ORA-46638
There're two error patterns of ORA-46638 in this post.
Incorrect Source Location
Let's see the source of wallet location.
SQL> show parameter wallet_root
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
wallet_root string /u01/app/oracle/product/19.0.0
/db_1/admin/ORCLCDB/wallet
We followed the WALLET_ROOT to specify the source keystore location, and we got ORA-46638.
SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed
Is there any key in WALLET_ROOT?
[oracle@primary01 ~]$ ll /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet
total 0
drwxr-x--- 2 oracle asmadmin 80 Aug 2 2021 tde
Apparently, no. There's no key in this location, the keys are under ./tde, not WALLET_ROOT.
[oracle@primary01 ~]$ ll /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde
total 20
-rw------- 1 oracle asmadmin 5512 Aug 2 2021 cwallet.sso
-rw------- 1 oracle asmadmin 2555 Aug 2 2021 ewallet_2021080208481713.p12
-rw------- 1 oracle asmadmin 5467 Aug 2 2021 ewallet.p12
Therefore, the solution is to specify the direct path of source keystores, in this case, the correct source location is:
Don't worry, I'll show you the correct statement in the last section.
Incorrect Source or Target Password
Suppose the correct password is welcome1, then we use incorrect source or target password on purpose to do merging.
Incorrect Source Password
SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome2" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome2" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed
Incorrect Target Password
SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome2" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome2" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed
Of course, you should use the right password on both sides.
The successful statement is as below.
SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "weclome1" with backup;
keystore altered.
In summary, ORA-46638 means that Oracle is unable to merge two keystores due to incorrect passwords or incorrect location of source keystores. That is, you should use not only correct passwords, but also correct location of keystore in merging statement to solve ORA-46638.
A practical example of merging keystores is to migrate wallet from file system into ASM.