Question and Answer

Connor McDonald

Thanks for the question, Rick.

Asked: November 17, 2016 - 4:09 pm UTC

Last updated: November 21, 2016 - 12:56 am UTC

Version: RDBMS 11.2.0.3

Viewed 1000+ times

You Asked

Under what conditions would an ORACLE.SECURITY.TS.ENCRYPTION.xxxxx not be present in the wallet after enabling tablespace encryption? All previous attempts to enable TDE on other databases resulted in the following entries - the most recent did not include the TS entry in 1 of 3 attempts on different db instances of same version. When was the Master Key unified - version 11.2.0.3?

Requested Certificates:
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.xxxxx
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.xxxxx

Running Oracle 11gR2 on RedHat Linux 5.x
Created Wallet - ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "xxxxx";
Created auto open - orapki wallet create -wallet $ORACLE_BASE/admin/$ORACLE_SID/encrypt_wallet/ -auto_login
Created encrypted TS, viewed data and strings on datafiles confirmed encryption along with ENCRYPTED=YES for TS
Display of wallet contents:

Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.xxxxx
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:



and Connor said...

In 11g, the wallet location can be specified using ENCRYPTION_WALLET_LOCATION in sqlnet.ora (in fact, we recommend you do this, so a separate wallet is used for encryption).

But if you've done 'alter system' first, and nothing was in sqlnet.ora, then I think what will happen is we will create a wallet in the default location, $ORACLE_BASE/admin/"db"/wallet, so the entries may have been created there, not in the wallet you manually created.

But I'd recommend setting ENCRYPTION_WALLET_LOCATION so locations are explicitly referenced.

Hope this helps.
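
One way to check the situation described in the answer, as an added example that is not part of the original answer or of Oracle's tooling: it reads a sqlnet.ora, predicts which wallet directory the database would write keys to, and compares that with the wallet that was inspected with orapki. The function names, sample paths and the ORCL name are assumptions; it expects the usual METHOD=FILE syntax, a path without spaces, and looks only at ENCRYPTION_WALLET_LOCATION.

```shell
#!/bin/sh
# Added example: work out which wallet directory TDE key entries go to.
# Assumes the (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=...))) form and a
# path without spaces. Function names are hypothetical.

# Print the DIRECTORY set under ENCRYPTION_WALLET_LOCATION in file $1, or nothing.
wallet_dir_from_sqlnet() {
    [ -r "$1" ] || return 0
    # Drop comment lines, then join the multi-line parameter into one string.
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t\r\n' | awk '{
        key = "ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY="
        i = index(toupper($0), key)      # keywords are matched case-insensitively
        if (i == 0) exit
        rest = substr($0, i + length(key))
        j = index(rest, ")")
        if (j > 1) print substr(rest, 1, j - 1)
    }'
}

# Print the directory the database would use: $1 sqlnet.ora, $2 ORACLE_BASE, $3 db name.
effective_wallet_dir() {
    dir=$(wallet_dir_from_sqlnet "$1")
    # Fall back to the default location named in the answer above.
    [ -n "$dir" ] || dir="$2/admin/$3/wallet"
    printf '%s\n' "${dir%/}"
}

# Exit 0 if the wallet inspected with orapki ($4) is the one the database uses.
same_wallet() {
    [ "$(effective_wallet_dir "$1" "$2" "$3")" = "${4%/}" ]
}

# Constructed sample: a manually created wallet, checked with and without a
# matching sqlnet.ora entry (paths and db name are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'ENCRYPTION_WALLET_LOCATION =' \
        '  (SOURCE = (METHOD = FILE)' '    (METHOD_DATA =' \
        '      (DIRECTORY = /u01/app/oracle/admin/ORCL/encrypt_wallet/)))' > "$tmp/sqlnet.ora"
    : > "$tmp/empty.ora"
    for f in "$tmp/sqlnet.ora" "$tmp/empty.ora"; do
        if same_wallet "$f" /u01/app/oracle ORCL /u01/app/oracle/admin/ORCL/encrypt_wallet/
        then echo "match:    $(effective_wallet_dir "$f" /u01/app/oracle ORCL)"
        else echo "MISMATCH: database uses $(effective_wallet_dir "$f" /u01/app/oracle ORCL)"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a running instance, the WRL_PARAMETER column of V$ENCRYPTION_WALLET reports the directory actually in use; the script only predicts it from the file.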
