Move Wallet out of ASM
In case that you found it's difficult to manage the wallet in ASM, I provide a way to move it out of ASM. In fact, moving it out of ASM is just a reverse procedure of moving wallet into ASM.
Let's see current location of WALLET_ROOT.
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string +DATA/ORCLCDB/wallet
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
Currently, the wallet is in ASM.
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 AUTOLOGIN OPEN
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
The current wallet statuses in all PDB look good, the auto-login keystore is in charge now.
Let's see current keystore files.
[grid@primary01 ~]$ asmcmd ls -l +DATA/ORCLCDB/wallet/tde
Type Redund Striped Time Sys Name
AUTOLOGIN_KEY_STORE UNPROT COARSE FEB 15 15:00:00 N cwallet.sso => +DATA/ORCLCDB/AUTOLOGIN_KEY_STORE/cwallet.315.1096129175
KEY_STORE UNPROT COARSE FEB 08 16:00:00 N ewallet.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.312.1096126975
KEY_STORE UNPROT COARSE FEB 08 15:00:00 N ewallet_2022020807432025.p12 => +DATA/ORCLCDB/KEY_STORE/ewallet.313.1096127001
As we can see, both password-protected keystore (ewallet.p12) and auto-login keystore (cwallet.sso) are existing as we thought.
If everything is fine, let's start to move the wallet into ASM.
1. Make directory for WALLET_ROOT in ASM.
[oracle@primary01 ~]$ mkdir -p /u01/app/oracle/admin/ORCLCDB/wallet/tde
2. Create an initial keystore in file system.
SQL> administer key management create keystore '/u01/app/oracle/admin/ORCLCDB/wallet/tde' identified by "welcome1";
keystore altered.
Check the newly created keystore.
[oracle@primary01 ~]$ ll /u01/app/oracle/admin/ORCLCDB/wallet/tde
total 4
-rw------- 1 oracle asmadmin 2555 Feb 15 16:27 ewallet.p12
3. Merge the old keystore into the new one.
SQL> administer key management merge keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '/u01/app/oracle/admin/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
keystore altered.
There could be some error like ORA-46638 needs to be solved when you merged the two keystores.
As you can see, we specify both source and target key location for migrating wallet.
Check the keystore again.
[oracle@primary01 ~]$ ll /u01/app/oracle/admin/ORCLCDB/wallet/tde
total 12
-rw------- 1 oracle asmadmin 2555 Feb 15 16:27 ewallet_2022021508273877.p12
-rw------- 1 oracle asmadmin 5467 Feb 15 16:27 ewallet.p12
4. Change WALLET_ROOT.
SQL> alter system set wallet_root='/u01/app/oracle/admin/ORCLCDB/wallet' sid='*' scope=spfile;
System altered.
It needs a restart to take it effect.
[oracle@primary01 ~]$ srvctl stop database -d orclcdb
[oracle@primary01 ~]$ srvctl start instance -d orclcdb -i ORCLCDB1
Here we open only one instance for the following steps.
Make sure the parameter is correct.
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/app/oracle/admin/ORCLCDB/
wallet
The status of wallet might look not right, but it's OK.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 UNKNOWN CLOSED
1 2 UNKNOWN CLOSED
1 3 UNKNOWN CLOSED
This is because we haven't create auto-login keystore for it.
5. Create auto-login keystore.
SQL> administer key management create auto_login keystore from keystore identified by "welcome1";
keystore altered.
Let's see the new auto-login keystore in ASM.
[oracle@primary01 ~]$ ll /u01/app/oracle/admin/ORCLCDB/wallet/tde
total 20
-rw------- 1 oracle asmadmin 5512 Feb 15 16:31 cwallet.sso
-rw------- 1 oracle asmadmin 2555 Feb 15 16:27 ewallet_2022021508273877.p12
-rw------- 1 oracle asmadmin 5467 Feb 15 16:27 ewallet.p12
Check the status of wallet again.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 AUTOLOGIN OPEN
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
6. Copy Wallet to Other Nodes.
Here we use scp to recursively copy the wallet to node 2.
[oracle@primary01 ~]$ scp -rp /u01/app/oracle/admin/ORCLCDB/wallet primary02:/u01/app/oracle/admin/ORCLCDB/
ewallet.p12 100% 5467 5.9MB/s 00:00
ewallet_2022021508273877.p12 100% 2555 4.6MB/s 00:00
cwallet.sso 100% 5512 8.4MB/s 00:00
We should check the copy is complete. On node 2:
[oracle@primary02 ~]$ ll /u01/app/oracle/admin/ORCLCDB/wallet/tde
total 20
-rw------- 1 oracle oinstall 5512 Feb 15 16:31 cwallet.sso
-rw------- 1 oracle oinstall 2555 Feb 15 16:27 ewallet_2022021508273877.p12
-rw------- 1 oracle oinstall 5467 Feb 15 16:27 ewallet.p12
7. Copy Wallet to Other Nodes.
We restart the RAC database to open it on all nodes.
[oracle@primary01 ~]$ srvctl stop database -d orclcdb
[oracle@primary01 ~]$ srvctl start database -d orclcdb
Check the status of wallet again.
SQL> select inst_id, con_id, wallet_type, status from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYPE STATUS
---------- ---------- -------------------- ------------------------------
1 1 AUTOLOGIN OPEN
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
It's working normally.