Skip to Main Content
  • Questions

  • Why does Wallet Manager prompt me for a password to open the wallet when I have an auto-login wallet?

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Christine.

Asked: December 10, 2015 - 3:37 pm UTC

Last updated: December 14, 2015 - 11:36 am UTC

Version: 12.1.0.2

Viewed 1000+ times

You Asked

I have an auto-login wallet (Auto Login is checked when I open the wallet in OWM) but it still prompts me for the password when I open the wallet in Wallet Manager. I have both the cwallet.sso and ewallet.p12 files in the same directory that is defined in the sqlnet.ora file with the WALLET_LOCATION attribute. I have no rows in v$wallet and I am not sure when that gets populated. Why does Wallet Manager prompt me for the password? I want to avoid having to issue an "alter system set encryption wallet open identified by "wallet_password" when I implement TDE tablespace encryption. I want the wallet to be open automatically when the database is started (mounted and opened) so what am I doing wrong?

and Connor said...

From http://www.oracle.com/technetwork/database/security/tde-faq-093689.html

"Oracle provides two different types of wallets: encryption wallet and (local) auto-open wallet. The encryption wallet (filename 'ewallet.p12') is the one recommended for TDE. It needs to be opened manually after database startup and prior to TDE encrypted data being accessed."

and then

"How do I create a (local) auto-open wallet?

A password-protected, encrypted wallet for the TDE master key might not be the right solution when database availability needs to be maintained without human intervention ('lights-out' operation); a (local) auto-open wallet does not require a wallet password after a database came up, so encrypted data is available to authorized users and applications.

A (local) auto-open wallet ('cwallet.sso') needs to be created from an existing encryption wallet ('ewallet.p12'), so that the master key can be transferred to the new auto-open wallet.

You can either open the encryption wallet in Oracle Wallet Manager (OWM), check the 'Auto Login' check box, then select 'Save' to write the auto-open wallet to disk, or, using the command-line tool 'orapki':

$ orapki wallet create -wallet <wallet_location> -auto_login
The syntax to create a local auto-open wallet is:

$ orapki wallet create -wallet <wallet_location> -auto_login_local
In both cases (Oracle Wallet Manager and 'orapki') the user will be prompted for the wallet password. Keep the encryption wallet; it is required for master key re-key operations, and potentially contains a list of retired master keys."

Hope this helps.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Does not answer the question

Tom, July 30, 2018 - 12:31 pm UTC

The question was why does a wallet that has auto_login checked in OWM still require a password when trying to display in orapki?
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.