TDE migration, merge and forgotten-password handling

How to Migrate TDE Oracle Wallets from File System to ASM?
 

SOLUTION

Try this in a Dev/Test environment first to confirm it works as expected.

Create a wallet in the ASM location, merge the contents of the local file system wallet into the new ASM wallet, and update sqlnet.ora to point to the ASM wallet location.

Below is the standard process to migrate a TDE wallet from the OS file system to ASM:

1. Create new keystore in ASM by running:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '' IDENTIFIED BY **** ;

2. Edit sqlnet.ora and set the ENCRYPTION_WALLET_LOCATION to point to ASM wallet.


3. Open the keystore.
SQL> administer key management set keystore open identified by *****;


4. Merge wallet contents:
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '' IDENTIFIED BY INTO EXISTING KEYSTORE '' IDENTIFIED BY WITH BACKUP;

Check the 12c documentation for more details.

https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_mgr.htm#ASOAG10323

GOAL

How to copy the TDE wallet from ASM to the local OS file system.

SOLUTION

We need to create a temporary keystore in any temporary location on the file system and merge the ASM keystore into it.

Below is an example.

1) mkdir -p /tmp/TDEwallet/

2)  Create a NEW keystore somewhere on the filesystem. Example:
    SQL> administer key management create keystore '/tmp/TDEwallet/' identified by ;

3)  Merge the renamed ASM keystore into the filesystem keystore. Example:
    SQL>  administer key management merge keystore '+ASM_Wallet_Location' identified by "" into existing keystore '/tmp/TDEwallet/' identified by mywallet123 with backup;
    NOTE:  This requires that you know the password for the older ewallet file!

4)  cd /tmp/TDEwallet/

5)  ls -lrt  
   (This is to check and record the size of the file.)

6)  orapki wallet display -wallet /tmp/TDEwallet/
   (This will output the contents of the wallet.)
   NOTE:  This requires that you know the wallet password.

CAUSE

The wallet files appear to be corrupted: the wallet contents cannot be viewed with the orapki wallet display command.
 
> orapki wallet display -wallet /oracle/P99/ewallet.p12 -pwd Sa*******
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.

Got tag 10 instead of 16.
 

SOLUTION

+++++++++++++++

Take a valid backup of your wallet files (ewallet.p12 and cwallet.sso).

Create a temporary keystore in any temporary location on the file system and merge the keystore from the old location into this new location.

1. Create a new empty wallet using orapki at some other location than the original wallet.

$ pwd


$ orapki wallet create -wallet . -pwd ******
$ ls -ltr

-rw-rw-rw- 1 ewallet.p12.lck
-rw------- 1 ewallet.p12

2. Merge the existing keystore into the newly created empty wallet. For the first (source) keystore there is no need to specify a password, because it is auto-login.

SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '' INTO EXISTING KEYSTORE '' IDENTIFIED BY WITH BACKUP;

keystore altered.

3. Now check the contents of the newly merged wallet and make sure they are the same as in the original wallet.

cd
$ ls -ltr

-rw------- 1 ewallet.p12
-rw------- 1 cwallet.sso


$ orapki wallet display -wallet

Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.


4. At this point, a check shows that the existing wallet was not affected:

SQL> select * from v$encryption_wallet;

WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
------------------------------------------------------------------------------------------------
FILE OPEN AUTOLOGIN SINGLE NO 0

5. Change the wallet location in sqlnet.ora in the case of 12c.
If you are on 19c and use the WALLET_ROOT and TDE_CONFIGURATION parameters, change those accordingly.
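The verification step in both procedures above (steps 5 and 6 of the ASM-to-file-system copy, and step 3 of the corrupted-wallet merge) asks you to confirm that the merged wallet carries the same contents as the original before cutting sqlnet.ora or WALLET_ROOT over to it. The following POSIX shell script is an added example, not code from the Oracle notes or the forum posts on this page: it compares two orapki wallet display listings (constructed samples with fake key ids) and rejects an incomplete merge, and it checks that a wallet file is readable by its owner only. The listing text, function names and key ids are assumptions.

```shell
# Added example, not from the Oracle notes above: before pointing sqlnet.ora
# (or WALLET_ROOT) at a merged wallet, check that every secret-store entry of
# the original wallet is present in the merged one and that the wallet files
# are owner-readable only. Listings are constructed stand-ins for the output
# of "orapki wallet display -wallet <dir> -pwd <pw>"; the key ids are fake.
ORIG_LISTING='Oracle PKI Tool Release 19.0.0.0.0 - Production

Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AVconstructedKeyId0001
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AVconstructedKeyId0001
'
# A merge that came out incomplete: MASTERKEY and KM entries are missing.
BAD_MERGED_LISTING='Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AVconstructedKeyId0001
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
'

# Print the secret-store entry names of one orapki listing, sorted and unique.
wallet_entries() {
    printf '%s\n' "$1" | sed -n '/^Oracle Secret Store entries:/,/^$/p' \
        | grep '^ORACLE\.SECURITY\.' | sort -u
}

# Return 0 only if every entry of the original listing ($1) appears verbatim
# in the merged listing ($2); each missing entry is reported on stderr.
merged_wallet_complete() {
    merged=$(wallet_entries "$2")
    rc=0
    for entry in $(wallet_entries "$1"); do
        if ! printf '%s\n' "$merged" | grep -Fxq "$entry"; then
            echo "missing in merged wallet: $entry" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if a wallet file is mode -rw------- (owner only); cwallet.sso
# opens the keystore without a password, so it must never be wider than that.
wallet_file_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

merged_wallet_complete "$ORIG_LISTING" "$ORIG_LISTING" && echo "complete merge: OK"
merged_wallet_complete "$ORIG_LISTING" "$BAD_MERGED_LISTING" || echo "incomplete merge: do not cut over"
```

Run it with the real listings captured from the original and merged wallet directories (saving orapki output to variables) and with the real ewallet.p12 and cwallet.sso paths before renaming the old files.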
 

 

  • As per the above note IDs, there is no way to recreate / decrypt the password. 

    Raised an SR and they provided me the below action plan and it worked in my case.

    1. Take a backup of the folder /u01/appdata/config/wallet/xx/tde to /u01/appdata/config/wallet/xxxxx/tde_backup

    2. Create a folder tde_temp under /xxx/appdata/config/wallet/xxxx/

    3. Connect to the DB as sys and run the commands below. Provide any new value for the password.

    SQL>ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/xxx/appdata/config/wallet/xxx/tde_temp' IDENTIFIED BY ;

    SQL>!ls -ltr /xxxx/appdata/config/wallet/xxx/tde_temp

    SQL>ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/***/appdata/config/wallet/xxx/tde' INTO EXISTING KEYSTORE '/xxx/appdata/config/wallet/xxxx/tde_temp' IDENTIFIED BY WITH BACKUP;

    SQL>!ls -ltr /xxxx/appdata/config/wallet/xxxxx/tde_temp

    SQL>ADMINISTER KEY MANAGEMENT CREATE auto_login keystore from keystore '/xxxx/appdata/config/wallet/xxxx/tde_temp' identified by "";

    4. Run the commands below and provide the output

    $cd /xxxx/appdata/config/wallet/xxxx/tde_temp

    $ls -ltr

    $mkstore -wrl /xxxx/appdata/config/wallet/xxxx/tde_temp -viewEntry

    $orapki wallet display -wallet /xxx/appdata/config/wallet/xxxx/tde_temp

    Checked the "orapki wallet display" for Password >> Successful

    Checked the actual keys for the tablespaces >> Successfully matching the key in Wallet >>you are fine to use the wallet

    Now,

    -- rename the existing wallet file (ewallet.p12)

    -- rename old autologin - (cwallet.sso)

    -- copy the new wallet (ewallet.p12) to the actual location

    -- restart database ( all instances in case of RAC)

    -- startup Database (one instance in RAC)

    -- Open wallet with new password

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY ;

    -- Create new Autologin

    SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '' IDENTIFIED BY ;

    -- copy new ewallet.p12 file and new cwallet.sso file to all instances location

    -- start other instance

    Note - This action plan might not work in every case


  • SureshMuddaveerappa (Sr Data Warehouse Architect), Mar 31, 2022 4:06AM

    Hello User_62P17,

    In your case it worked out well since the original wallet by itself was fine (along with the contents, including the needed TDE keys). The only issue in your situation was the 'lost' password. Because of this, the original TDE keys (from the 'lost' wallet) could be merged into the new temp wallet that was created.

    ... the "orapki wallet display" for Password >> Successful

    This is coming from the new wallet you had to create. Good to know you were able to salvage and thanks on the update.

    Cheers -- Suresh
