Disable Auto-Login
Sometimes you may want to perform operations directly on an open password-protected keystore, without the auto-login keystore. To close AUTOLOGIN temporarily, we can use OPEN FORCE KEYSTORE, which opens the password-protected keystore and implicitly closes the AUTOLOGIN keystore, just like we did in how to resolve ORA-28417.
SQL> administer key management set keystore open force keystore identified by "welcome1" container=all;
keystore altered.
Besides disabling it temporarily, we can also remove the auto-login keystore permanently.
First of all, let's see the location of WALLET_ROOT.
SQL> show parameter wallet_root
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /u01/app/oracle/product/19.0.0
                                                 /db_1/admin/ORCLCDB/wallet
Next, we should go to the location of WALLET_ROOT and see what we have there.
1. Remove Auto-Login from Wallet
Just like we said in how to enable Oracle TDE 19c for RAC databases, cwallet.sso is the auto-login keystore.
[oracle@primary01 ~]$ cd /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde
[oracle@primary01 tde]$ ll
total 20
-rw------- 1 oracle asmadmin 5512 Aug 2 16:48 cwallet.sso
-rw------- 1 oracle asmadmin 2555 Aug 2 16:48 ewallet_2021080208481713.p12
-rw------- 1 oracle asmadmin 5467 Aug 2 16:48 ewallet.p12
We rename the auto-login wallet to a backup file so that it steps aside.
[oracle@primary01 tde]$ mv cwallet.sso cwallet.sso.backup
If this is a RAC database, you should do this step on all nodes.
2. Close Auto-Login Keystore
The auto-login keystore is still open at this point, so we need to close it.
SQL> administer key management set keystore close container=all;
keystore altered.
SQL> select con_id, wallet_type, status from v$encryption_wallet order by 1,2;
    CON_ID WALLET_TYPE          STATUS
---------- -------------------- ------------------------------
         1 UNKNOWN              CLOSED
         2 UNKNOWN              CLOSED
         3 UNKNOWN              CLOSED
3. Open Password-Protected Keystore
Once the auto-login keystore is closed, we should open the password-protected keystore.
SQL> administer key management set keystore open identified by "welcome1" container=all;
keystore altered.
SQL> select con_id, wallet_type, status from v$encryption_wallet order by 1,2;
    CON_ID WALLET_TYPE          STATUS
---------- -------------------- ------------------------------
         1 PASSWORD             OPEN
         2 PASSWORD             OPEN
         3 PASSWORD             OPEN
4. Re-create Auto-Login Keystore
Whenever we need auto-login again, we can recreate the keystore.
SQL> administer key management create auto_login keystore from keystore identified by "welcome1";
keystore altered.
5. Close Password-Protected Keystore
Since we have recreated the auto-login wallet, we can close the password-protected keystore to implicitly enable the auto-login wallet.
SQL> administer key management set keystore close identified by "welcome1" container=all;
keystore altered.
SQL> select con_id, wallet_type, status from v$encryption_wallet order by 1,2;
    CON_ID WALLET_TYPE          STATUS
---------- -------------------- ------------------------------
         1 AUTOLOGIN            OPEN
         2 AUTOLOGIN            OPEN
         3 AUTOLOGIN            OPEN
It's back!
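The cwallet.sso.backup file created in step 1 stays in the wallet directory after this procedure, and it is still an auto-login keystore if it is moved back into place. The script below is an added example, not part of the original post: it audits a wallet directory for an active cwallet.sso, renamed copies of it, and keystore files whose mode differs from the 600 shown in the listing in step 1. The function names and the sample directory are assumptions made for the illustration.

```bash
# Added example (not from the original page): audit a TDE wallet directory.
# Assumes the file names from the listing in step 1 (cwallet.sso, ewallet*.p12)
# and treats the 600 mode shown there as the expected permission.

audit_tde_wallet() {
    local dir=$1 f
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir"; return 2; }

    # cwallet.sso present: the keystore can open without a password.
    if [ -e "$dir/cwallet.sso" ]; then
        echo "AUTOLOGIN_ACTIVE $dir/cwallet.sso"
    else
        echo "AUTOLOGIN_ABSENT"
    fi

    # Renamed copies (e.g. cwallet.sso.backup from step 1) become usable
    # auto-login keystores again if moved back, so report each one.
    for f in "$dir"/cwallet.sso?*; do
        [ -e "$f" ] || continue
        echo "AUTOLOGIN_COPY $f"
    done

    # Any keystore file whose mode is not exactly 600.
    find "$dir" -maxdepth 1 -type f \
        \( -name 'cwallet.sso*' -o -name 'ewallet*.p12' \) ! -perm 600 |
        sort | sed 's/^/LOOSE_MODE /'
}

# Constructed sample directory mirroring the state after step 1 (empty files).
make_sample_wallet() {
    local d
    d=$(mktemp -d) || return 1
    touch "$d/cwallet.sso.backup" "$d/ewallet.p12" \
          "$d/ewallet_2021080208481713.p12"
    chmod 600 "$d"/*
    chmod 644 "$d/cwallet.sso.backup"   # constructed fault for the demo
    echo "$d"
}

sample=$(make_sample_wallet)
audit_tde_wallet "$sample"
rm -rf "$sample"
```

On a real system, pass the tde directory under WALLET_ROOT to audit_tde_wallet, and on RAC run it on every node.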