TDE Encryption Wallet Change Password

Question and Answer

Connor McDonald

Thanks for the question, Graham.

Asked: April 16, 2018 - 3:43 pm UTC

Last updated: May 22, 2018 - 6:33 am UTC

Version: 11G release 11.2.0.1.0


You Asked

Requirement
We need to be able to change the password on our Oracle TDE Encryption Wallet, which we use to encrypt some of our Tablespaces.

This frequently asked questions article states that this can be done with OWM or orapki

http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A13019

We therefore used the orapki command as follows:

orapki wallet change_pwd -wallet /oracle/admin/wallet -oldpwd myoldpassword1 -newpwd mynewpassword1

Following this, we were able to list the contents of the wallet as follows:

orapki wallet display -wallet /oracle/admin/wallet -pwd mynewpassword1

It appeared that the password had been successfully changed and was ready to use.

Issue
The Oracle database instance was no longer able to open the encryption wallet.

Following a restart of the Oracle instance, if we try to select from a table in the encrypted tablespace, we get the following Oracle error:

ERROR at line 1:
ORA-28365: wallet is not open

To open the encryption wallet, we normally use the following command in sqlplus:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN identified by "mynewpassword1";

However, following the password change, this command now produces the following error:

ERROR at line 1:
ORA-28367: wallet does not exist

It appears that the wallet has now been somehow corrupted.

and Connor said...

Is it possible your sqlnet.ora parameters are incorrect, or perhaps your TNS_ADMIN etc. is set so that the sqlnet.ora is not being accessed? Because I performed the steps you mentioned on an 11g instance (11.2.0.4 in my case) without incident.

sqlnet.ora
==========
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=C:\oracle\wallet)))

SQL> conn / as sysdba
Connected.

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Password1";

System altered.

SQL> create tablespace SECURETS
  2  datafile 'C:\ORACLE\ORADATA\DB11\SECURETS.DBF' size 50m
  3  encryption using 'AES256'
  4  default storage(encrypt);

Tablespace created.

SQL>
SQL> alter user SCOTT quota unlimited on SECURETS;

User altered.

SQL> create table scott.secure_data tablespace securets
  2  as select * from dba_objects;

Table created.

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

--
-- then I changed the password
--
C:\>orapki wallet change_pwd -wallet c:\oracle\wallet -oldpwd Password1 -newpwd Password2
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

--
-- proved that the new password was in effect
--
SQL> startup
ORACLE instance started.

Total System Global Area 2622255104 bytes
Fixed Size                  2284104 bytes
Variable Size             637535672 bytes
Database Buffers         1962934272 bytes
Redo Buffers               19501056 bytes
Database mounted.
Database opened.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password1";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password1"
*
ERROR at line 1:
ORA-28353: failed to open wallet


SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password2";

System altered.

SQL> conn scott/tiger
Connected.

SQL> select max(owner) from secure_data;

MAX(OWNER)
------------------------------
XDB

SQL>
SQL>


But any kind of inconsistency at the OS level ends up in the behaviour you are seeing, e.g.

1) sqlnet.ora missing or wrong

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=C:\oracle\wallet.wrong)))

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password2";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password2"
*
ERROR at line 1:
ORA-28367: wallet does not exist


2) wallet files inaccessible (permissions or location)

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password2";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Password2"
*
ERROR at line 1:
ORA-28367: wallet does not exist


On my system, trying to "deliberately" confuse things by setting TNS_ADMIN did not have an impact, ie, the database always looked in $ORACLE_HOME/network/admin/sqlnet.ora, but check yours to make sure that is not playing a role as well.

If all of that is valid, then have a chat with Support to see if the following bugs apply to you:

Bug 9692876 tde wallets modified with owm cannot be opened by tde anymore
Bug 9215461 begin tse master key rekey with hsm give ora-28362

and if that is the case, then you'll need to patch to 11.2.0.3 or greater I think.

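The OS-level checks Connor walks through above (which sqlnet.ora is in play, what directory ENCRYPTION_WALLET_LOCATION names, whether the wallet files there are reachable) can be scripted so the ORA-28367 case is ruled in or out before involving Support. The script below is an added example, not part of the original question or answer and not an Oracle tool. It assumes a file-based wallet named ewallet.p12 inside the configured DIRECTORY, a DIRECTORY value that contains no ")", and that it is run as the OS user the database runs as, since the file tests reflect the caller's permissions (root passes every permission test). The sqlnet.ora fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic for the ORA-28367 "wallet does not exist" case discussed
# above. Not an Oracle tool and not from the original answer. It checks what
# the database needs at the OS level before ALTER SYSTEM SET ENCRYPTION
# WALLET OPEN can find the wallet: which sqlnet.ora files are candidates,
# which directory ENCRYPTION_WALLET_LOCATION names, and whether the wallet
# file there exists and is readable by the current OS user.
# Assumptions: file-based wallet named ewallet.p12; DIRECTORY has no ")".

# sqlnet.ora files worth comparing: $TNS_ADMIN/sqlnet.ora when TNS_ADMIN is
# set, and $ORACLE_HOME/network/admin/sqlnet.ora. Both are printed so a
# mismatch between them is visible.
sqlnet_candidates() {
  [ -n "$TNS_ADMIN" ] && echo "$TNS_ADMIN/sqlnet.ora"
  [ -n "$ORACLE_HOME" ] && echo "$ORACLE_HOME/network/admin/sqlnet.ora"
  return 0
}

# Print the DIRECTORY of ENCRYPTION_WALLET_LOCATION from a sqlnet.ora.
# The parameter usually spans several lines, so full-line comments are
# dropped and the file is joined into one line before searching. Prints
# nothing and returns 1 when the parameter is absent.
wallet_dir_from_sqlnet() {
  found=$(sed 's/^[[:space:]]*#.*//' "$1" | tr -d '\r\n' | awk '
    {
      n = index($0, "ENCRYPTION_WALLET_LOCATION"); if (n == 0) next
      s = substr($0, n)                     # from the parameter onward
      m = index(s, "DIRECTORY"); if (m == 0) next
      s = substr(s, m + 9)                  # text after "DIRECTORY"
      sub(/^[ \t]*=[ \t]*/, "", s)          # drop the "=" and blanks
      e = index(s, ")"); if (e == 0) next
      v = substr(s, 1, e - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)        # trim surrounding blanks
      print v
    }')
  [ -n "$found" ] && echo "$found"
}

# Report a wallet directory the way the database process would see it.
# Prints one status word plus the path; returns 0 only for OK.
check_wallet_dir() {
  wdir=$1
  wfile=$wdir/ewallet.p12
  if [ ! -d "$wdir" ]; then
    echo "NO_DIRECTORY $wdir"; return 1
  elif [ ! -x "$wdir" ]; then
    echo "NOT_SEARCHABLE $wdir"; return 1
  elif [ ! -e "$wfile" ]; then
    echo "NO_WALLET_FILE $wfile"; return 1
  elif [ ! -r "$wfile" ]; then
    echo "NOT_READABLE $wfile"; return 1
  fi
  echo "OK $wfile"
}

# --- constructed demonstration input, not taken from the page ---
work=$(mktemp -d)
mkdir -p "$work/wallet"
: > "$work/wallet/ewallet.p12"            # stand-in for a real wallet file
for kind in good wrong; do
  if [ "$kind" = good ]; then target=$work/wallet; else target=$work/wallet.wrong; fi
  cat > "$work/sqlnet.$kind.ora" <<EOF
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=$target)))
EOF
done

sqlnet_candidates | sed 's/^/candidate sqlnet.ora: /'
for f in "$work"/sqlnet.*.ora; do
  if d=$(wallet_dir_from_sqlnet "$f"); then
    printf '%s -> %s: %s\n' "$f" "$d" "$(check_wallet_dir "$d" || true)"
  else
    printf '%s: ENCRYPTION_WALLET_LOCATION not set\n' "$f"
  fi
done
rm -rf "$work"
```

Point wallet_dir_from_sqlnet at each file that sqlnet_candidates lists and feed the result to check_wallet_dir as the database's OS user; a NO_DIRECTORY or NOT_READABLE result reproduces the two conditions Connor shows raising ORA-28367, while an OK result points back at the wallet contents themselves and the bugs he mentions.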
