Skip to content
Home » Oracle Database » Encryption » How to Resolve ORA-46638: merging of the two keystores failed

How to Resolve ORA-46638: merging of the two keystores failed

ORA-46638

There're two error patterns of ORA-46638 in this post.

Incorrect Source Location

Let's see the source of wallet location.

SQL> show parameter wallet_root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /u01/app/oracle/product/19.0.0
                                                 /db_1/admin/ORCLCDB/wallet

We followed the WALLET_ROOT to specify the source keystore location, and we got ORA-46638.

SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed

Is there any key in WALLET_ROOT?

[oracle@primary01 ~]$ ll /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet
total 0
drwxr-x--- 2 oracle asmadmin 80 Aug  2  2021 tde

Apparently, no. There's no key in this location, the keys are under ./tde, not WALLET_ROOT.

[oracle@primary01 ~]$ ll /u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde
total 20
-rw------- 1 oracle asmadmin 5512 Aug  2  2021 cwallet.sso
-rw------- 1 oracle asmadmin 2555 Aug  2  2021 ewallet_2021080208481713.p12
-rw------- 1 oracle asmadmin 5467 Aug  2  2021 ewallet.p12

Therefore, the solution is to specify the direct path of source keystores, in this case, the correct source location is:

WALLET_ROOT/tde

Don't worry, I'll show you the correct statement in the last section.

Incorrect Source or Target Password

Suppose the correct password is welcome1, then we use incorrect source or target password on purpose to do merging.

Incorrect Source Password

SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome2" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome2" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome1" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed

Incorrect Target Password

SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome2" with backup;
administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "welcome2" with backup
*
ERROR at line 1:
ORA-46638: merging of the two keystores failed

Of course, you should use the right password on both sides.

The successful statement is as below.

SQL> administer key management merge keystore '/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/wallet/tde' identified by "welcome1" into existing keystore '+DATA/ORCLCDB/wallet/tde' identified by "weclome1" with backup;

keystore altered.

In summary, ORA-46638 means that Oracle is unable to merge two keystores due to incorrect passwords or incorrect location of source keystores. That is, you should use not only correct passwords, but also correct location of keystore in merging statement to solve ORA-46638.

A practical example of merging keystores is to migrate wallet from file system into ASM.

Leave a Reply

Your email address will not be published. Required fields are marked *