, RAWTOHEX(x.mkid) mkeyid
          from v$tablespace t, x$kcbtek x
         where t.ts# = x.ts# and t.name like 'TS_ECRYPT%');
NAME
------------------------------
MASTERKEYID_BASE64
--------------------------------------------------------------------------------
TS_ECRYPT03
AZrgeKbxDU9Gv8SedTZpX0U=


TS_ECRYPT04
AZrgeKbxDU9Gv8SedTZpX0U=



Known TDE Wallet Issues (Doc ID 1301365.1)


APPLIES TO:

Oracle Security Service - Version 10.2.0.1 to 11.2.0.2 [Release 10.2 to 11.2]
Information in this document applies to any platform.

GOAL

This note is dedicated to the problems that have surfaced with the TDE wallet.

1. Deleting and recreating the wallet in 11.2.0.1 fails with ORA-28374 even if no object is created.

This issue affects only the 11.2.0.1 release
After this procedure:
1. create wallet using
alter system set encryption key identified by "password"
2. manually remove the wallet.
3. a subsequent attempt to recreate the wallet fails with: ORA-28374.

2. If deleting the wallet after creating TDE encrypted data (using column or tablespace encryption), the wallet can't be recreated.

To permanently remove TDE from a database, the procedure is:
1. decrypt all encrypted objects if needed.
2. drop the encrypted objects.
3. close the wallet.
4. perform a full log switch rotation and a checkpoint.
5. remove the wallet.
A subsequent attempt to recreate the wallet would raise this error: 
ORA-28362: master key not found
The wallet could be created. Trying to create new encrypted objects would raise:
ORA-28374: typed master key not found in wallet
This issue affects only the 11.2 release

3. Modifying the wallet with OWM or orapki leads to various errors: ORA-600 [ZTSMSTORE FAILED], ORA-28368, ORA-28367, ORA-28362

It is sometimes needed to modify the TDE wallet manually, using OWM or orapki, in order to change the wallet password or to make it auto login.
As a result, subsequent wallet access would fail with one of the errors 
ORA-600 [ZTSMSTORE FAILED], ORA-28368, ORA-28367, ORA-28362
The issue affects all Oracle releases using TDE.

4. Opening the wallet on one of the RAC nodes closes it on the other node(s).

When attempting to open the Transparent Data Encryption wallet on one of the RAC nodes the operation succeeds, however, on the other nodes the wallet is being closed.

5. PKI based master key wallets cannot be opened.

If trying to use a PKI based master key in release 11g, the v$wallet view does not display anything and it is not possible to open the wallet for TDE usage.
The CERT_ID value from v$wallet is needed to open the wallet in such a configuration, using:
alter system set encryption key "<CERT_ID>" identified by "<wallet_password>";

6. After the upgrade to 11gR2, ORA-28374 is raised for TDE operations

The database is upgraded to 11gR2 and trying to create a new encrypted object fails with:
ORA-28374 "typed master key not found in wallet"

7. ORA-28374 raised for encrypted tablespace creation, 11gR1 specific (not occurring in 11gR2).

Trying to create an encrypted tablespace in 11gR1 crashes with ORA-28374

8. Cannot access wallets stored on NFS

OWM, orapki, mkstore fails to access/open the TDE wallet stored on NFS shared location.
The error is:

PKI-02002: Unable to open the wallet. Check password.

9. RAC: After a node crash, the wallet is not open after node restart.

RAC with non-shared wallets. 
If one RAC node crashes, the recovery is made properly on the other nodes, as expected.
Crashed node instance is restarted and goes correctly into open mode, but trying to access the encrypted data on this node fails with ORA-28365.
The wallet should be opened automatically due to the fact it is open on the other node.

10. Regenerating the master key using the wrong wallet can corrupt the database (Tablespace encryption only).

If a database with tablespace encryption is opened using an incorrect wallet and the regeneration of the master key is attempted, the operation succeeds.
This has two negative effects:
1. corruption of blocks in buffer cache.
2. change of master key ID within the database dictionary.
Reopening the database with the correct wallet would not solve the problem because the new master key ID in the dictionary is not present in the proper wallet.

11. Changing the wallet password using orapki with an associated auto-login wallet file cwallet.sso set read-only, the ewallet.p12 file will be erased.

If cwallet.sso is read-only (chmod 440), a password change using orapki will erase ewallet.p12:

chmod 440 cwallet.sso
orapki wallet change_pwd -wallet . -oldpwd welcome1 -newpwd welcome2
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

PKI-02003: Unable to load the wallet at: .

ls -l
total 8
-r--r----- 1 oracle dba 3589 Mar 18 15:34 cwallet.sso
-rw------- 1 oracle dba    0 Mar 18 15:34 ewallet.p12

 

SOLUTION

1. Deleting and recreating the wallet in 11.2.0.1 fails with ORA-28374 even if no object is created.

This issue is documented in:
Note 988022.1 Deleting and Recreating the Wallet in 11.2 Results in ORA-28374
It is permanently fixed in 11.2.0.2. 
Patches exist on most 11.2.0.1 releases.

2. If deleting the wallet after creating TDE encrypted data (using column or tablespace encryption), the wallet can't be recreated.

This issue has been investigated in:
BUG 11727498 - SECOND WALLET CREATED AFTER DELETE ORIGINAL DOES NOT HAVE TS MASTER KEY
The bug is fixed starting with release 11.2.0.3. For the 11.2.0.2 and 11.2.0.1 (if available), the Patch 11727498 should be applied.
Whenever recreating the wallet, make sure to do a full log switch rotation and a checkpoint after the wallet has been closed.

3. Modifying the wallet with OWM or orapki leads to various errors: ORA-600 [ZTSMSTORE FAILED], ORA-28368, ORA-28367, ORA-28362

This issue has been investigated in bug 9215461:
Bug 10086969 MATS:OPMN FAILS TO START DURING ASCORE PREFLIGHT
The bug is permanently fixed in 11.2.0.3. The backports exist for 11.2.0.2 and can be requested on the supported releases: 11.2.0.1, 11.1.0.7 and  10.2.0.5 (for customers with valid extended support contract only).

Subsequently, this new issue has been raised and behaves in a similar manner:
BUG 12756612 - WALLET MANAGER CORRUPTS TDE WALLET WHEN SAVING IT 
Appears starting with release 11.2.0.2 and is likely a regression of bug 10086969. It has a minor impact, given it has an easy to implement workaround:
Workaround:  Manually provide the wallet with "full control" permissions to "SYSTEM" after saving the wallet using OWM.

4. Opening the wallet on one of the RAC nodes closes it on the other node(s).

Problem caused by:
BUG 10431487 - ORA-28353 WHEN USING HSM IN 11.2.0.2 RAC
1. as a workaround, shorter passwords can be used. Depending on the NLS characterset, the functional length can vary, 8-12 character passwords have never failed.
2. Install Patch 10431487 if available or request a fix for the:
BUG 10431487 - ORA-28353 WHEN USING HSM IN 11.2.0.2 RAC
Permanently fixed in 11.2.0.3 and higher.

5. PKI based master key wallets cannot be opened

The problem was investigated in:
BUG 7410970 - V$WALLET DOESN'T SHOW THE RECORDS CREATED FOR PKI CERTIFICATES 
and it appears there are some limitations regarding the certificates that can be used for TDE. As seen in the above bug: "To use TDE with PKI key pairs, the issuing certificate authority must be able to issue X.509v3 certificates with the key usage field marked for encryption."
An example on how to do this is provided in:
Note 1320239.1 How to Create a Wallet to Use with TDE with PKI Key Pairs

6. After the upgrade to 11gR2, ORA-28374 is raised for TDE operations

The unified master encryption key and (for 10gR2 upgrades) the tablespace encryption key is missing. Generate the unified master encryption key using:

alter system set encryption key identified by "wallet_password";

(Documented in: Note 1260584.1)

7. ORA-28374 raised for encrypted tablespace creation, 11gR1 specific (not occurring in 11gR2).

This problem is 11gR1 specific. It is a more complex issue, documented in: Note: 757936.1

8. Cannot access wallets stored on NFS

Tools such as owm and orapki cannot access wallets stored on NFS. Bug 12959278 - PKI-02002 WHILE ACCESSING WALLET ON NFS is still under investigation.

More generally it is not recommended to store TDE wallets on an NFS mounted drive, due to the occasional lag in NFS I/O operations. A delayed file write can cause serious issues such as internal error ORA-600 [kcrf_decrypt_redokey_3], which is why the use of a wallet on NFS is not recommended.

9. RAC: After a node crash, the wallet is not open after node restart.

Has been investigated in:
Bug 16089193 - AFTER CRASHED NODE RESTART, WALLET IS NOT ACCESSIBLE: ORA-28365
duplicate of:
Bug 16360112 - ORA-28365 WHEN QUERYING TDE TABLE EVEN IF WALLET IS ALREADY OPEN IN RAC ENV
The patch is available for 11.2.0.3. Permanently fixed starting with release 12.2.

10. Regenerating the master key using the wrong wallet can corrupt the database (Tablespace encryption only).

This matter is now subject of several bugs:

BUG 12633643 - ENHANCEMENT REQUEST FOR ENCRYPTED DATABASE OPENED WITH INCORECT WALLET 
BUG 18252487 - ORA-1578 AFTER MASTER REKEY OF INCORRECT EWALLET.P12
BUG 18282830 - NO ERROR WHEN REKEY IS PERFORMED ON INCORRECT WALLET FILE
BUG 18308279 - MASTER REKEY OF INCORRECT WALLET IS ALLOWED IN 11.2 AND 12.1

Until fixes for the above bugs are created, it is of the utmost importance to make sure the correct wallet is employed, especially if the master key is to be recycled.


11. Changing the wallet password using orapki with an associated auto-login wallet file cwallet.sso set read-only, the ewallet.p12 file will be erased.

Apart from always making a backup copy of the ewallet.p12 file, make sure cwallet.sso has write permissions:

chmod 600 cwallet.sso

before changing the wallet password using orapki. This issue is investigated in BUG 25914063. Patches can be requested for BUG 25914063 on specific platforms by filing a backport request.
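As an added example (not part of the note and not an Oracle tool), the following Python script applies the two precautions above before a password change: it backs up a non-empty ewallet.p12 and makes cwallet.sso owner-writable, and it can be re-run afterwards to confirm that ewallet.p12 has not been reduced to the zero-byte file shown in the symptom. The wallet directory and backup location are parameters; `make_demo_wallet_dir` builds a throw-away directory with constructed placeholder files (not a real PKCS#12 wallet) so the script runs offline.

```python
import os
import shutil
import stat
import tempfile
import time

EWALLET = "ewallet.p12"
CWALLET = "cwallet.sso"

# Constructed placeholder content; a real ewallet.p12 is a PKCS#12 file
DEMO_EWALLET_BYTES = b"constructed placeholder, not a real PKCS#12 wallet\n"


def wallet_file_ok(wallet_dir: str) -> bool:
    """True when ewallet.p12 exists and is not the zero-byte file from issue 11."""
    path = os.path.join(wallet_dir, EWALLET)
    return os.path.isfile(path) and os.path.getsize(path) > 0


def backup_ewallet(wallet_dir: str, backup_dir: str) -> str:
    """Copy ewallet.p12 into backup_dir with a timestamp; return the copy's path."""
    if not wallet_file_ok(wallet_dir):
        raise RuntimeError("refusing to back up a missing or empty ewallet.p12")
    os.makedirs(backup_dir, exist_ok=True)
    dest = os.path.join(backup_dir, EWALLET + "." + time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(os.path.join(wallet_dir, EWALLET), dest)
    return dest


def ensure_cwallet_writable(wallet_dir: str) -> bool:
    """Apply the note's fix (chmod 600 cwallet.sso) when the auto-login wallet
    is not owner-writable; return True when a change was made."""
    path = os.path.join(wallet_dir, CWALLET)
    if not os.path.exists(path):
        return False  # no auto-login wallet, nothing to fix
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWUSR:
        return False
    os.chmod(path, 0o600)
    return True


def prepare_password_change(wallet_dir: str, backup_dir: str) -> dict:
    """Run both precautions and report what was done."""
    backup = backup_ewallet(wallet_dir, backup_dir)
    fixed = ensure_cwallet_writable(wallet_dir)
    cwallet = os.path.join(wallet_dir, CWALLET)
    return {
        "backup": backup,
        "backup_size": os.path.getsize(backup),
        "cwallet_fixed": fixed,
        "cwallet_mode": stat.S_IMODE(os.stat(cwallet).st_mode) if os.path.exists(cwallet) else None,
    }


def make_demo_wallet_dir() -> str:
    """Build a temporary wallet directory reproducing the read-only cwallet.sso
    situation from the note, with constructed file contents."""
    wallet_dir = tempfile.mkdtemp(prefix="tde_wallet_demo_")
    with open(os.path.join(wallet_dir, EWALLET), "wb") as f:
        f.write(DEMO_EWALLET_BYTES)
    cwallet = os.path.join(wallet_dir, CWALLET)
    with open(cwallet, "wb") as f:
        f.write(b"constructed placeholder auto-login wallet\n")
    os.chmod(cwallet, 0o440)
    return wallet_dir


if __name__ == "__main__":
    demo = make_demo_wallet_dir()
    print(prepare_password_change(demo, os.path.join(demo, "backup")))
    # ... run `orapki wallet change_pwd` here on a real wallet ...
    print("ewallet.p12 still intact:", wallet_file_ok(demo))
```

Run `prepare_password_change` against the real wallet directory before the orapki call and `wallet_file_ok` after it; if the latter returns False, restore ewallet.p12 from the backup path that the first call returned.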

 

 

REFERENCES

BUG 9215461 - BEGIN TSE MASTER KEY REKEY WITH HSM GIVE ORA-28362
BUG 10431487 - ORA-28353 WHEN USING HSM IN 11.2.0.2 RAC
NOTE 1260584.1 - Ora-28374 After Migration To 11.2.0.x from earlier releases 10gR2 or 11gR1
NOTE 1320239.1 - How to Create a Wallet to Use with TDE with PKI Key Pairs
NOTE 757936.1 - Ora-28374: Typed Master Key Not Found In Wallet
NOTE 988022.1 - Deleting and Recreating the Wallet in 11.2 Results in ORA-28374
BUG 11727498 - SECOND WALLET CREATED AFTER DELETE ORIGINAL DOES NOT HAVE TS MASTER KEY
BUG 12756612 - WALLET MANAGER CORRUPTS TDE WALLET WHEN SAVING IT
BUG 12959278 - PKI-2002 ACCESSING WALLET ON NFS
BUG 7410970 - V$WALLET DOESN'T SHOW THE RECORDS CREATED FOR PKI CERTIFICATES
BUG 25914063 - EWALLET.P12 FILE CONTENTS GET ZEROED IF ASSOCIATED CWALLET.SSO IS SET TO READ-ON




Deleting and Recreating the Wallet in 11.2 Results in ORA-28374 (Doc ID 988022.1)


APPLIES TO:

Advanced Networking Option - Version 11.2.0.1 to 11.2.0.1 [Release 11.2]
Information in this document applies to any platform.
Checked for relevance on 08-MAR-2013

SYMPTOMS

In 11.2.0.1, performing the following sequence of commands on a database where TDE has never actually been used results in an ORA-28374 error:

#1. create a new master encryption key, using

alter system set encryption key identified by "wallet password";


#2. delete the generated wallet, without creating any encrypted object beforehand.
#3. try to create a new master encryption key using again:

alter system set encryption key identified by "wallet password";


From here on, any attempt to do something related to TDE, e.g. create an encrypted tablespace or rekey the master key, fails with the same error. In a RAC environment the situation is even worse, because the wallets on the 2 or more nodes cannot be opened on all nodes simultaneously, hence the system becomes unusable from a TDE perspective.

CHANGES

The wallet file ewallet.p12 was inadvertently deleted.

CAUSE

BUG 8682102 - [DB11GR2_LNX]AFTER DELETE WALLET AND RECREATE IT RUN INTO ORA-28374 

This is a bug that applies only for the situation when 
1. the wallet has been generated for TDE purposes 
2. TDE has never been employed in the database *).
11.2 introduces new security restrictions related to the wallet disposal. A wallet should never be disposed of without previously removing the TDE related objects from the database.

* If objects have been created and dropped, then the wallet removed, the redo logs still hold encrypted data. Perform a full redo log switch rotation to clean the redo logs to erase this information from them as follows:

select count(*) X from v$log;
alter system switch logfile;


(repeat X times)

SOLUTION

The problem is solved starting with patchset 11.2.0.2. Patch 8682102 is also delivered on 11.2.0.1 on some Operating Systems and PSU patch levels. If needed, a patch can be requested depending on the support status of 11.2.0.1. On Windows the fix has also been included in the bundles as of Patch 4, see Note 1114533.1.

REFERENCES

BUG 9032843 - REMOVING THE WALLET AND RECREATING IT RESULTS IN ORA-28374
NOTE 1241925.1 - Ora-28374 After Installing The Fix For Bug 8682102







Source: ITPUB blog, http://blog.itpub.net/26736162/viewspace-2145525/