WALLET_ROOT
In How to enable Oracle TDE 19c in RAC DB, we put the wallet in every server of a RAC database. Since the wallet is in file system, it's easy to copy, backup and migrate to testing or standby database.
However, you can also choose ASM to put the wallet, a shared storage location. But the drawback is that it's hard to migrate it from one ASM to another, even managing is not easy.
Before we move wallet into ASM, let's see current location of WALLET_ROOT.
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/app/oracle/product/19.0.0
/db_1/admin/ORCLCDB/wallet
Currently, the wallet is in file system.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 AUTOLOGIN OPEN
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
The current wallet statuses in all PDB look good, the auto-login keystore is in charge now.
Let's see current keystore files.
[oracle@primary01 ~]$ cd /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
[oracle@primary01 tde]$ ll
total 20
-rw------- 1 oracle oinstall 5512 Aug 2 2021 cwallet.sso
-rw------- 1 oracle oinstall 2555 Aug 2 2021 ewallet_2021080208481713.p12
-rw------- 1 oracle oinstall 5467 Aug 2 2021 ewallet.p12
As we can see, both password-protected keystore (ewallet.p12) and auto-login keystore (cwallet.sso) are existing as we thought.
If everything is fine, let's start to move the wallet into ASM.
Make directory for WALLET_ROOT in ASM.
Yes, we have to create the destination we need in advance.
[grid@primary01 ~]$ asmcmd mkdir +DATA/ORCLCDB/wallet
[grid@primary01 ~]$ asmcmd mkdir +DATA/ORCLCDB/wallet/tde
Create an initial keystore for ASM.
We connect to the RAC database by SYS.
SQL> administer key management create keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1";
keystore altered.
Check the newly created keystore.
[grid@primary01 ~]$ asmcmd ls -l +DATA/ORCLCDB/wallet/tde
Type Redund Striped Time Sys Name
KEY_STORE UNPROT COARSE FEB 08 13:00:00 N ewallet.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.312.1096118671
Merge the old keystore into the new one.
SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
keystore altered.
There could be some error like ORA-46638 needs to be solved when you merged the two keystores.
As you can see, we specify both source and target key location for migrating wallet.
Check the keystore again.
[grid@primary01 ~]$ asmcmd ls -l +DATA/ORCLCDB/wallet/tde
Type Redund Striped Time Sys Name
KEY_STORE UNPROT COARSE FEB 08 13:00:00 N ewallet.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.312.1096118671
KEY_STORE UNPROT COARSE FEB 08 13:00:00 N ewallet_2022020805252278.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.313.1096118723
Change WALLET_ROOT.
SQL> alter system set wallet_root='+DATA/ORCLCDB/wallet' sid='*' scope=spfile;
System altered.
It needs a restart to take it effect.
[oracle@primary01 ~]$ srvctl stop database -d orclcdb
[oracle@primary01 ~]$ srvctl start database -d orclcdb
Make sure the parameter is correct.
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string +DATA/ORCLCDB/wallet
The status of wallet might look not right, but it's OK.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 UNKNOWN CLOSED
1 2 UNKNOWN CLOSED
1 3 UNKNOWN CLOSED
2 1 UNKNOWN CLOSED
2 2 UNKNOWN CLOSED
2 3 UNKNOWN CLOSED
6 rows selected.
This is because we haven't create auto-login keystore for it.
Create auto-login keystore.
SQL> administer key management create auto_login keystore from keystore identified by "welcome1";
keystore altered.
Let's see the new auto-login keystore in ASM.
[grid@primary01 ~]$ asmcmd ls -l +DATA/ORCLCDB/wallet/tde
Type Redund Striped Time Sys Name
AUTOLOGIN_KEY_STORE UNPROT COARSE FEB 08 13:00:00 N cwallet.sso => +DATA/ORCLCDB/AUTOLOGIN_KEY_STORE/cwallet.317.1096119023
KEY_STORE UNPROT COARSE FEB 08 13:00:00 N ewallet.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.312.1096118671
KEY_STORE UNPROT COARSE FEB 08 13:00:00 N ewallet_2022020805252278.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.313.1096118723
Check the status of wallet again.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 AUTOLOGIN OPEN
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
It's working normally.
As I said earlier, wallet in ASM is a little hard to manage, you cannot directly operate on key files like we do in file system. However, if you have changed your mind, you can reverse the process by moving the wallet out of ASM anytime.
Did you delete the old wallet from the filesystem?
No, I didn’t.
Can you share the Oracle Doc id or references to configure on wallet & migrate file system to ASM.
Thank you
OK, here is the documentation: 4.1.10 Moving a Software Keystore Out of Automatic Storage Management
Hello Ed,
I have migrate wallet to ASM. every thing is running fine.Getting
ewallet.p12 not present at +DATA/peni/tde/ while quering
!orapki wallet display -wallet +DATA/peni/tde/ however below command is showing result
SQL> !orapki wallet display -wallet /home/oracle/wallet/
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ARGrgLIokk+vv76wxnXqhPkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ARGrgLIokk+vv76wxnXqhPkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
ASMCMD> pwd
+DATA/peni/tde
ASMCMD> ls -lt
Type Redund Striped Time Sys Name
KEY_STORE MIRROR COARSE JUL 23 16:00:00 N ewallet_2023072310512194.p12 => +DATA/peni/KEY_STORE/ewallet.307.1142958081
KEY_STORE MIRROR COARSE JUL 23 16:00:00 N ewallet.p12 => +DATA/peni/KEY_STORE/ewallet.308.1142958007
INST_ID CON_ID WALLET_TYPE STATUS WRL_PARAMETER
——- ———- ——————– ————————- —————
1 0 PASSWORD OPEN +DATA/peni/tde/
2 0 PASSWORD OPEN +DATA/peni/tde/
Thanks for your feedback!