ORA-28417
Tried to close wallet that we created for transparent data encryption (TDE), but we got ORA-28417 like this:
SQL> administer key management set keystore close identified by welcome1 container=all;
administer key management set keystore close identified by welcome1 container=all
*
ERROR at line 1:
ORA-28417: password-based keystore is not open
ORA-28417 means that the password-protected keystore is not open, so you don't need to close it. In my opinion, you can take it as a warning rather than an error.
OK! Then who is in charge of the wallet? Let's take a look.
SQL> set linesize 200;
SQL> column inst_id format 9;
SQL> column con_id format 9;
SQL> column wallet_type format a10;
SQL> column status format a5;
SQL> column wrl_parameter format a62;
SQL> select inst_id, con_id, wallet_type, status, wrl_parameter from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYP STATU WRL_PARAMETER
------- ------ ---------- ----- --------------------------------------------------------------
1 1 AUTOLOGIN OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
The auto-login keystore is working now.
If the keystore that you want to close is AUTOLOGIN, then you should open force password-protected keystore to implicitly close AUTOLOGIN.
In some cases, you may want to remove auto-login keystore from wallet completely, not just close it.
Solutions
Here we make the password-protected keystore open again, then close it.
Open Force Keystore
We need to add a FORCE option to open it.
Open Keystore
SQL> administer key management set keystore open force keystore identified by welcome1 container=all;
keystore altered.
Where welcome1 is the password of wallet in this case, you should use yours.
Show Wallet Status
SQL> show pdbs;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 ORCLPDB READ WRITE NO
SQL> select inst_id, con_id, wallet_type, status, wrl_parameter from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYP STATU WRL_PARAMETER
------- ------ ---------- ----- --------------------------------------------------------------
1 1 PASSWORD OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
1 2 AUTOLOGIN OPEN
1 3 PASSWORD OPEN
2 1 PASSWORD OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
2 2 AUTOLOGIN OPEN
2 3 PASSWORD OPEN
6 rows selected.
As we can see, password-protected keystore is open and in charge now.
In case that OPEN FORCE KEYSTORE cannot open password-protected keystore correctly, you may consider removing auto-login keystore from wallet completely to make password-protected keystore take the charge.
Close Keystore
Closing password-protected keystore means that you want to close it and enable AUTOLOGIN again.
SQL> administer key management set keystore close identified by welcome1 container=all;
keystore altered.
This time, no ORA-28417.
Show Wallet Status
SQL> select inst_id, con_id, wallet_type, status, wrl_parameter from gv$encryption_wallet order by 1,2;
INST_ID CON_ID WALLET_TYP STATU WRL_PARAMETER
------- ------ ---------- ----- --------------------------------------------------------------
1 1 AUTOLOGIN OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
1 2 AUTOLOGIN OPEN
1 3 AUTOLOGIN OPEN
2 1 AUTOLOGIN OPEN /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde/
2 2 AUTOLOGIN OPEN
2 3 AUTOLOGIN OPEN
6 rows selected.
AUTOLOGIN is back again.
Remove Auto-Login Keystore
If the above solution didn't work, we can remove auto-login keystore to make password-protected keystore take the charge, then close it. This is a stronger way to do it.
if we forgot the password then how to resolve this error
Do you mean no one remember the password? It’s pretty bad.